diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md index dabc7f749b..2ae163cea6 100644 --- a/windows/security/identity-protection/access-control/active-directory-accounts.md +++ b/windows/security/identity-protection/access-control/active-directory-accounts.md @@ -470,7 +470,7 @@ Each default local account in Active Directory has a number of account settings

Account is trusted for delegation

-

Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. For example, in a forest that is set to the Windows Server 2003 functional level, this setting is found on the Delegation tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the setspn command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously.

+

Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. For example, in a forest that is set to the Windows Server 2003 functional level, this setting is found on the Delegation tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the setspn command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously.

Account is sensitive and cannot be delegated

@@ -480,7 +480,7 @@ Each default local account in Active Directory has a number of account settings

Use DES encryption types for this account

Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).

-Note

DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see Hunting down DES in order to securely deploy Kerberos.

+Note

DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see Hunting down DES in order to securely deploy Kerberos.

@@ -656,8 +656,8 @@ In this procedure, the workstations are dedicated to domain administrators. By s -

Windows Update Setting

-

Configuration

+

Windows Update Setting

+

Configuration

Allow Automatic Updates immediate installation

diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index 7e7c2236cd..56e4f2edf2 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -297,9 +297,9 @@ The following table shows the Group Policy and registry settings that are used t -

No.

-

Setting

-

Detailed Description

+

No.

+

Setting

+

Detailed Description

@@ -334,7 +334,7 @@ The following table shows the Group Policy and registry settings that are used t

3

Registry key

-

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

+

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

@@ -444,9 +444,9 @@ The following table shows the Group Policy settings that are used to deny networ -

No.

-

Setting

-

Detailed Description

+

No.

+

Setting

+

Detailed Description

diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index 7f5c4ffe62..25d125585e 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -98,7 +98,7 @@ The following tables describe baseline protections, plus protections for improve | Hardware: **Trusted Platform Module (TPM)** |  **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
[TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations) | A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)| UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).| UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.

|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.

|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. | > [!IMPORTANT] > The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide. @@ -133,5 +133,5 @@ The following table lists qualifications for Windows 10, version 1703, which are | Protections for Improved Security | Description | Security Benefits |---|---|---| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
    - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
    - PE sections need to be page-aligned in memory (not required for in non-volatile storage).
    - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
        - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
        - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.


Please also note the following:
• Do not use sections that are both writeable and executable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. | +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
    - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
    - PE sections need to be page-aligned in memory (not required for in non-volatile storage).
    - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
        - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
        - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.


Please also note the following:
• Do not use sections that are both writeable and executable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. | | Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features. | • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. | diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 33a9c450e1..7a92ed864a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -84,7 +84,7 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 1. In the **Custom OMA-URI Settings** blade, Click **Add**. 1. In the **Add Row** blade, type **PIN Reset Settings** in the **Name** field. In the **OMA-URI** field, type **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** where *tenant ID* is your Azure Active Directory tenant ID from step 2. 1. Select **Boolean** from the **Data type** list and select **True** from the **Value** list. -1. Click **OK** to save the row configuration. Click **OK** to close the Custom OMA-URI Settings blade. Click **Create to save the profile. +1. Click **OK** to save the row configuration. Click **OK** to close the Custom OMA-URI Settings blade. Click **Create to save the profile. #### Assign the PIN Reset Device configuration profile using Microsoft Intune diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index f220db21f6..0fb161ccb5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -17,7 +17,7 @@ ms.reviewer: --- # Windows Hello for Business Provisioning -Applies to: +Applies to: - Windows 10 Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication. Provisioning experience vary based on: diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index ae11903279..8ea5343d35 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -187,7 +187,7 @@ The web server is ready to host the CRL distribution point. Now, configure the 1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**. 2. In the navigation pane, right-click the name of the certificate authority and click **Properties** 3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list. -4. On the **Extensions** tab, click **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, ** or ** (do not forget the trailing forward slash). +4. On the **Extensions** tab, click **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, ** or ** (do not forget the trailing forward slash). ![CDP New Location dialog box](images/aadj/cdp-extension-new-location.png) 5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. 6. Type **.crl** at the end of the text in **Location**. Click **OK**. @@ -225,7 +225,7 @@ The web server is ready to host the CRL distribution point. Now, configure the Validate your new CRL distribution point is working. -1. Open a web browser. Navigate to http://crl.[yourdomain].com/cdp. You should see two files created from publishing your new CRL. +1. Open a web browser. Navigate to http://crl.[yourdomain].com/cdp. You should see two files created from publishing your new CRL. ![Validate the new CRL](images/aadj/validate-cdp-using-browser.png) ### Reissue domain controller certificates diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index 4e95da0531..373339ebcd 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -58,7 +58,7 @@ Use the following table to compare different Remote Desktop connection security | **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server | | **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.

For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). | | **Helps prevent**                    |      N/A          |
  • Pass-the-Hash
  • Use of a credential after disconnection
|
  • Pass-the-Hash
  • Use of domain identity during connection
| -| **Credentials supported from the remote desktop client device** |
  • Signed on credentials
  • Supplied credentials
  • Saved credentials
|
  • Signed on credentials only |
    • Signed on credentials
    • Supplied credentials
    • Saved credentials
    | +| **Credentials supported from the remote desktop client device** |
    • Signed on credentials
    • Supplied credentials
    • Saved credentials
    |
    • Signed on credentials only |
      • Signed on credentials
      • Supplied credentials
      • Saved credentials
      | | **Access** | **Users allowed**, that is, members of Remote Desktop Users group of remote host. | **Users allowed**, that is, members of Remote Desktop Users of remote host. | **Administrators only**, that is, only members of Administrators group of remote host. | | **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host’s identity**. | | **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account | diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index 4a92507705..560f4b240c 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -270,7 +270,7 @@ To better understand each component, review the table below: -The slider will never turn UAC completely off. If you set it to Never notify, it will: +The slider will never turn UAC completely off. If you set it to Never notify, it will: - Keep the UAC service running. - Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt. diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 96fc9bd8c2..405ffb126f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -252,11 +252,11 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us -

      Name

      -

      Parameters

      +

      Name

      +

      Parameters

      -

      Add-BitLockerKeyProtector

      +

      Add-BitLockerKeyProtector

      -ADAccountOrGroup

      -ADAccountOrGroupProtector

      -Confirm

      @@ -278,26 +278,26 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us

      -WhatIf

      -

      Backup-BitLockerKeyProtector

      +

      Backup-BitLockerKeyProtector

      -Confirm

      -KeyProtectorId

      -MountPoint

      -WhatIf

      -

      Disable-BitLocker

      +

      Disable-BitLocker

      -Confirm

      -MountPoint

      -WhatIf

      -

      Disable-BitLockerAutoUnlock

      +

      Disable-BitLockerAutoUnlock

      -Confirm

      -MountPoint

      -WhatIf

      -

      Enable-BitLocker

      +

      Enable-BitLocker

      -AdAccountOrGroup

      -AdAccountOrGroupProtector

      -Confirm

      @@ -322,44 +322,44 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us

      -WhatIf

      -

      Enable-BitLockerAutoUnlock

      +

      Enable-BitLockerAutoUnlock

      -Confirm

      -MountPoint

      -WhatIf

      -

      Get-BitLockerVolume

      +

      Get-BitLockerVolume

      -MountPoint

      -

      Lock-BitLocker

      +

      Lock-BitLocker

      -Confirm

      -ForceDismount

      -MountPoint

      -WhatIf

      -

      Remove-BitLockerKeyProtector

      +

      Remove-BitLockerKeyProtector

      -Confirm

      -KeyProtectorId

      -MountPoint

      -WhatIf

      -

      Resume-BitLocker

      +

      Resume-BitLocker

      -Confirm

      -MountPoint

      -WhatIf

      -

      Suspend-BitLocker

      +

      Suspend-BitLocker

      -Confirm

      -MountPoint

      -RebootCount

      -WhatIf

      -

      Unlock-BitLocker

      +

      Unlock-BitLocker

      -AdAccountOrGroup

      -Confirm

      -MountPoint

      @@ -374,7 +374,7 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets. A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the Get-BitLocker volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information. -Occasionally, all protectors may not be shown when using Get-BitLockerVolume due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors. +Occasionally, all protectors may not be shown when using Get-BitLockerVolume due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors. > **Note:**  In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID. diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md index 436ef15fe7..be8ab9ed7b 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md @@ -106,39 +106,39 @@ This policy setting allows users on devices that are compliant with Modern Stand -

      Policy description

      +

      Policy description

      With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices.

      -

      Introduced

      +

      Introduced

      Windows 10, version 1703

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      This setting overrides the Require startup PIN with TPM option of the Require additional authentication at startup policy on compliant hardware.

      -

      When enabled

      +

      When enabled

      Users on Modern Standby and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The options of the Require additional authentication at startup policy apply.

      -Reference +Reference The preboot authentication option Require startup PIN with TPM of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that do not support Modern Standby. But visually impaired users have no audible way to know when to enter a PIN. @@ -156,37 +156,37 @@ This policy is used in addition to the BitLocker Drive Encryption Network Unlock -

      Policy description

      +

      Policy description

      With this policy setting, you can control whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      Clients configured with a BitLocker Network Unlock certificate can create and use Network Key Protectors.

      -

      When disabled or not configured

      +

      When disabled or not configured

      Clients cannot create and use Network Key Protectors

      -Reference +Reference To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive Encryption Network Unlock must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create a network key protector and to protect the information exchange with the server to unlock the computer. You can use the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that do not have a TPM cannot create network key protectors to automatically unlock by using Network Unlock. @@ -205,39 +205,39 @@ This policy setting is used to control which unlock options are available for op -

      Policy description

      +

      Policy description

      With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      If one authentication method is required, the other methods cannot be allowed.

      -

      Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

      +

      Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

      -

      When enabled

      +

      When enabled

      Users can configure advanced startup options in the BitLocker Setup Wizard.

      -

      When disabled or not configured

      +

      When disabled or not configured

      Users can configure only basic options on computers with a TPM.

      Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.

      -Reference +Reference If you want to use BitLocker on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive. @@ -282,31 +282,31 @@ This policy setting permits the use of enhanced PINs when you use an unlock meth -

      Policy description

      +

      Policy description

      With this policy setting, you can configure whether enhanced startup PINs are used with BitLocker.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      All new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs are not affected.

      -

      When disabled or not configured

      +

      When disabled or not configured

      Enhanced PINs will not be used.

      @@ -330,37 +330,37 @@ This policy setting is used to set a minimum PIN length when you use an unlock m -

      Policy description

      +

      Policy description

      With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      You can require that startup PINs set by users must have a minimum length you choose that is between 4 and 20 digits.

      -

      When disabled or not configured

      +

      When disabled or not configured

      Users can configure a startup PIN of any length between 6 and 20 digits.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. @@ -413,31 +413,31 @@ This policy setting allows you to configure whether standard users are allowed t -

      Policy description

      +

      Policy description

      With this policy setting, you can configure whether standard users are allowed to change the PIN or password used to protect the operating system drive.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      Standard users are not allowed to change BitLocker PINs or passwords.

      -

      When disabled or not configured

      +

      When disabled or not configured

      Standard users are permitted to change BitLocker PINs or passwords.

      @@ -459,37 +459,37 @@ This policy controls how non-TPM based systems utilize the password protector. U -

      Policy description

      +

      Policy description

      With this policy setting, you can specify the constraints for passwords that are used to unlock operating system drives that are protected with BitLocker.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      Passwords cannot be used if FIPS-compliance is enabled.

      -Note

      The System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.

      +Note

      The System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.

      -

      When enabled

      -

      Users can configure a password that meets the requirements you define. To enforce complexity requirements for the password, select Require complexity.

      +

      When enabled

      +

      Users can configure a password that meets the requirements you define. To enforce complexity requirements for the password, select Require complexity.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will occur.

      @@ -522,37 +522,37 @@ This policy setting is used to control what unlock options are available for com -

      Policy description

      +

      Policy description

      With this policy setting, you can control whether the BitLocker Setup Wizard on computers running Windows Vista or Windows Server 2008 can set up an additional authentication method that is required each time the computer starts.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 and Windows Vista

      -

      Drive type

      +

      Drive type

      Operating system drives (Windows Server 2008 and Windows Vista)

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      If you choose to require an additional authentication method, other authentication methods cannot be allowed.

      -

      When enabled

      +

      When enabled

      The BitLocker Setup Wizard displays the page that allows the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with or without a TPM.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The BitLocker Setup Wizard displays basic steps that allow users to enable BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured.

      -Reference +Reference On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB drive that contains a startup key. It can also require users to enter a 6-digit to 20-digit startup PIN. @@ -586,41 +586,41 @@ This policy setting is used to require, allow, or deny the use of smart cards wi -

      Policy description

      +

      Policy description

      With this policy setting, you can specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Fixed data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

      -

      Conflicts

      -

      To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates.

      +

      Conflicts

      +

      To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates.

      -

      When enabled

      -

      Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on fixed data drives check box.

      +

      When enabled

      +

      Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on fixed data drives check box.

      -

      When disabled

      +

      When disabled

      Users cannot use smart cards to authenticate their access to BitLocker-protected fixed data drives.

      -

      When not configured

      +

      When not configured

      Smart cards can be used to authenticate user access to a BitLocker-protected drive.

      -Reference +Reference >**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by using any of the protectors that are available on the drive. @@ -635,41 +635,41 @@ This policy setting is used to require, allow, or deny the use of passwords with -

      Policy description

      +

      Policy description

      With this policy setting, you can specify whether a password is required to unlock BitLocker-protected fixed data drives.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Fixed data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

      -

      Conflicts

      -

      To use password complexity, the Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements policy setting must also be enabled.

      +

      Conflicts

      +

      To use password complexity, the Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements policy setting must also be enabled.

      -

      When enabled

      -

      Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for fixed data drive. To enforce complexity requirements on the password, select Require complexity.

      +

      When enabled

      +

      Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for fixed data drive. To enforce complexity requirements on the password, select Require complexity.

      -

      When disabled

      +

      When disabled

      The user is not allowed to use a password.

      -

      When not configured

      +

      When not configured

      Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters.

      -Reference +Reference When set to **Require complexity**, a connection to a domain controller is necessary to validate the complexity of the password when BitLocker is enabled. @@ -699,41 +699,41 @@ This policy setting is used to require, allow, or deny the use of smart cards wi -

      Policy description

      +

      Policy description

      With this policy setting, you can specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Removable data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

      -

      Conflicts

      -

      To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates.

      +

      Conflicts

      +

      To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates.

      -

      When enabled

      -

      Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on removable data drives check box.

      +

      When enabled

      +

      Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on removable data drives check box.

      -

      When disabled or not configured

      +

      When disabled or not configured

      Users are not allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives.

      -

      When not configured

      +

      When not configured

      Smart cards are available to authenticate user access to a BitLocker-protected removable data drive.

      -Reference +Reference >**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. @@ -748,41 +748,41 @@ This policy setting is used to require, allow, or deny the use of passwords with -

      Policy description

      +

      Policy description

      With this policy setting, you can specify whether a password is required to unlock BitLocker-protected removable data drives.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Removable data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

      -

      Conflicts

      -

      To use password complexity, the Password must meet complexity requirements policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy must also be enabled.

      +

      Conflicts

      +

      To use password complexity, the Password must meet complexity requirements policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy must also be enabled.

      -

      When enabled

      -

      Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for removable data drive. To enforce complexity requirements on the password, select Require complexity.

      +

      When enabled

      +

      Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for removable data drive. To enforce complexity requirements on the password, select Require complexity.

      -

      When disabled

      +

      When disabled

      The user is not allowed to use a password.

      -

      When not configured

      +

      When not configured

      Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters.

      -Reference +Reference If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** must also be enabled. @@ -812,37 +812,37 @@ This policy setting is used to determine what certificate to use with BitLocker. -

      Policy description

      +

      Policy description

      With this policy setting, you can associate an object identifier from a smart card certificate to a BitLocker-protected drive.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Fixed and removable data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      -

      The object identifier that is specified in the Object identifier setting must match the object identifier in the smart card certificate.

      +

      When enabled

      +

      The object identifier that is specified in the Object identifier setting must match the object identifier in the smart card certificate.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The default object identifier is used.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. @@ -863,37 +863,37 @@ This policy setting allows users to enable authentication options that require u -

      Policy description

      +

      Policy description

      With this policy setting, you can allow users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Operating system drive

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      Devices must have an alternative means of preboot input (such as an attached USB keyboard).

      -

      When disabled or not configured

      +

      When disabled or not configured

      The Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password.

      -Reference +Reference The Windows touch keyboard (such as used by tablets) is not available in the preboot environment where BitLocker requires additional information, such as a PIN or password. @@ -918,37 +918,37 @@ This policy setting is used to require encryption of fixed drives prior to grant -

      Policy description

      +

      Policy description

      With this policy setting, you can set whether BitLocker protection is required for fixed data drives to be writable on a computer.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Fixed data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

      -

      Conflicts

      +

      Conflicts

      See the Reference section for a description of conflicts.

      -

      When enabled

      +

      When enabled

      All fixed data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access.

      -

      When disabled or not configured

      +

      When disabled or not configured

      All fixed data drives on the computer are mounted with Read and Write access.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. @@ -973,37 +973,37 @@ This policy setting is used to require that removable drives are encrypted prior -

      Policy description

      +

      Policy description

      With this policy setting, you can configure whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Removable data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

      -

      Conflicts

      +

      Conflicts

      See the Reference section for a description of conflicts.

      -

      When enabled

      +

      When enabled

      All removable data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access.

      -

      When disabled or not configured

      +

      When disabled or not configured

      All removable data drives on the computer are mounted with Read and Write access.

      -Reference +Reference If the **Deny write access to devices configured in another organization** option is selected, only drives with identification fields that match the computer's identification fields are given Write access. When a removable data drive is accessed, it is checked for a valid identification field and allowed identification fields. These fields are defined by the **Provide the unique identifiers for your organization** policy setting. @@ -1026,41 +1026,41 @@ This policy setting is used to prevent users from turning BitLocker on or off on -

      Policy description

      +

      Policy description

      With this policy setting, you can control the use of BitLocker on removable data drives.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Removable data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      You can select property settings that control how users can configure BitLocker.

      -

      When disabled

      +

      When disabled

      Users cannot use BitLocker on removable data drives.

      -

      When not configured

      +

      When not configured

      Users can use BitLocker on removable data drives.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. @@ -1082,37 +1082,37 @@ This policy setting is used to control the encryption method and cipher strength -

      Policy description

      +

      Policy description

      With this policy setting, you can control the encryption method and strength for drives.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      All drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      You can choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives.

      -

      When disabled or not configured

      +

      When disabled or not configured

      Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. Windows Phone does not support XTS; it uses AES-CBC 128-bit by default and supports AES-CBC 256-bit by policy.

      -Reference +Reference The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128). @@ -1138,42 +1138,42 @@ This policy controls how BitLocker reacts to systems that are equipped with encr -

      Policy description

      +

      Policy description

      With this policy setting, you can manage BitLocker’s use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Fixed data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.

      -

      When disabled

      +

      When disabled

      BitLocker cannot use hardware-based encryption with fixed data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.

      -

      When not configured

      +

      When not configured

      BitLocker software-based encryption is used irrespective of hardware-based encryption ability.

      -Reference +Reference >**Note:** The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. @@ -1193,41 +1193,41 @@ This policy controls how BitLocker reacts when encrypted drives are used as oper -

      Policy description

      +

      Policy description

      With this policy setting, you can manage BitLocker’s use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.

      -

      When disabled

      +

      When disabled

      BitLocker cannot use hardware-based encryption with operating system drives, and BitLocker software-based encryption is used by default when the drive in encrypted.

      -

      When not configured

      +

      When not configured

      BitLocker software-based encryption is used irrespective of hardware-based encryption ability.

      -Reference +Reference If hardware-based encryption is not available, BitLocker software-based encryption is used instead. @@ -1249,41 +1249,41 @@ This policy controls how BitLocker reacts to encrypted drives when they are used -

      Policy description

      +

      Policy description

      With this policy setting, you can manage BitLocker’s use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Removable data drive

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.

      -

      When disabled

      +

      When disabled

      BitLocker cannot use hardware-based encryption with removable data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.

      -

      When not configured

      +

      When not configured

      BitLocker software-based encryption is used irrespective of hardware-based encryption ability.

      -Reference +Reference If hardware-based encryption is not available, BitLocker software-based encryption is used instead. @@ -1305,37 +1305,37 @@ This policy controls whether fixed data drives utilize Used Space Only encryptio -

      Policy description

      +

      Policy description

      With this policy setting, you can configure the encryption type that is used by BitLocker.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Fixed data drive

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      This policy defines the encryption type that BitLocker uses to encrypt drives, and the encryption type option is not presented in the BitLocker Setup Wizard.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. @@ -1354,37 +1354,37 @@ This policy controls whether operating system drives utilize Full encryption or -

      Policy description

      +

      Policy description

      With this policy setting, you can configure the encryption type that is used by BitLocker.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Operating system drive

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. @@ -1403,37 +1403,37 @@ This policy controls whether fixed data drives utilize Full encryption or Used S -

      Policy description

      +

      Policy description

      With this policy setting, you can configure the encryption type that is used by BitLocker.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Removable data drive

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. @@ -1452,38 +1452,38 @@ This policy setting is used to configure recovery methods for operating system d -

      Policy description

      +

      Policy description

      With this policy setting, you can control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      -

      You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

      -

      When using data recovery agents, you must enable the Provide the unique identifiers for your organization policy setting.

      +

      Conflicts

      +

      You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

      +

      When using data recovery agents, you must enable the Provide the unique identifiers for your organization policy setting.

      -

      When enabled

      +

      When enabled

      You can control the methods that are available to users to recover data from BitLocker-protected operating system drives.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. @@ -1513,37 +1513,37 @@ This policy setting is used to configure recovery methods for BitLocker-protecte -

      Policy description

      +

      Policy description

      With this policy setting, you can control whether the BitLocker Setup Wizard can display and specify BitLocker recovery options.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 and Windows Vista

      -

      Drive type

      +

      Drive type

      Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

      -

      Conflicts

      -

      This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the Do not allow option for both user recovery options, you must enable the Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) policy setting to prevent a policy error.

      +

      Conflicts

      +

      This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the Do not allow option for both user recovery options, you must enable the Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) policy setting to prevent a policy error.

      -

      When enabled

      +

      When enabled

      You can configure the options that the Bitlocker Setup Wizard displays to users for recovering BitLocker encrypted data.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The BitLocker Setup Wizard presents users with ways to store recovery options.

      -Reference +Reference This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker. @@ -1567,37 +1567,37 @@ This policy setting is used to configure the storage of BitLocker recovery infor -

      Policy description

      +

      Policy description

      With this policy setting, you can manage the AD DS backup of BitLocker Drive Encryption recovery information.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 and Windows Vista

      -

      Drive type

      +

      Drive type

      Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista.

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer.

      -

      When disabled or not configured

      +

      When disabled or not configured

      BitLocker recovery information is not backed up to AD DS.

      -Reference +Reference This policy is only applicable to computers running Windows Server 2008 or Windows Vista. @@ -1625,37 +1625,37 @@ This policy setting is used to configure the default folder for recovery passwor -

      Policy description

      +

      Policy description

      With this policy setting, you can specify the default path that is displayed when the BitLocker Setup Wizard prompts the user to enter the location of a folder in which to save the recovery password.

      -

      Introduced

      +

      Introduced

      Windows Vista

      -

      Drive type

      +

      Drive type

      All drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      You can specify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can specify a fully qualified path or include the target computer's environment variables in the path. If the path is not valid, the BitLocker Setup Wizard displays the computer's top-level folder view.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The BitLocker Setup Wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. @@ -1672,38 +1672,38 @@ This policy setting is used to configure recovery methods for fixed data drives. -

      Policy description

      +

      Policy description

      With this policy setting, you can control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Fixed data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

      -

      Conflicts

      -

      You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

      -

      When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting.

      +

      Conflicts

      +

      You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

      +

      When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting.

      -

      When enabled

      +

      When enabled

      You can control the methods that are available to users to recover data from BitLocker-protected fixed data drives.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. @@ -1733,38 +1733,38 @@ This policy setting is used to configure recovery methods for removable data dri -

      Policy description

      +

      Policy description

      With this policy setting, you can control how BitLocker-protected removable data drives are recovered in the absence of the required credentials.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Removable data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

      -

      Conflicts

      -

      You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

      -

      When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting.

      +

      Conflicts

      +

      You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

      +

      When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting.

      -

      When enabled

      +

      When enabled

      You can control the methods that are available to users to recover data from BitLocker-protected removable data drives.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. @@ -1791,37 +1791,37 @@ This policy setting is used to configure the entire recovery message and to repl -

      Policy description

      +

      Policy description

      With this policy setting, you can configure the BitLocker recovery screen to display a customized message and URL.

      -

      Introduced

      +

      Introduced

      Windows 10

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives \ Configure pre-boot recovery message and URL

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      -

      The customized message and URL are displayed on the pre-boot recovery screen. If you have previously enabled a custom recovery message and URL and want to revert to the default message and URL, you must keep the policy setting enabled and select the Use default recovery message and URL option.

      +

      When enabled

      +

      The customized message and URL are displayed on the pre-boot recovery screen. If you have previously enabled a custom recovery message and URL and want to revert to the default message and URL, you must keep the policy setting enabled and select the Use default recovery message and URL option.

      -

      When disabled or not configured

      +

      When disabled or not configured

      If the setting has not been previously enabled the default pre-boot recovery screen is displayed for BitLocker recovery. If the setting previously was enabled and is subsequently disabled the last message in Boot Configuration Data (BCD) is displayed whether it was the default recovery message or the custom message.

      -Reference +Reference Enabling the **Configure the pre-boot recovery message and URL** policy setting allows you to customize the default recovery screen message and URL to assist customers in recovering their key. @@ -1846,38 +1846,38 @@ This policy controls how BitLocker-enabled system volumes are handled in conjunc -

      Policy description

      +

      Policy description

      With this policy setting, you can configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      All drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      -

      If you enable Allow Secure Boot for integrity validation, make sure the Configure TPM platform validation profile for native UEFI firmware configurations Group Policy setting is not enabled or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation.

      +

      Conflicts

      +

      If you enable Allow Secure Boot for integrity validation, make sure the Configure TPM platform validation profile for native UEFI firmware configurations Group Policy setting is not enabled or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation.

      For more information about PCR 7, see Platform Configuration Register (PCR) in this topic.

      -

      When enabled or not configured

      +

      When enabled or not configured

      BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation.

      -

      When disabled

      +

      When disabled

      BitLocker uses legacy platform integrity validation, even on systems that are capable of Secure Boot-based integrity validation.

      -Reference +Reference Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing preboot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8. When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored, and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker. @@ -1895,37 +1895,37 @@ This policy setting is used to establish an identifier that is applied to all dr -

      Policy description

      +

      Policy description

      With this policy setting, you can associate unique organizational identifiers to a new drive that is enabled with BitLocker.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      All drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

      -

      Conflicts

      +

      Conflicts

      Identification fields are required to manage certificate-based data recovery agents on BitLocker-protected drives. BitLocker manages and updates certificate-based data recovery agents only when the identification field is present on a drive and it is identical to the value that is configured on the computer.

      -

      When enabled

      +

      When enabled

      You can configure the identification field on the BitLocker-protected drive and any allowed identification field that is used by your organization.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The identification field is not required.

      -Reference +Reference These identifiers are stored as the identification field and the allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line tool. @@ -1952,37 +1952,37 @@ This policy setting is used to control whether the computer's memory will be ove -

      Policy description

      +

      Policy description

      With this policy setting, you can control computer restart performance at the risk of exposing BitLocker secrets.

      -

      Introduced

      +

      Introduced

      Windows Vista

      -

      Drive type

      +

      Drive type

      All drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      The computer will not overwrite memory when it restarts. Preventing memory overwrite may improve restart performance, but it increases the risk of exposing BitLocker secrets.

      -

      When disabled or not configured

      +

      When disabled or not configured

      BitLocker secrets are removed from memory when the computer restarts.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material that is used to encrypt data. This policy setting applies only when BitLocker protection is enabled. @@ -1997,37 +1997,37 @@ This policy setting determines what values the TPM measures when it validates ea -

      Policy description

      +

      Policy description

      With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.

      -Reference +Reference This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. @@ -2072,37 +2072,37 @@ This policy setting determines what values the TPM measures when it validates ea -

      Policy description

      +

      Policy description

      With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 and Windows Vista

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.

      -Reference +Reference This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection. @@ -2147,39 +2147,39 @@ This policy setting determines what values the TPM measures when it validates ea -

      Policy description

      +

      Policy description

      With this policy setting, you can configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      -

      Setting this policy with PCR 7 omitted, overrides the Allow Secure Boot for integrity validation Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.

      +

      Conflicts

      +

      Setting this policy with PCR 7 omitted, overrides the Allow Secure Boot for integrity validation Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.

      If your environments use TPM and Secure Boot for platform integrity checks, this policy should not be configured.

      For more information about PCR 7, see Platform Configuration Register (PCR) in this topic.

      -

      When enabled

      +

      When enabled

      Before you turn on BitLocker, you can configure the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.

      -

      When disabled or not configured

      +

      When disabled or not configured

      BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.

      -Reference +Reference This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection. @@ -2222,41 +2222,41 @@ This policy setting determines if you want platform validation data to refresh w -

      Policy description

      +

      Policy description

      With this policy setting, you can control whether platform validation data is refreshed when Windows is started following a BitLocker recovery.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      Platform validation data is refreshed when Windows is started following a BitLocker recovery.

      -

      When disabled

      +

      When disabled

      Platform validation data is not refreshed when Windows is started following a BitLocker recovery.

      -

      When not configured

      +

      When not configured

      Platform validation data is refreshed when Windows is started following a BitLocker recovery.

      -Reference +Reference For more information about the recovery process, see the [BitLocker recovery guide](bitlocker-recovery-guide-plan.md). @@ -2271,41 +2271,41 @@ This policy setting determines specific Boot Configuration Data (BCD) settings t -

      Policy description

      +

      Policy description

      With this policy setting, you can specify Boot Configuration Data (BCD) settings to verify during platform validation.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      -

      When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, the Use enhanced Boot Configuration Data validation profile Group Policy setting is ignored (as defined by the Allow Secure Boot for integrity validation Group Policy setting).

      +

      Conflicts

      +

      When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, the Use enhanced Boot Configuration Data validation profile Group Policy setting is ignored (as defined by the Allow Secure Boot for integrity validation Group Policy setting).

      -

      When enabled

      +

      When enabled

      You can add additional BCD settings, exclude the BCD settings you specify, or combine inclusion and exclusion lists to create a customized BCD validation profile, which gives you the ability to verify those BCD settings.

      -

      When disabled

      +

      When disabled

      The computer reverts to a BCD profile validation similar to the default BCD profile that is used by Windows 7.

      -

      When not configured

      +

      When not configured

      The computer verifies the default BCD settings in Windows.

      -Reference +Reference >**Note:** The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it is included in the inclusion or the exclusion list. @@ -2320,37 +2320,37 @@ This policy setting is used to control whether access to drives is allowed by us -

      Policy description

      +

      Policy description

      With this policy setting, you can configure whether fixed data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2).

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Fixed data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled and When not configured

      +

      When enabled and When not configured

      Fixed data drives that are formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.

      -

      When disabled

      +

      When disabled

      Fixed data drives that are formatted with the FAT file system and are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed.

      -Reference +Reference >**Note:** This policy setting does not apply to drives that are formatted with the NTFS file system. @@ -2367,37 +2367,37 @@ This policy setting controls access to removable data drives that are using the -

      Policy description

      +

      Policy description

      With this policy setting, you can configure whether removable data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Removable data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled and When not configured

      +

      When enabled and When not configured

      Removable data drives that are formatted with the FAT file system can be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.

      -

      When disabled

      +

      When disabled

      Removable data drives that are formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed.

      -Reference +Reference >**Note:** This policy setting does not apply to drives that are formatted with the NTFS file system. @@ -2414,37 +2414,37 @@ You can configure the Federal Information Processing Standard (FIPS) setting for -

      Policy description

      +

      Policy description

      Notes

      -

      Introduced

      +

      Introduced

      Windows Server 2003 with SP1

      -

      Drive type

      +

      Drive type

      System-wide

      -

      Policy path

      -

      Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

      +

      Policy path

      +

      Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

      -

      Conflicts

      +

      Conflicts

      Some applications, such as Terminal Services, do not support FIPS-140 on all operating systems.

      -

      When enabled

      +

      When enabled

      Users will be unable to save a recovery password to any location. This includes AD DS and network folders. In addition, you cannot use WMI or the BitLocker Drive Encryption Setup wizard to create a recovery password.

      -

      When disabled or not configured

      +

      When disabled or not configured

      No BitLocker encryption key is generated

      -Reference +Reference This policy needs to be enabled before any encryption key is generated for BitLocker. Note that when this policy is enabled, BitLocker prevents creating or using recovery passwords, so recovery keys should be used instead. diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index e4e1a3ffcd..220bed5038 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -126,11 +126,11 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work -

      Name

      -

      Parameters

      +

      Name

      +

      Parameters

      -

      Add-BitLockerKeyProtector

      +

      Add-BitLockerKeyProtector

      -ADAccountOrGroup

      -ADAccountOrGroupProtector

      -Confirm

      @@ -152,26 +152,26 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work

      -WhatIf

      -

      Backup-BitLockerKeyProtector

      +

      Backup-BitLockerKeyProtector

      -Confirm

      -KeyProtectorId

      -MountPoint

      -WhatIf

      -

      Disable-BitLocker

      +

      Disable-BitLocker

      -Confirm

      -MountPoint

      -WhatIf

      -

      Disable-BitLockerAutoUnlock

      +

      Disable-BitLockerAutoUnlock

      -Confirm

      -MountPoint

      -WhatIf

      -

      Enable-BitLocker

      +

      Enable-BitLocker

      -AdAccountOrGroup

      -AdAccountOrGroupProtector

      -Confirm

      @@ -196,44 +196,44 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work

      -WhatIf

      -

      Enable-BitLockerAutoUnlock

      +

      Enable-BitLockerAutoUnlock

      -Confirm

      -MountPoint

      -WhatIf

      -

      Get-BitLockerVolume

      +

      Get-BitLockerVolume

      -MountPoint

      -

      Lock-BitLocker

      +

      Lock-BitLocker

      -Confirm

      -ForceDismount

      -MountPoint

      -WhatIf

      -

      Remove-BitLockerKeyProtector

      +

      Remove-BitLockerKeyProtector

      -Confirm

      -KeyProtectorId

      -MountPoint

      -WhatIf

      -

      Resume-BitLocker

      +

      Resume-BitLocker

      -Confirm

      -MountPoint

      -WhatIf

      -

      Suspend-BitLocker

      +

      Suspend-BitLocker

      -Confirm

      -MountPoint

      -RebootCount

      -WhatIf

      -

      Unlock-BitLocker

      +

      Unlock-BitLocker

      -AdAccountOrGroup

      -Confirm

      -MountPoint

      diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 1473dadc79..d6b97d2ac5 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -168,91 +168,91 @@ The following table contains information about both Physical Disk Resources (i.e -

      Action

      -

      On owner node of failover volume

      -

      On Metadata Server (MDS) of CSV

      -

      On (Data Server) DS of CSV

      -

      Maintenance Mode

      +

      Action

      +

      On owner node of failover volume

      +

      On Metadata Server (MDS) of CSV

      +

      On (Data Server) DS of CSV

      +

      Maintenance Mode

      -

      Manage-bde –on

      +

      Manage-bde –on

      Blocked

      Blocked

      Blocked

      Allowed

      -

      Manage-bde –off

      +

      Manage-bde –off

      Blocked

      Blocked

      Blocked

      Allowed

      -

      Manage-bde Pause/Resume

      +

      Manage-bde Pause/Resume

      Blocked

      -

      Blocked

      +

      Blocked

      Blocked

      Allowed

      -

      Manage-bde –lock

      +

      Manage-bde –lock

      Blocked

      Blocked

      Blocked

      Allowed

      -

      manage-bde –wipe

      +

      manage-bde –wipe

      Blocked

      Blocked

      Blocked

      Allowed

      -

      Unlock

      +

      Unlock

      Automatic via cluster service

      Automatic via cluster service

      Automatic via cluster service

      Allowed

      -

      manage-bde –protector –add

      +

      manage-bde –protector –add

      Allowed

      Allowed

      Blocked

      Allowed

      -

      manage-bde -protector -delete

      +

      manage-bde -protector -delete

      Allowed

      Allowed

      Blocked

      Allowed

      -

      manage-bde –autounlock

      +

      manage-bde –autounlock

      Allowed (not recommended)

      Allowed (not recommended)

      Blocked

      Allowed (not recommended)

      -

      Manage-bde -upgrade

      +

      Manage-bde -upgrade

      Allowed

      Allowed

      Blocked

      Allowed

      -

      Shrink

      +

      Shrink

      Allowed

      Allowed

      Blocked

      Allowed

      -

      Extend

      +

      Extend

      Allowed

      Allowed

      Blocked

      @@ -261,7 +261,7 @@ The following table contains information about both Physical Disk Resources (i.e ->      Note:** Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node +>Note:** Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node In the case where a physical disk resource experiences a failover event during conversion, the new owning node will detect the conversion is not complete and will complete the conversion process. diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md index 23f23e50da..97733a4dd7 100644 --- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md @@ -53,7 +53,7 @@ This table includes info about how unenlightened apps might behave, based on you Name-based policies, using the /*AppCompat*/ string or proxy-based policies - Not required. App connects to enterprise cloud resources directly, using an IP address. + Not required. App connects to enterprise cloud resources directly, using an IP address.
      • App is entirely blocked from both personal and enterprise cloud resources.
        • @@ -70,7 +70,7 @@ This table includes info about how unenlightened apps might behave, based on you - Not required. App connects to enterprise cloud resources, using a hostname. + Not required. App connects to enterprise cloud resources, using a hostname.
        • App is blocked from accessing enterprise cloud resources, but can access other network resources.
          • @@ -80,7 +80,7 @@ This table includes info about how unenlightened apps might behave, based on you - Allow. App connects to enterprise cloud resources, using an IP address or a hostname. + Allow. App connects to enterprise cloud resources, using an IP address or a hostname.
          • App can access both personal and enterprise cloud resources.
            • @@ -90,7 +90,7 @@ This table includes info about how unenlightened apps might behave, based on you - Exempt. App connects to enterprise cloud resources, using an IP address or a hostname. + Exempt. App connects to enterprise cloud resources, using an IP address or a hostname.
            • App can access both personal and enterprise cloud resources.
              • @@ -110,7 +110,7 @@ This table includes info about how enlightened apps might behave, based on your Networking policy configuration for name-based policies, possibly using the /*AppCompat*/ string, or proxy-based policies - Not required. App connects to enterprise cloud resources, using an IP address or a hostname. + Not required. App connects to enterprise cloud resources, using an IP address or a hostname.
              • App is blocked from accessing enterprise cloud resources, but can access other network resources.
                • @@ -120,7 +120,7 @@ This table includes info about how enlightened apps might behave, based on your - Allow. App connects to enterprise cloud resources, using an IP address or a hostname. + Allow. App connects to enterprise cloud resources, using an IP address or a hostname.
                • App can access both personal and enterprise cloud resources.
                  • @@ -130,7 +130,7 @@ This table includes info about how enlightened apps might behave, based on your - Exempt. App connects to enterprise cloud resources, using an IP address or a hostname. + Exempt. App connects to enterprise cloud resources, using an IP address or a hostname.
                  • App can access both personal and enterprise cloud resources.
                    • diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md index a5baa19809..49a57283b7 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md @@ -190,27 +190,27 @@ For this example, we're going to add Internet Explorer, a desktop app, to the ** All files signed by any publisher. (Not recommended.) - Publisher selected + Publisher selected All files signed by the named publisher.

                    This might be useful if your company is the publisher and signer of internal line-of-business apps. - Publisher and Product Name selected + Publisher and Product Name selected All files for the specified product, signed by the named publisher. - Publisher, Product Name, and Binary name selected + Publisher, Product Name, and Binary name selected Any version of the named file or package for the specified product, signed by the named publisher. - Publisher, Product Name, Binary name, and File Version, and above, selected + Publisher, Product Name, Binary name, and File Version, and above, selected Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.

                    This option is recommended for enlightened apps that weren't previously enlightened. - Publisher, Product Name, Binary name, and File Version, And below selected + Publisher, Product Name, Binary name, and File Version, And below selected Specified version or older releases of the named file or package for the specified product, signed by the named publisher. - Publisher, Product Name, Binary name, and File Version, Exactly selected + Publisher, Product Name, Binary name, and File Version, Exactly selected Specified version of the named file or package for the specified product, signed by the named publisher. @@ -403,8 +403,8 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources - With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
                    contoso.visualstudio.com,contoso.internalproxy2.com

                    Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

                    For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

                    If you have multiple resources, you must separate them using the "|" delimiter. If you don't use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

                    Important
                    In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/. + With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
                    contoso.visualstudio.com,contoso.internalproxy2.com

                    Without proxy: contoso.sharepoint.com|contoso.visualstudio.com + Specify the cloud resources to be treated as corporate and protected by WIP.

                    For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

                    If you have multiple resources, you must separate them using the "|" delimiter. If you don't use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

                    Important
                    In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/. Enterprise Network Domain Names (Required) @@ -422,12 +422,12 @@ There are no default locations included with WIP, you must add each of your netw Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.

                    This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.

                    If you have multiple resources, you must separate them using the ";" delimiter.
                    Enterprise IPv4 Range (Required) - Starting IPv4 Address: 3.4.0.1
                    Ending IPv4 Address: 3.4.255.254
                    Custom URI: 3.4.0.1-3.4.255.254,
                    10.0.0.1-10.255.255.254 + Starting IPv4 Address: 3.4.0.1
                    Ending IPv4 Address: 3.4.255.254
                    Custom URI: 3.4.0.1-3.4.255.254,
                    10.0.0.1-10.255.255.254 Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

                    If you have multiple ranges, you must separate them using the "," delimiter. Enterprise IPv6 Range - Starting IPv6 Address: 2a01:110::
                    Ending IPv6 Address: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
                    Custom URI: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
                    fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + Starting IPv6 Address: 2a01:110::
                    Ending IPv6 Address: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
                    Custom URI: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
                    fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

                    If you have multiple ranges, you must separate them using the "," delimiter. diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index 8c01645295..a099742145 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -108,7 +108,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li | Microsoft Messaging | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                    **Product Name:** Microsoft.Messaging
                    **App Type:** Universal app | | IE11 | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                    **Binary Name:** iexplore.exe
                    **App Type:** Desktop app | | OneDrive Sync Client | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                    **Binary Name:** onedrive.exe
                    **App Type:** Desktop app | -| OneDrive app | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                    **Product Name:** Microsoft.Microsoftskydrive
                    Product Version:Product version: 17.21.0.0 (and later)
                    **App Type:** Universal app | +| OneDrive app | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                    **Product Name:** Microsoft.Microsoftskydrive
                    Product Version:Product version: 17.21.0.0 (and later)
                    **App Type:** Universal app | | Notepad | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                    **Binary Name:** notepad.exe
                    **App Type:** Desktop app | | Microsoft Paint | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                    **Binary Name:** mspaint.exe
                    **App Type:** Desktop app | | Microsoft Remote Desktop | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                    **Binary Name:** mstsc.exe
                    **App Type:** Desktop app | diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 340c9edb2a..c1cd7193c0 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -33,18 +33,18 @@ This table provides info about the most common problems you might encounter whil Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration. - If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.

                    If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. + If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.

                    If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.

                    We strongly recommend educating employees about how to limit or eliminate the need for this decryption. Direct Access is incompatible with WIP. Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource. - We recommend that you use VPN for client access to your intranet resources.

                    Note
                    VPN is optional and isn’t required by WIP. + We recommend that you use VPN for client access to your intranet resources.

                    Note
                    VPN is optional and isn’t required by WIP. - NetworkIsolation Group Policy setting takes precedence over MDM Policy settings. - The NetworkIsolation Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured. - If you use both Group Policy and MDM to configure your NetworkIsolation settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM. + NetworkIsolation Group Policy setting takes precedence over MDM Policy settings. + The NetworkIsolation Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured. + If you use both Group Policy and MDM to configure your NetworkIsolation settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM. Cortana can potentially allow data leakage if it’s on the allowed apps list. @@ -63,7 +63,7 @@ This table provides info about the most common problems you might encounter whil

                    • Start the installer directly from the file share.

                      -OR-

                    • Decrypt the locally copied files needed by the installer.

                      -OR-

                      • -
                    • Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as Authoritative and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list.
                      • +
                    • Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as Authoritative and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list.
                    @@ -74,17 +74,17 @@ This table provides info about the most common problems you might encounter whil Redirected folders with Client Side Caching are not compatible with WIP. Apps might encounter access errors while attempting to read a cached, offline file. - Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.

                    Note
                    For more info about Work Folders and Offline Files, see the blog, Work Folders and Offline Files support for Windows Information Protection. If you're having trouble opening files offline while using Offline Files and WIP, see the support article, Can't open files offline when you use Offline Files and Windows Information Protection. + Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.

                    Note
                    For more info about Work Folders and Offline Files, see the blog, Work Folders and Offline Files support for Windows Information Protection. If you're having trouble opening files offline while using Offline Files and WIP, see the support article, Can't open files offline when you use Offline Files and Windows Information Protection. An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device. -

                    Data copied from the WIP-managed device is marked as Work.

                    Data copied to the WIP-managed device is not marked as Work.

                    Local Work data copied to the WIP-managed device remains Work data.

                    Work data that is copied between two apps in the same session remains data. +

                    Data copied from the WIP-managed device is marked as Work.

                    Data copied to the WIP-managed device is not marked as Work.

                    Local Work data copied to the WIP-managed device remains Work data.

                    Work data that is copied between two apps in the same session remains data. Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default. You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer. - A message appears stating that the content is marked as Work and the user isn't given an option to override to Personal. - Open File Explorer and change the file ownership to Personal before you upload. + A message appears stating that the content is marked as Work and the user isn't given an option to override to Personal. + Open File Explorer and change the file ownership to Personal before you upload. ActiveX controls should be used with caution. @@ -97,7 +97,7 @@ This table provides info about the most common problems you might encounter whil Format drive for NTFS, or use a different drive. - WIP isn’t turned on if any of the following folders have the MakeFolderAvailableOfflineDisabled option set to False: + WIP isn’t turned on if any of the following folders have the MakeFolderAvailableOfflineDisabled option set to False:

                    • AppDataRoaming
                    • Desktop
                      • @@ -115,7 +115,7 @@ This table provides info about the most common problems you might encounter whil
                    WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager. - Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders. You can configure this parameter, as described here.

                    If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see Can't open files offline when you use Offline Files and Windows Information Protection. + Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders. You can configure this parameter, as described here.

                    If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see Can't open files offline when you use Offline Files and Windows Information Protection. @@ -143,7 +143,7 @@ This table provides info about the most common problems you might encounter whil Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the “Open in app” button. - Microsoft Office Outlook offline data files (PST and OST files) are not marked as Work files, and are therefore not protected. + Microsoft Office Outlook offline data files (PST and OST files) are not marked as Work files, and are therefore not protected. If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected. diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index 961744bbf6..7353daae25 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -39,30 +39,30 @@ You can try any of the processes included in these scenarios, but you should foc Encrypt and decrypt files using File Explorer. - For desktop:

                    + For desktop:

                      -
                    1. Open File Explorer, right-click a work document, and then click Work from the File Ownership menu.
                      Make sure the file is encrypted by right-clicking the file again, clicking Advanced from the General tab, and then clicking Details from the Compress or Encrypt attributes area. The file should show up under the heading, This enterprise domain can remove or revoke access: <your_enterprise_identity>. For example, contoso.com.
                      2. -
                    2. In File Explorer, right-click the same document, and then click Personal from the File Ownership menu.
                      Make sure the file is decrypted by right-clicking the file again, clicking Advanced from the General tab, and then verifying that the Details button is unavailable.
                      3. +
                    3. Open File Explorer, right-click a work document, and then click Work from the File Ownership menu.
                      Make sure the file is encrypted by right-clicking the file again, clicking Advanced from the General tab, and then clicking Details from the Compress or Encrypt attributes area. The file should show up under the heading, This enterprise domain can remove or revoke access: <your_enterprise_identity>. For example, contoso.com.
                      4. +
                    4. In File Explorer, right-click the same document, and then click Personal from the File Ownership menu.
                      Make sure the file is decrypted by right-clicking the file again, clicking Advanced from the General tab, and then verifying that the Details button is unavailable.
                    - For mobile:

                    + For mobile:

                      -
                    1. Open the File Explorer app, browse to a file location, click the elipsis (...), and then click Select to mark at least one file as work-related.
                      2. -
                    2. Click the elipsis (...) again, click File ownership from the drop down menu, and then click Work.
                      Make sure the file is encrypted, by locating the Briefcase icon next to the file name.
                      3. -
                    3. Select the same file, click File ownership from the drop down menu, and then click Personal.
                      Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
                      4. +
                    4. Open the File Explorer app, browse to a file location, click the elipsis (...), and then click Select to mark at least one file as work-related.
                      5. +
                    5. Click the elipsis (...) again, click File ownership from the drop down menu, and then click Work.
                      Make sure the file is encrypted, by locating the Briefcase icon next to the file name.
                      6. +
                    6. Select the same file, click File ownership from the drop down menu, and then click Personal.
                      Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
                    Create work documents in enterprise-allowed apps. - For desktop:

                    + For desktop:

                    - For mobile:

                    + For mobile:

                      -
                    1. Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as Work to a local, work-related location.
                      Make sure the document is encrypted, by locating the Briefcase icon next to the file name.
                      2. +
                    2. Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as Work to a local, work-related location.
                      Make sure the document is encrypted, by locating the Briefcase icon next to the file name.
                    3. Open the same document and attempt to save it to a non-work-related location.
                      WIP should stop you from saving the file to this location.
                      4. -
                    4. Open the same document one last time, make a change to the contents, and then save it again using the Personal option.
                      Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
                      5. +
                    5. Open the same document one last time, make a change to the contents, and then save it again using the Personal option.
                      Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.

                    @@ -70,7 +70,7 @@ You can try any of the processes included in these scenarios, but you should foc
                    1. Start an app that doesn't appear on your allowed apps list, and then try to open a work-encrypted file.
                      The app shouldn't be able to access the file.
                      2. -
                    2. Try double-clicking or tapping on the work-encrypted file.
                      If your default app association is an app not on your allowed apps list, you should get an Access Denied error message.
                      3. +
                    3. Try double-clicking or tapping on the work-encrypted file.
                      If your default app association is an app not on your allowed apps list, you should get an Access Denied error message.
                    @@ -78,9 +78,9 @@ You can try any of the processes included in these scenarios, but you should foc Copy and paste from enterprise apps to non-enterprise apps.
                      -
                    1. Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.
                      You should see a WIP-related warning box, asking you to click either Change to personal or Keep at work.
                      2. -
                    2. Click Keep at work.
                      The content isn't pasted into the non-enterprise app.
                      3. -
                    3. Repeat Step 1, but this time click Change to personal, and try to paste the content again.
                      The content is pasted into the non-enterprise app.
                      4. +
                    4. Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.
                      You should see a WIP-related warning box, asking you to click either Change to personal or Keep at work.
                      5. +
                    5. Click Keep at work.
                      The content isn't pasted into the non-enterprise app.
                      6. +
                    6. Repeat Step 1, but this time click Change to personal, and try to paste the content again.
                      The content is pasted into the non-enterprise app.
                    7. Try copying and pasting content between apps on your allowed apps list.
                      The content should copy and paste between apps without any warning messages.
                    @@ -89,9 +89,9 @@ You can try any of the processes included in these scenarios, but you should foc Drag and drop from enterprise apps to non-enterprise apps.
                      -
                    1. Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.
                      You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
                      2. -
                    2. Click Keep at work.
                      The content isn't dropped into the non-enterprise app.
                      3. -
                    3. Repeat Step 1, but this time click Change to personal, and try to drop the content again.
                      The content is dropped into the non-enterprise app.
                      4. +
                    4. Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.
                      You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
                      5. +
                    5. Click Keep at work.
                      The content isn't dropped into the non-enterprise app.
                      6. +
                    6. Repeat Step 1, but this time click Change to personal, and try to drop the content again.
                      The content is dropped into the non-enterprise app.
                    7. Try dragging and dropping content between apps on your allowed apps list.
                      The content should move between the apps without any warning messages.
                    @@ -100,9 +100,9 @@ You can try any of the processes included in these scenarios, but you should foc Share between enterprise apps and non-enterprise apps.
                      -
                    1. Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.
                      You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
                      2. -
                    2. Click Keep at work.
                      The content isn't shared into Facebook.
                      3. -
                    3. Repeat Step 1, but this time click Change to personal, and try to share the content again.
                      The content is shared into Facebook.
                      4. +
                    4. Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.
                      You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
                      5. +
                    5. Click Keep at work.
                      The content isn't shared into Facebook.
                      6. +
                    6. Repeat Step 1, but this time click Change to personal, and try to share the content again.
                      The content is shared into Facebook.
                    7. Try sharing content between apps on your allowed apps list.
                      The content should share between the apps without any warning messages.
                    @@ -112,8 +112,8 @@ You can try any of the processes included in these scenarios, but you should foc
                    1. Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
                      Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
                      2. -
                    2. Open File Explorer and make sure your modified files are appearing with a Lock icon.
                      3. -
                    3. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

                      Note
                      Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.

                      A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
                      4. +
                    4. Open File Explorer and make sure your modified files are appearing with a Lock icon.
                      5. +
                    5. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

                      Note
                      Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.

                      A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
                    @@ -130,7 +130,7 @@ You can try any of the processes included in these scenarios, but you should foc Verify your shared files can use WIP.
                      -
                    1. Download a file from a protected file share, making sure the file is encrypted by locating the Briefcase icon next to the file name.
                      2. +
                    2. Download a file from a protected file share, making sure the file is encrypted by locating the Briefcase icon next to the file name.
                    3. Open the same file, make a change, save it and then try to upload it back to the file share. Again, this should work without any warnings.
                    4. Open an app that doesn't appear on your allowed apps list and attempt to access a file on the WIP-enabled file share.
                      The app shouldn't be able to access the file share.
                    @@ -142,7 +142,7 @@ You can try any of the processes included in these scenarios, but you should foc
                    1. Add both Internet Explorer 11 and Microsoft Edge to your allowed apps list.
                    2. Open SharePoint (or another cloud resource that's part of your policy) and access a WIP-enabled resource by using both IE11 and Microsoft Edge.
                      Both browsers should respect the enterprise and personal boundary.
                      3. -
                    3. Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.
                      IE11 shouldn't be able to access the sites.

                      Note
                      Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as Work.
                      4. +
                    4. Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.
                      IE11 shouldn't be able to access the sites.

                      Note
                      Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as Work.
                    @@ -150,7 +150,7 @@ You can try any of the processes included in these scenarios, but you should foc Verify your Virtual Private Network (VPN) can be auto-triggered.
                      -
                    1. Set up your VPN network to start based on the WIPModeID setting.
                      For specific info about how to do this, see the Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune topic.
                      2. +
                    2. Set up your VPN network to start based on the WIPModeID setting.
                      For specific info about how to do this, see the Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune topic.
                    3. Start an app from your allowed apps list.
                      The VPN network should automatically start.
                    4. Disconnect from your network and then start an app that isn't on your allowed apps list.
                      The VPN shouldn't start and the app shouldn't be able to access your enterprise network.
                    @@ -160,7 +160,7 @@ You can try any of the processes included in these scenarios, but you should foc Unenroll client devices from WIP.
                      -
                    • Unenroll a device from WIP by going to Settings, click Accounts, click Work, click the name of the device you want to unenroll, and then click Remove.
                      The device should be removed and all of the enterprise content for that managed account should be gone.

                      Important
                      On desktop devices, the data isn't removed and can be recovered, so you must make sure the content is marked as Revoked and that access is denied for the employee. On mobile devices, the data is removed.
                      • +
                    • Unenroll a device from WIP by going to Settings, click Accounts, click Work, click the name of the device you want to unenroll, and then click Remove.
                      The device should be removed and all of the enterprise content for that managed account should be gone.

                      Important
                      On desktop devices, the data isn't removed and can be recovered, so you must make sure the content is marked as Revoked and that access is denied for the employee. On mobile devices, the data is removed.
                    diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md index d0474f5941..4289b8d65a 100644 --- a/windows/security/threat-protection/auditing/event-4626.md +++ b/windows/security/threat-protection/auditing/event-4626.md @@ -157,7 +157,7 @@ This event generates on the computer to which the logon was performed (target co - “dadmin” – claim value. -**Device Claims** \[Type = UnicodeString\]**:** list of device claims for new logon session. For user accounts this field typically has “**-**“ value. For computer accounts this field has device claims listed. +**Device Claims** \[Type = UnicodeString\]**:** list of device claims for new logon session. For user accounts this field typically has “**-**“ value. For computer accounts this field has device claims listed. ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md index 45dcd000c9..bc6d20907b 100644 --- a/windows/security/threat-protection/auditing/event-4670.md +++ b/windows/security/threat-protection/auditing/event-4670.md @@ -274,5 +274,5 @@ For file system and registry objects, the following recommendations apply. - If you have critical registry objects for which you need to monitor all modifications (especially permissions changes and owner changes), monitor for the specific **Object\\Object Name.** -- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers. For example, you could monitor the **ntds.dit** file on domain controllers. +- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers. For example, you could monitor the **ntds.dit** file on domain controllers. diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md index 1641acbc10..81b9fd94a0 100644 --- a/windows/security/threat-protection/auditing/event-4672.md +++ b/windows/security/threat-protection/auditing/event-4672.md @@ -22,7 +22,7 @@ ms.author: dansimp Event 4672 illustration
                    -Subcategory: Audit Special Logon +Subcategory: Audit Special Logon ***Event Description:*** diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md index 1caa24d32d..dc2d0e52fe 100644 --- a/windows/security/threat-protection/auditing/event-4673.md +++ b/windows/security/threat-protection/auditing/event-4673.md @@ -135,40 +135,40 @@ Failure event generates when service call attempt fails. | **Subcategory of event** | **Privilege Name:
                    User Right Group Policy Name** | **Description** | |-----------------------------------|-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
                    Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
                    With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | -| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
                    Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | -| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
                    Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | -| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
                    Create permanent shared objects | Required to create a permanent object.
                    This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | -| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
                    Create symbolic links | Required to create a symbolic link. | -| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
                    Increase scheduling priority | Required to increase the base priority of a process.
                    With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | -| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
                    Adjust memory quotas for a process | Required to increase the quota assigned to a process.
                    With this privilege, the user can change the maximum memory that can be consumed by a process. | -| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
                    Increase a process working set | Required to allocate more memory for applications that run in the context of users. | -| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
                    Lock pages in memory | Required to lock physical pages in memory.
                    With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | -| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
                    Add workstations to domain | With this privilege, the user can create a computer account.
                    This privilege is valid only on domain controllers. | -| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
                    Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | -| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
                    Profile single process | Required to gather profiling information for a single process.
                    With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | -| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
                    Modify an object label | Required to modify the mandatory integrity level of an object. | -| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
                    Force shutdown from a remote system | Required to shut down a system using a network request. | -| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
                    Shut down the system | Required to shut down a local system. | -| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
                    Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
                    With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | -| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
                    Profile system performance | Required to gather profiling information for the entire system.
                    With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | -| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
                    Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs.
                    If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | -| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
                    Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | -| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
                    Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | -| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
                    Remove computer from docking station | Required to undock a laptop.
                    With this privilege, the user can undock a portable computer from its docking station without logging on. | +| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
                    Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
                    With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
                    Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
                    Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
                    Create permanent shared objects | Required to create a permanent object.
                    This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
                    Create symbolic links | Required to create a symbolic link. | +| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
                    Increase scheduling priority | Required to increase the base priority of a process.
                    With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
                    Adjust memory quotas for a process | Required to increase the quota assigned to a process.
                    With this privilege, the user can change the maximum memory that can be consumed by a process. | +| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
                    Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
                    Lock pages in memory | Required to lock physical pages in memory.
                    With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
                    Add workstations to domain | With this privilege, the user can create a computer account.
                    This privilege is valid only on domain controllers. | +| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
                    Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
                    Profile single process | Required to gather profiling information for a single process.
                    With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
                    Modify an object label | Required to modify the mandatory integrity level of an object. | +| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
                    Force shutdown from a remote system | Required to shut down a system using a network request. | +| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
                    Shut down the system | Required to shut down a local system. | +| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
                    Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
                    With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
                    Profile system performance | Required to gather profiling information for the entire system.
                    With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
                    Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs.
                    If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
                    Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
                    Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
                    Remove computer from docking station | Required to undock a laptop.
                    With this privilege, the user can undock a portable computer from its docking station without logging on. | | **Subcategory of event** | **Privilege Name:
                    User Right Group Policy Name** | **Description** | |-------------------------------|------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
                    Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | -| Audit Sensitive Privilege Use | SeAuditPrivilege:
                    Generate security audits | With this privilege, the user can add entries to the security log. | -| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
                    Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | -| Audit Sensitive Privilege Use | SeDebugPrivilege:
                    Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | -| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
                    Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | -| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
                    Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | -| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
                    Lock pages in memory | Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | -| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
                    Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | -| Audit Sensitive Privilege Use | SeTcbPrivilege:
                    Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | -| Audit Sensitive Privilege Use | SeEnableDelegationPrivilege:
                    Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
                    Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| Audit Sensitive Privilege Use | SeAuditPrivilege:
                    Generate security audits | With this privilege, the user can add entries to the security log. | +| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
                    Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| Audit Sensitive Privilege Use | SeDebugPrivilege:
                    Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
                    Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
                    Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
                    Lock pages in memory | Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
                    Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| Audit Sensitive Privilege Use | SeTcbPrivilege:
                    Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| Audit Sensitive Privilege Use | SeEnableDelegationPrivilege:
                    Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md index b4146f681a..5781254277 100644 --- a/windows/security/threat-protection/auditing/event-4674.md +++ b/windows/security/threat-protection/auditing/event-4674.md @@ -157,42 +157,42 @@ Failure event generates when operation attempt fails. | **Subcategory of event** | **Privilege Name:
                    User Right Group Policy Name** | **Description** | |-----------------------------------|-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
                    Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
                    With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | -| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
                    Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | -| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
                    Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | -| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
                    Create permanent shared objects | Required to create a permanent object.
                    This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | -| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
                    Create symbolic links | Required to create a symbolic link. | -| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
                    Increase scheduling priority | Required to increase the base priority of a process.
                    With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | -| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
                    Adjust memory quotas for a process | Required to increase the quota assigned to a process.
                    With this privilege, the user can change the maximum memory that can be consumed by a process. | -| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
                    Increase a process working set | Required to allocate more memory for applications that run in the context of users. | -| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
                    Lock pages in memory | Required to lock physical pages in memory.
                    With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | -| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
                    Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers. | -| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
                    Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | -| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
                    Profile single process | Required to gather profiling information for a single process.
                    With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | -| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
                    Modify an object label | Required to modify the mandatory integrity level of an object. | -| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
                    Force shutdown from a remote system | Required to shut down a system using a network request. | -| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
                    Shut down the system | Required to shut down a local system. | -| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
                    Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
                    With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | -| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
                    Profile system performance | Required to gather profiling information for the entire system.
                    With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | -| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
                    Change the system time | Required to modify the system time.
                    With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | -| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
                    Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | -| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
                    Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | -| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
                    Remove computer from docking station | Required to undock a laptop.
                    With this privilege, the user can undock a portable computer from its docking station without logging on. | +| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
                    Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
                    With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
                    Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
                    Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
                    Create permanent shared objects | Required to create a permanent object.
                    This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
                    Create symbolic links | Required to create a symbolic link. | +| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
                    Increase scheduling priority | Required to increase the base priority of a process.
                    With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
                    Adjust memory quotas for a process | Required to increase the quota assigned to a process.
                    With this privilege, the user can change the maximum memory that can be consumed by a process. | +| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
                    Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
                    Lock pages in memory | Required to lock physical pages in memory.
                    With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
                    Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers. | +| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
                    Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
                    Profile single process | Required to gather profiling information for a single process.
                    With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
                    Modify an object label | Required to modify the mandatory integrity level of an object. | +| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
                    Force shutdown from a remote system | Required to shut down a system using a network request. | +| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
                    Shut down the system | Required to shut down a local system. | +| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
                    Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
                    With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
                    Profile system performance | Required to gather profiling information for the entire system.
                    With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
                    Change the system time | Required to modify the system time.
                    With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
                    Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
                    Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
                    Remove computer from docking station | Required to undock a laptop.
                    With this privilege, the user can undock a portable computer from its docking station without logging on. | | **Subcategory of event** | **Privilege Name:
                    User Right Group Policy Name** | **Description** | |-------------------------------|-----------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
                    Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
                    With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | -| Audit Sensitive Privilege Use | SeAuditPrivilege:
                    Generate security audits | With this privilege, the user can add entries to the security log. | -| Audit Sensitive Privilege Use | SeBackupPrivilege:
                    Back up files and directories | - Required to perform backup operations.
                    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
                    The following access rights are granted if this privilege is held:
                    READ\_CONTROL
                    ACCESS\_SYSTEM\_SECURITY
                    FILE\_GENERIC\_READ
                    FILE\_TRAVERSE | -| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
                    Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
                    When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | -| Audit Sensitive Privilege Use | SeDebugPrivilege:
                    Debug programs | Required to debug and adjust the memory of a process owned by another account.
                    With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right.
                    This user right provides complete access to sensitive and critical operating system components. | -| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
                    Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | -| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
                    Load and unload device drivers | Required to load or unload a device driver.
                    With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | -| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
                    Lock pages in memory | Required to lock physical pages in memory.
                    With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | -| Audit Sensitive Privilege Use | SeRestorePrivilege:
                    Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
                    WRITE\_DAC
                    WRITE\_OWNER
                    ACCESS\_SYSTEM\_SECURITY
                    FILE\_GENERIC\_WRITE
                    FILE\_ADD\_FILE
                    FILE\_ADD\_SUBDIRECTORY
                    DELETE
                    With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | -| Audit Sensitive Privilege Use | SeSecurityPrivilege:
                    Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
                    With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log. | -| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
                    Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | -| Audit Sensitive Privilege Use | SeTakeOwnershipPrivilege:
                    Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
                    With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
                    Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
                    With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| Audit Sensitive Privilege Use | SeAuditPrivilege:
                    Generate security audits | With this privilege, the user can add entries to the security log. | +| Audit Sensitive Privilege Use | SeBackupPrivilege:
                    Back up files and directories | - Required to perform backup operations.
                    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
                    The following access rights are granted if this privilege is held:
                    READ\_CONTROL
                    ACCESS\_SYSTEM\_SECURITY
                    FILE\_GENERIC\_READ
                    FILE\_TRAVERSE | +| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
                    Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
                    When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| Audit Sensitive Privilege Use | SeDebugPrivilege:
                    Debug programs | Required to debug and adjust the memory of a process owned by another account.
                    With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right.
                    This user right provides complete access to sensitive and critical operating system components. | +| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
                    Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
                    Load and unload device drivers | Required to load or unload a device driver.
                    With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
                    Lock pages in memory | Required to lock physical pages in memory.
                    With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Sensitive Privilege Use | SeRestorePrivilege:
                    Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
                    WRITE\_DAC
                    WRITE\_OWNER
                    ACCESS\_SYSTEM\_SECURITY
                    FILE\_GENERIC\_WRITE
                    FILE\_ADD\_FILE
                    FILE\_ADD\_SUBDIRECTORY
                    DELETE
                    With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| Audit Sensitive Privilege Use | SeSecurityPrivilege:
                    Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
                    With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log. | +| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
                    Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| Audit Sensitive Privilege Use | SeTakeOwnershipPrivilege:
                    Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
                    With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index 55ace9419d..e441a2501c 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -206,9 +206,9 @@ For 4688(S): A new process has been created. - It can be unusual for a process to run using a local account in either **Creator Subject\\Security ID** or in **Target** **Subject\\Security ID**. -- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (1)** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol. Typically this means that UAC is disabled for this account for some reason. +- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (1)** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol. Typically this means that UAC is disabled for this account for some reason. -- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol. This means that a user ran a program using administrative privileges. +- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol. This means that a user ran a program using administrative privileges. - You can also monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when a computer object was used to run the process, but that computer object is not the same computer where the event occurs. diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md index ef907d69b0..ddfd079946 100644 --- a/windows/security/threat-protection/auditing/event-4741.md +++ b/windows/security/threat-protection/auditing/event-4741.md @@ -242,7 +242,7 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT - **DNS Host Name** \[Type = UnicodeString\]: name of computer account as registered in DNS. The value of **dNSHostName** attribute of new computer object. For manually created computer account objects this field has value “**-**“. -- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of **servicePrincipalName** attribute of new computer object. For manually created computer objects it is typically equals “**-**“. This is an example of **Service Principal Names** field for new domain joined workstation: +- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of **servicePrincipalName** attribute of new computer object. For manually created computer objects it is typically equals “**-**“. This is an example of **Service Principal Names** field for new domain joined workstation: HOST/Win81.contoso.local diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md index b39135ee00..94fc78b48f 100644 --- a/windows/security/threat-protection/auditing/event-4742.md +++ b/windows/security/threat-protection/auditing/event-4742.md @@ -243,7 +243,7 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT - **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. If the SPN list of a computer account changed, you will see the new SPN list in **Service Principal Names** field (note that you will see the new list instead of changes). If the value of **servicePrincipalName** attribute of computer object was changed, you will see the new value here. - Here is an example of **Service Principal Names** field for new domain joined workstation in event 4742 on domain controller, after workstation reboots: + Here is an example of **Service Principal Names** field for new domain joined workstation in event 4742 on domain controller, after workstation reboots: HOST/Win81.contoso.local diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md index 34454c6d14..6610d670eb 100644 --- a/windows/security/threat-protection/auditing/event-4907.md +++ b/windows/security/threat-protection/auditing/event-4907.md @@ -285,5 +285,5 @@ For 4907(S): Auditing settings on object were changed. - If you have critical file or registry objects and you need to monitor all modifications (especially changes in SACL), monitor for specific “**Object\\Object Name”**. -- If you have high-value computers for which you need to monitor all changes for all or specific file or registry objects, monitor for all [4907](event-4907.md) events on these computers. +- If you have high-value computers for which you need to monitor all changes for all or specific file or registry objects, monitor for all [4907](event-4907.md) events on these computers. diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md index a4f705ba93..3d3d5152cc 100644 --- a/windows/security/threat-protection/auditing/event-5140.md +++ b/windows/security/threat-protection/auditing/event-5140.md @@ -145,7 +145,7 @@ For 5140(S, F): A network share object was accessed. > **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). -- If you have high-value computers for which you need to monitor all access to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor share **C$** on domain controllers. +- If you have high-value computers for which you need to monitor all access to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor share **C$** on domain controllers. - Monitor this event if the **Network Information\\Source Address** is not from your internal IP range. diff --git a/windows/security/threat-protection/auditing/event-5142.md b/windows/security/threat-protection/auditing/event-5142.md index 858e4a608f..727a8f8576 100644 --- a/windows/security/threat-protection/auditing/event-5142.md +++ b/windows/security/threat-protection/auditing/event-5142.md @@ -104,7 +104,7 @@ For 5142(S): A network share object was added. > **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). -- If you have high-value computers for which you need to monitor creation of new file shares, monitor this event. For example, you could monitor domain controllers. +- If you have high-value computers for which you need to monitor creation of new file shares, monitor this event. For example, you could monitor domain controllers. - We recommend checking “**Share Path**”, because it should not point to system directories, such as **C:\\Windows** or **C:\\**, or to critical local folders which contain private or high value information. diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md index c7f46521ae..7fd678a12b 100644 --- a/windows/security/threat-protection/auditing/event-5143.md +++ b/windows/security/threat-protection/auditing/event-5143.md @@ -259,5 +259,5 @@ For 5143(S): A network share object was modified. > **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). -- If you have high-value computers for which you need to monitor all modifications to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor all changes to the SYSVOL share on domain controllers. +- If you have high-value computers for which you need to monitor all modifications to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor all changes to the SYSVOL share on domain controllers. diff --git a/windows/security/threat-protection/auditing/event-5144.md b/windows/security/threat-protection/auditing/event-5144.md index 4c20a34092..c0cff03c22 100644 --- a/windows/security/threat-protection/auditing/event-5144.md +++ b/windows/security/threat-protection/auditing/event-5144.md @@ -106,5 +106,5 @@ For 5144(S): A network share object was deleted. - If you have critical network shares for which you need to monitor all changes (especially, the deletion of that share), monitor for specific “**Share Information\\Share Name”.** -- If you have high-value computers for which you need to monitor all changes (especially, deletion of file shares), monitor for all [5144](event-5144.md) events on these computers. For example, you could monitor file shares on domain controllers. +- If you have high-value computers for which you need to monitor all changes (especially, deletion of file shares), monitor for all [5144](event-5144.md) events on these computers. For example, you could monitor file shares on domain controllers. diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index 725e9d2023..d594900ce7 100644 --- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md @@ -42,7 +42,7 @@ The following tables provide more information about the hardware, firmware, and | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | | Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | -| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

                    Important:
                    Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

                    | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. | +| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

                    Important:
                    Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

                    | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. | > **Important**  The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide. @@ -75,6 +75,6 @@ The following tables describe additional hardware and firmware qualifications, a | Protections for Improved Security | Description | Security benefits | |---------------------------------------------|----------------------------------------------------|------| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
                    • UEFI runtime service must meet these requirements:
                        • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
                        • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
                        • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
                            • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
                            • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

                    Notes:
                    • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
                    • This protection is applied by VBS on OS page tables.


                    Please also note the following:
                    • Do not use sections that are both writeable and executable
                    • Do not attempt to directly modify executable system memory
                    • Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
                    • Reduces the attack surface to VBS from system firmware. | +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
                    • UEFI runtime service must meet these requirements:
                        • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
                        • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
                        • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
                            • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
                            • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

                    Notes:
                    • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
                    • This protection is applied by VBS on OS page tables.


                    Please also note the following:
                    • Do not use sections that are both writeable and executable
                    • Do not attempt to directly modify executable system memory
                    • Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
                    • Reduces the attack surface to VBS from system firmware. | | Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
                    • Reduces the attack surface to VBS from system firmware.
                    • Blocks additional security attacks against SMM. | diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md index 7bc3af8993..262058bf1d 100644 --- a/windows/security/threat-protection/fips-140-validation.md +++ b/windows/security/threat-protection/fips-140-validation.md @@ -102,10 +102,10 @@ Validated Editions: Home, Pro, Enterprise, Education -Cryptographic Module -Version (link to Security Policy) -FIPS Certificate # -Algorithms +Cryptographic Module +Version (link to Security Policy) +FIPS Certificate # +Algorithms Cryptographic Primitives Library @@ -166,10 +166,10 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile -Cryptographic Module -Version (link to Security Policy) -FIPS Certificate # -Algorithms +Cryptographic Module +Version (link to Security Policy) +FIPS Certificate # +Algorithms Cryptographic Primitives Library @@ -236,10 +236,10 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile -Cryptographic Module -Version (link to Security Policy) -FIPS Certificate # -Algorithms +Cryptographic Module +Version (link to Security Policy) +FIPS Certificate # +Algorithms Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) @@ -251,7 +251,7 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile

                    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #1278)

                    -Kernel Mode Cryptographic Primitives Library (cng.sys) +Kernel Mode Cryptographic Primitives Library (cng.sys) 10.0.15063 #3094

                    #3094

                    @@ -323,10 +323,10 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile -Cryptographic Module -Version (link to Security Policy) -FIPS Certificate # -Algorithms +Cryptographic Module +Version (link to Security Policy) +FIPS Certificate # +Algorithms Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) @@ -338,7 +338,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile

                    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886)

                    -Kernel Mode Cryptographic Primitives Library (cng.sys) +Kernel Mode Cryptographic Primitives Library (cng.sys) 10.0.14393 #2936

                    FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
                    @@ -416,10 +416,10 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub -Cryptographic Module -Version (link to Security Policy) -FIPS Certificate # -Algorithms +Cryptographic Module +Version (link to Security Policy) +FIPS Certificate # +Algorithms Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) @@ -431,7 +431,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub

                    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664)

                    -Kernel Mode Cryptographic Primitives Library (cng.sys) +Kernel Mode Cryptographic Primitives Library (cng.sys) 10.0.10586 #2605

                    FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs.  #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
                    @@ -514,10 +514,10 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface -Cryptographic Module -Version (link to Security Policy) -FIPS Certificate # -Algorithms +Cryptographic Module +Version (link to Security Policy) +FIPS Certificate # +Algorithms Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) @@ -529,7 +529,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface

                    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575)

                    -Kernel Mode Cryptographic Primitives Library (cng.sys) +Kernel Mode Cryptographic Primitives Library (cng.sys) 10.0.10240 #2605

                    FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
                    @@ -612,10 +612,10 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded -Cryptographic Module -Version (link to Security Policy) -FIPS Certificate # -Algorithms +Cryptographic Module +Version (link to Security Policy) +FIPS Certificate # +Algorithms Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) @@ -627,7 +627,7 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded

                    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323)

                    -Kernel Mode Cryptographic Primitives Library (cng.sys) +Kernel Mode Cryptographic Primitives Library (cng.sys) 6.3.9600 6.3.9600.17042 #2356

                    FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
                    @@ -689,10 +689,10 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone - - - - + + + + @@ -705,7 +705,7 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone - + - - - - + + + + @@ -915,10 +915,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -981,10 +981,10 @@ Validated Editions: Ultimate Edition
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)
                    Kernel Mode Cryptographic Primitives Library (cng.sys)Kernel Mode Cryptographic Primitives Library (cng.sys) 6.2.9200 #1891 FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
                    @@ -791,10 +791,10 @@ Validated Editions: Windows 7, Windows 7 SP1
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Boot Manager (bootmgr)
                    - - - - + + + + @@ -1033,10 +1033,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1074,10 +1074,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1108,10 +1108,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1135,10 +1135,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1162,10 +1162,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1199,10 +1199,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1240,10 +1240,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1270,10 +1270,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1297,10 +1297,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1318,10 +1318,10 @@ Validated Editions: Ultimate Edition
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Enhanced Cryptographic Provider (RSAENH)
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Kernel Mode Cryptographic Module (FIPS.SYS)
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    DSS/Diffie-Hellman Enhanced Cryptographic Provider
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Microsoft Enhanced Cryptographic Provider
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Kernel Mode Cryptographic Module
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Kernel Mode Cryptographic Module (FIPS.SYS)
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Kernel Mode Cryptographic Module (FIPS.SYS)
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider
                    - - - - + + + + @@ -1349,10 +1349,10 @@ Validated Editions: Standard, Datacenter - - - - + + + + @@ -1413,10 +1413,10 @@ Validated Editions: Standard, Datacenter - - - - + + + + @@ -1483,10 +1483,10 @@ Validated Editions: Standard, Datacenter, Storage Server - - - - + + + + @@ -1497,7 +1497,7 @@ Validated Editions: Standard, Datacenter, Storage Server Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt) - +
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Base Cryptographic Provider
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Cryptographic Primitives Library
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Cryptographic Primitives Library
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
                    Kernel Mode Cryptographic Primitives Library (cng.sys)Kernel Mode Cryptographic Primitives Library (cng.sys) 10.0.14393 2936 FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
                    @@ -1562,10 +1562,10 @@ Validated Editions: Server, Storage Server, - - - - + + + + @@ -1576,7 +1576,7 @@ Validated Editions: Server, Storage Server, Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt) - +
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
                    Kernel Mode Cryptographic Primitives Library (cng.sys)Kernel Mode Cryptographic Primitives Library (cng.sys) 6.3.9600 6.3.9600.17042 2356 FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
                    @@ -1638,10 +1638,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -1654,7 +1654,7 @@ Validated Editions: Server, Storage Server Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) - +
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)
                    Kernel Mode Cryptographic Primitives Library (cng.sys)Kernel Mode Cryptographic Primitives Library (cng.sys) 6.2.9200 1891 FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
                    @@ -1728,10 +1728,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -1742,7 +1742,7 @@ Validated Editions: Server, Storage Server Other algorithms: MD5 - + - + - + - + - + - +
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Boot Manager (bootmgr)
                    Winload OS Loader (winload.exe)Winload OS Loader (winload.exe) 6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216756.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.21675 1333 FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
                    @@ -1806,10 +1806,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -1820,7 +1820,7 @@ Validated Editions: Server, Storage Server Other algorithms: N/A - + - - - - + + + + @@ -1925,10 +1925,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -1972,10 +1972,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -2021,10 +2021,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -2056,10 +2056,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -2083,10 +2083,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -2113,8 +2113,8 @@ The following tables are organized by cryptographic algorithms with their modes, - - + + - + - - - +

                    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                    - + - + - + - + - + - +

                    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                    - - - - - - - +

                    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                    - - +

                    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                    - - - - + - +

                    GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                    +(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
                    +IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
                    +GMAC_Supported

                    - - + - - - - - + - + - + - + - + - + - + - - + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -3017,8 +3017,8 @@ Deterministic Random Bit Generator (DRBG) - - + + - - - - - - - - - - - @@ -3256,8 +3256,8 @@ Some of the previously validated components for this validation have been remove

                    Windows 7 Ultimate and SP1 CNG algorithms #386

                    - @@ -3265,16 +3265,16 @@ Some of the previously validated components for this validation have been remove

                    Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385

                    - - @@ -3282,8 +3282,8 @@ Some of the previously validated components for this validation have been remove

                    Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281

                    - @@ -3291,61 +3291,61 @@ Some of the previously validated components for this validation have been remove

                    Windows Vista Enhanced DSS (DSSENH) #226

                    - - - - - -

                    Windows NT 4 SP6 DSSBASE.DLL #25

                    - @@ -3375,8 +3375,8 @@ SHS: SHA-1 (BYTE)

                    - - + +

                    Version 10.0.16299

                    - - - - + - + - - - - @@ -3747,79 +3747,79 @@ DRBG: - - - - - - @@ -3836,8 +3836,8 @@ Some of the previously validated components for this validation have been remove - - + + - + - + - + - + - + - + - - + - - - - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -4257,8 +4257,8 @@ SHS - - + + @@ -4790,15 +4790,15 @@ DRBG - +

                    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    +[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                     - - @@ -4858,11 +4858,11 @@ DRBG - @@ -4870,11 +4870,11 @@ DRBG - @@ -4882,11 +4882,11 @@ DRBG - @@ -4894,20 +4894,20 @@ DRBG - - - + - + - + - +
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Boot Manager (bootmgr)
                    Winload OS Loader (winload.exe)Winload OS Loader (winload.exe) 6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225966.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.22596 1005 FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
                    @@ -1884,10 +1884,10 @@ Validated Editions: Server, Storage Server
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Kernel Mode Cryptographic Module (FIPS.SYS)
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Kernel Mode Cryptographic Module (FIPS.SYS)
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Enhanced Cryptographic Provider
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Enhanced Cryptographic Provider
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Outlook Cryptographic Provider (EXCHCSP)
                    Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
                      @@ -2563,137 +2563,137 @@ The following tables are organized by cryptographic algorithms with their modes,

                      Version 10.0.16299

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CFB128 ( e/d; 128 , 192 , 256 );

                    -

                    OFB ( e/d; 128 , 192 , 256 );

                    -

                    CTR ( int only; 128 , 192 , 256 )

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CFB128 ( e/d; 128 , 192 , 256 );

                    +

                    OFB ( e/d; 128 , 192 , 256 );

                    +

                    CTR ( int only; 128 , 192 , 256 )

                    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627

                    Version 10.0.15063

                    KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

                    +

                    KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

                    AES Val#4624

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626

                    Version 10.0.15063

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    +

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    AES Val#4624

                     

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625

                    Version 10.0.15063

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CFB8 ( e/d; 128 , 192 , 256 );

                    -

                    CFB128 ( e/d; 128 , 192 , 256 );

                    -

                    CTR ( int only; 128 , 192 , 256 )

                    -

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                    -

                    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )

                    -

                    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

                    +

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CFB8 ( e/d; 128 , 192 , 256 );

                    +

                    CFB128 ( e/d; 128 , 192 , 256 );

                    +

                    CTR ( int only; 128 , 192 , 256 )

                    +

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                    +

                    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )

                    +

                    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

                    (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

                    IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported

                    GMAC_Supported

                    -

                    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624

                    Version 10.0.15063

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434

                    Version 7.00.2872

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433

                    Version 8.00.6246

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CTR ( int only; 128 , 192 , 256 )

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CTR ( int only; 128 , 192 , 256 )

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431

                    Version 7.00.2872

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CTR ( int only; 128 , 192 , 256 )

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CTR ( int only; 128 , 192 , 256 )

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430

                    Version 8.00.6246

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CFB128 ( e/d; 128 , 192 , 256 );

                    -

                    OFB ( e/d; 128 , 192 , 256 );

                    -

                    CTR ( int only; 128 , 192 , 256 )

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CFB128 ( e/d; 128 , 192 , 256 );

                    +

                    OFB ( e/d; 128 , 192 , 256 );

                    +

                    CTR ( int only; 128 , 192 , 256 )

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074

                    Version 10.0.14393

                    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

                    -

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                    -

                    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                    -

                    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                    +

                    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

                    +

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                    +

                    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                    +

                    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                    (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
                    -IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
                    +IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
                    GMAC_Supported

                    -

                    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064

                    Version 10.0.14393

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CFB8 ( e/d; 128 , 192 , 256 );

                    +

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CFB8 ( e/d; 128 , 192 , 256 );

                     

                    		 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
                    Version 10.0.14393

                    KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )

                    +

                    KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )

                    AES Val#4064

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062

                    Version 10.0.14393

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    +

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    AES Val#4064

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061

                    Version 10.0.14393

                    KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

                    +

                    KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

                    AES Val#3629

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652

                    Version 10.0.10586

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    +

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    AES Val#3629

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653

                    Version 10.0.10586

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CFB8 ( e/d; 128 , 192 , 256 );

                    +

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CFB8 ( e/d; 128 , 192 , 256 );

                     

                    		 Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
                    Version 10.0.10586

                    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

                    -

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                    -

                    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                    -

                    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                    +

                    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

                    +

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                    +

                    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                    +

                    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                    (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
                    -IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
                    +IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
                    GMAC_Supported

                    -

                    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629

                    @@ -2706,141 +2706,141 @@ GMAC_Supported

                    Version 10.0.10240

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    +

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    AES Val#3497

                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498

                    Version 10.0.10240

                    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

                    -

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                    -

                    CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                    -

                    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                    +

                    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

                    +

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                    +

                    CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                    +

                    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                    (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
                    -IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
                    +IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
                    GMAC_Supported

                    -

                    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                    		 Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
                    Version 10.0.10240

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CFB8 ( e/d; 128 , 192 , 256 );

                    +

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CFB8 ( e/d; 128 , 192 , 256 );

                     

                    		 Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
                    Version 10.0.10240

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CFB8 ( e/d; 128 , 192 , 256 );

                    +

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CFB8 ( e/d; 128 , 192 , 256 );

                     

                    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853

                    Version 6.3.9600

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    +

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    AES Val#2832

                    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848

                    Version 6.3.9600

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                    -

                    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                    -

                    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

                    -

                    (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

                    -

                    IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 8 , 1024 ) ; 96BitIV_Supported ;
                    -OtherIVLen_Supported
                    -GMAC_Supported

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                    +

                    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                    +

                    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

                    +

                    (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

                    +

                    IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 8 , 1024 ) ; 96BitIV_Supported ;
                    +OtherIVLen_Supported
                    +GMAC_Supported

                    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832

                    Version 6.3.9600

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
                    +

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
                    AES Val#2197

                    -

                    CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
                    +

                    CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
                    AES Val#2197

                    -

                    GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                    -(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
                    -IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
                    -GMAC_Supported

                    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    +

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    AES Val#2196

                    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CFB8 ( e/d; 128 , 192 , 256 );

                    -

                    CFB128 ( e/d; 128 , 192 , 256 );

                    -

                    CTR ( int only; 128 , 192 , 256 )

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CFB8 ( e/d; 128 , 192 , 256 );

                    +

                    CFB128 ( e/d; 128 , 192 , 256 );

                    +

                    CTR ( int only; 128 , 192 , 256 )

                    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CFB8 ( e/d; 128 , 192 , 256 );

                    +

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CFB8 ( e/d; 128 , 192 , 256 );

                     

                    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196
                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
                    +                    		CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
                    AES Val#1168

                    Windows Server 2008 R2 and SP1 CNG algorithms #1187

                    Windows 7 Ultimate and SP1 CNG algorithms #1178
                    CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
                    +                    		CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
                    AES Val#1168                    		 Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CFB8 ( e/d; 128 , 192 , 256 );

                    +

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CFB8 ( e/d; 128 , 192 , 256 );

                     

                    		 Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168

                    GCM

                    -

                    GMAC

                    GCM

                    +

                    GMAC

                    		 Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 , vendor-affirmed
                    CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760
                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                    Windows Server 2008 CNG algorithms #757

                    Windows Vista Ultimate SP1 CNG algorithms #756

                    CBC ( e/d; 128 , 256 );

                    -

                    CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )

                    CBC ( e/d; 128 , 256 );

                    +

                    CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )

                    Windows Vista Ultimate BitLocker Drive Encryption #715

                    Windows Vista Ultimate BitLocker Drive Encryption #424

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CFB8 ( e/d; 128 , 192 , 256 );

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CFB8 ( e/d; 128 , 192 , 256 );

                    Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739

                    Windows Vista Symmetric Algorithm Implementation #553

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CTR ( int only; 128 , 192 , 256 )

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CTR ( int only; 128 , 192 , 256 )

                    		 Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024

                    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818

                    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781

                    @@ -2865,8 +2865,8 @@ Deterministic Random Bit Generator (DRBG)
                    Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
                      @@ -2934,74 +2934,74 @@ Deterministic Random Bit Generator (DRBG)

                      Version 10.0.16299
                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ]

                    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556

                    Version 10.0.15063
                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ]

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555

                    Version 10.0.15063
                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ]

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433

                    Version 7.00.2872
                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ]

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432

                    Version 8.00.6246
                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ]

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430

                    Version 7.00.2872
                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ]

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429

                    Version 8.00.6246
                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ]

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222

                    Version 10.0.14393
                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ]

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217

                    Version 10.0.14393
                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ]

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955

                    Version 10.0.10586
                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ]

                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868

                    Version 10.0.10240
                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ]

                    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489

                    Version 6.3.9600
                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ] Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258
                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ] Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193
                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ] Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23
                    DRBG (SP 800–90)DRBG (SP 800–90) Windows Vista Ultimate SP1, vendor-affirmed
                    Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
                      @@ -3137,118 +3137,118 @@ Deterministic Random Bit Generator (DRBG)

                      Version 10.0.16299

                    FIPS186-4:

                    -

                    PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]

                    -

                    PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    -

                    KeyPairGen:   [ (2048,256) ; (3072,256) ]

                    -

                    SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]

                    -

                    SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    +

                    FIPS186-4:

                    +

                    PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]

                    +

                    PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    +

                    KeyPairGen:   [ (2048,256) ; (3072,256) ]

                    +

                    SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]

                    +

                    SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    SHS: Val#3790

                    DRBG: Val# 1555

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223

                    Version 10.0.15063
                    FIPS186-4:
                    -PQG(ver)PARMS TESTED:                       [ (1024,160) SHA( 1 ); ]
                    -SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
                    +                    		FIPS186-4:
                    +PQG(ver)PARMS TESTED:                       [ (1024,160) SHA( 1 ); ]
                    +SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
                    SHS: Val# 3649

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188

                    Version 7.00.2872
                    FIPS186-4:
                    -PQG(ver)PARMS TESTED:                       [ (1024,160) SHA( 1 ); ]
                    -SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
                    +                    		FIPS186-4:
                    +PQG(ver)PARMS TESTED:                       [ (1024,160) SHA( 1 ); ]
                    +SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
                    SHS: Val#3648

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187

                    Version 8.00.6246

                    FIPS186-4:
                    -PQG(gen)                    PARMS TESTED: [
                    +

                    FIPS186-4:
                    +PQG(gen)                    PARMS TESTED: [
                    (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
                    -PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                    +PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                    KeyPairGen:    [ (2048,256) ; (3072,256) ]
                    -SIG(gen)PARMS TESTED:   [ (2048,256)
                    +SIG(gen)PARMS TESTED:   [ (2048,256)
                    SHA( 256 ); (3072,256) SHA( 256 ); ]
                    -SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    +SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    SHS: Val# 3347
                    DRBG: Val# 1217

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098

                    Version 10.0.14393

                    FIPS186-4:
                    -PQG(gen)                    PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
                    -KeyPairGen:    [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
                    -SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    +

                    FIPS186-4:
                    +PQG(gen)                    PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
                    +KeyPairGen:    [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
                    +SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    SHS: Val# 3047
                    DRBG: Val# 955

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024

                    Version 10.0.10586

                    FIPS186-4:
                    -PQG(gen)                    PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
                    -PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                    +

                    FIPS186-4:
                    +PQG(gen)                    PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
                    +PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                    KeyPairGen:    [ (2048,256) ; (3072,256) ]
                    -SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    +SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    SHS: Val# 2886
                    DRBG: Val# 868

                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983

                    Version 10.0.10240

                    FIPS186-4:
                    -PQG(gen)                    PARMS TESTED:   [
                    +

                    FIPS186-4:
                    +PQG(gen)                    PARMS TESTED:   [
                    (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
                    -PQG(ver)PARMS TESTED:   [ (2048,256)
                    +PQG(ver)PARMS TESTED:   [ (2048,256)
                    SHA( 256 ); (3072,256) SHA( 256 ) ]
                    KeyPairGen:    [ (2048,256) ; (3072,256) ]
                    -SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
                    -SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    +SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
                    +SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    SHS: Val# 2373
                    DRBG: Val# 489

                    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855

                    Version 6.3.9600

                    FIPS186-2:
                    -PQG(ver) MOD(1024);
                    -SIG(ver) MOD(1024);
                    +

                    FIPS186-2:
                    +PQG(ver) MOD(1024);
                    +SIG(ver) MOD(1024);
                    SHS: #1903
                    DRBG: #258

                    -

                    FIPS186-4:
                    -PQG(gen)PARMS TESTED                    : [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
                    -PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                    -SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
                    -SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                    +

                    FIPS186-4:
                    +PQG(gen)PARMS TESTED                    : [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
                    +PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                    +SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
                    +SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                    SHS: #1903
                    DRBG: #258
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687.

                    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687
                    FIPS186-2:
                    -PQG(ver)                     MOD(1024);
                    -SIG(ver) MOD(1024);
                    +                    		FIPS186-2:
                    +PQG(ver)                     MOD(1024);
                    +SIG(ver) MOD(1024);
                    SHS: #1902
                    DRBG: #258
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686.                    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686
                    FIPS186-2:
                    -SIG(ver)                     MOD(1024);
                    +                    		FIPS186-2:
                    +SIG(ver)                     MOD(1024);
                    SHS: Val# 1773
                    DRBG: Val# 193
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645.                    		 Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645
                    FIPS186-2:
                    -SIG(ver)                     MOD(1024);
                    +                    		FIPS186-2:
                    +SIG(ver)                     MOD(1024);
                    SHS: Val# 1081
                    DRBG: Val# 23
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386.
                    FIPS186-2:
                    -SIG(ver)                     MOD(1024);
                    +                    		FIPS186-2:
                    +SIG(ver)                     MOD(1024);
                    SHS: Val# 1081
                    RNG: Val# 649
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385.
                    FIPS186-2:
                    -SIG(ver)                     MOD(1024);
                    +                    		FIPS186-2:
                    +SIG(ver)                     MOD(1024);
                    SHS: Val# 753
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283.

                    Windows Server 2008 CNG algorithms #284

                    Windows Vista Ultimate SP1 CNG algorithms #283
                    FIPS186-2:
                    -SIG(ver)                     MOD(1024);
                    +                    		FIPS186-2:
                    +SIG(ver)                     MOD(1024);
                    SHS: Val# 753
                    RNG: Val# 435
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281.
                    FIPS186-2:
                    -SIG(ver)                     MOD(1024);
                    +                    		FIPS186-2:
                    +SIG(ver)                     MOD(1024);
                    SHS: Val# 618
                    RNG: Val# 321
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226.
                    FIPS186-2:
                    -SIG(ver)                     MOD(1024);
                    +                    		FIPS186-2:
                    +SIG(ver)                     MOD(1024);
                    SHS: Val# 784
                    RNG: Val# 448
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292.                    		 Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292
                    FIPS186-2:
                    -SIG(ver)                     MOD(1024);
                    +                    		FIPS186-2:
                    +SIG(ver)                     MOD(1024);
                    SHS: Val# 783
                    RNG: Val# 447
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291.                    		 Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291
                    FIPS186-2:
                    -PQG(gen)                     MOD(1024);
                    -PQG(ver) MOD(1024);
                    -KEYGEN(Y) MOD(1024);
                    -SIG(gen) MOD(1024);
                    -SIG(ver) MOD(1024);
                    +                    		FIPS186-2:
                    +PQG(gen)                     MOD(1024);
                    +PQG(ver) MOD(1024);
                    +KEYGEN(Y) MOD(1024);
                    +SIG(gen) MOD(1024);
                    +SIG(ver) MOD(1024);
                    SHS: Val# 611
                    RNG: Val# 314                    		 Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221
                    FIPS186-2:
                    -PQG(gen)                     MOD(1024);
                    -PQG(ver) MOD(1024);
                    -KEYGEN(Y) MOD(1024);
                    -SIG(gen) MOD(1024);
                    -SIG(ver) MOD(1024);
                    +                    		FIPS186-2:
                    +PQG(gen)                     MOD(1024);
                    +PQG(ver) MOD(1024);
                    +KEYGEN(Y) MOD(1024);
                    +SIG(gen) MOD(1024);
                    +SIG(ver) MOD(1024);
                    SHS: Val# 385                    		 Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146
                    FIPS186-2:
                    -PQG(ver)                     MOD(1024);
                    -KEYGEN(Y) MOD(1024);
                    -SIG(gen) MOD(1024);
                    -SIG(ver) MOD(1024);
                    +                    		FIPS186-2:
                    +PQG(ver)                     MOD(1024);
                    +KEYGEN(Y) MOD(1024);
                    +SIG(gen) MOD(1024);
                    +SIG(ver) MOD(1024);
                    SHS: Val# 181

                    		 Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95
                    FIPS186-2:
                    -PQG(gen)                     MOD(1024);
                    -PQG(ver) MOD(1024);
                    -KEYGEN(Y) MOD(1024);
                    -SIG(gen) MOD(1024);
                    +                    		FIPS186-2:
                    +PQG(gen)                     MOD(1024);
                    +PQG(ver) MOD(1024);
                    +KEYGEN(Y) MOD(1024);
                    +SIG(gen) MOD(1024);
                    SHS: SHA-1 (BYTE)
                    -SIG(ver) MOD(1024);
                    +SIG(ver) MOD(1024);
                    SHS: SHA-1 (BYTE)

                    Windows 2000 DSSENH.DLL #29

                    Windows 2000 DSSBASE.DLL #28

                    @@ -3353,12 +3353,12 @@ SHS: SHA-1 (BYTE)

                    FIPS186-2: PRIME;
                    -FIPS186-2:

                    -

                    KEYGEN(Y):
                    +

                    FIPS186-2: PRIME;
                    +FIPS186-2:

                    +

                    KEYGEN(Y):
                    SHS: SHA-1 (BYTE)

                    -

                    SIG(gen):
                    -SIG(ver)                     MOD(1024);
                    +

                    SIG(gen):
                    +SIG(ver)                     MOD(1024);
                    SHS: SHA-1 (BYTE)

                    		 Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17
                    Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
                      @@ -3653,93 +3653,93 @@ SHS: SHA-1 (BYTE)
                    FIPS186-4:
                    -PKG: CURVES                    ( P-256 P-384 TestingCandidates )
                    +                    		FIPS186-4:
                    +PKG: CURVES                    ( P-256 P-384 TestingCandidates )
                    SHS: Val#3790
                    DRBG: Val# 1555

                    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136

                    Version 10.0.15063
                    FIPS186-4:
                    -PKG: CURVES                    ( P-256 P-384 P-521 ExtraRandomBits )
                    -PKV: CURVES( P-256 P-384 P-521 )
                    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                    +                    		FIPS186-4:
                    +PKG: CURVES                    ( P-256 P-384 P-521 ExtraRandomBits )
                    +PKV: CURVES( P-256 P-384 P-521 )
                    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                    SHS: Val#3790
                    DRBG: Val# 1555

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135

                    Version 10.0.15063
                    FIPS186-4:
                    -PKG: CURVES                    ( P-256 P-384 P-521 ExtraRandomBits )
                    -PKV: CURVES( P-256 P-384 P-521 )
                    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                    +                    		FIPS186-4:
                    +PKG: CURVES                    ( P-256 P-384 P-521 ExtraRandomBits )
                    +PKV: CURVES( P-256 P-384 P-521 )
                    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                    SHS: Val#3790
                    DRBG: Val# 1555

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133

                    Version 10.0.15063
                    FIPS186-4:
                    -PKG: CURVES                    ( P-256 P-384 P-521 ExtraRandomBits )
                    -PKV: CURVES( P-256 P-384 P-521 )
                    -SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
                    -SHS:Val# 3649
                    -DRBG:Val# 1430                    		FIPS186-4:
                    +PKG: CURVES                    ( P-256 P-384 P-521 ExtraRandomBits )
                    +PKV: CURVES( P-256 P-384 P-521 )
                    +SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
                    +SHS:Val# 3649
                    +DRBG:Val# 1430

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073

                    Version 7.00.2872
                    FIPS186-4:
                    -PKG: CURVES                    ( P-256 P-384 P-521 ExtraRandomBits )
                    -PKV: CURVES( P-256 P-384 P-521 )
                    -SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
                    -SHS:Val#3648
                    -DRBG:Val# 1429                    		FIPS186-4:
                    +PKG: CURVES                    ( P-256 P-384 P-521 ExtraRandomBits )
                    +PKV: CURVES( P-256 P-384 P-521 )
                    +SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
                    +SHS:Val#3648
                    +DRBG:Val# 1429

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072

                    Version 8.00.6246

                    FIPS186-4:
                    -PKG: CURVES                    ( P-256 P-384 TestingCandidates )
                    -PKV: CURVES( P-256 P-384 )
                    -SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )

                    +

                    FIPS186-4:
                    +PKG: CURVES                    ( P-256 P-384 TestingCandidates )
                    +PKV: CURVES( P-256 P-384 )
                    +SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )

                    SHS: Val# 3347
                    DRBG: Val# 1222

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920

                    Version 10.0.14393

                    FIPS186-4:
                    -PKG: CURVES                    ( P-256 P-384 P-521 ExtraRandomBits )
                    -PKV: CURVES( P-256 P-384 P-521 )
                    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

                    +

                    FIPS186-4:
                    +PKG: CURVES                    ( P-256 P-384 P-521 ExtraRandomBits )
                    +PKV: CURVES( P-256 P-384 P-521 )
                    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

                    SHS: Val# 3347
                    DRBG: Val# 1217

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911

                    Version 10.0.14393

                    FIPS186-4:
                    -PKG: CURVES                    ( P-256 P-384 P-521 ExtraRandomBits )
                    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

                    +

                    FIPS186-4:
                    +PKG: CURVES                    ( P-256 P-384 P-521 ExtraRandomBits )
                    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

                    SHS: Val# 3047
                    DRBG: Val# 955

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760

                    Version 10.0.10586

                    FIPS186-4:
                    -PKG: CURVES                    ( P-256 P-384 P-521 ExtraRandomBits )
                    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    +

                    FIPS186-4:
                    +PKG: CURVES                    ( P-256 P-384 P-521 ExtraRandomBits )
                    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

                    SHS: Val# 2886
                    DRBG: Val# 868

                    FIPS186-4:
                    -PKG: CURVES                    ( P-256 P-384 P-521 ExtraRandomBits )
                    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

                    +

                    FIPS186-4:
                    +PKG: CURVES                    ( P-256 P-384 P-521 ExtraRandomBits )
                    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

                    SHS: Val#2373
                    DRBG: Val# 489

                    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505

                    Version 6.3.9600

                    FIPS186-2:
                    -PKG: CURVES                    ( P-256 P-384 P-521 )
                    -SHS: #1903
                    -DRBG: #258
                    -SIG(ver):CURVES( P-256 P-384 P-521 )
                    -SHS: #1903
                    -DRBG: #258

                    -

                    FIPS186-4:
                    -PKG: CURVES                    ( P-256 P-384 P-521 ExtraRandomBits )
                    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                    -SHS: #1903
                    -DRBG: #258
                    +

                    FIPS186-2:
                    +PKG: CURVES                    ( P-256 P-384 P-521 )
                    +SHS: #1903
                    +DRBG: #258
                    +SIG(ver):CURVES( P-256 P-384 P-521 )
                    +SHS: #1903
                    +DRBG: #258

                    +

                    FIPS186-4:
                    +PKG: CURVES                    ( P-256 P-384 P-521 ExtraRandomBits )
                    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                    +SHS: #1903
                    +DRBG: #258
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341.

                    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341

                    FIPS186-2:
                    -PKG: CURVES                    ( P-256 P-384 P-521 )
                    -SHS: Val#1773
                    -DRBG: Val# 193
                    -SIG(ver): CURVES( P-256 P-384 P-521 )
                    -SHS: Val#1773
                    -DRBG: Val# 193

                    -

                    FIPS186-4:
                    -PKG: CURVES                    ( P-256 P-384 P-521 ExtraRandomBits )
                    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                    -SHS: Val#1773
                    -DRBG: Val# 193
                    +

                    FIPS186-2:
                    +PKG: CURVES                    ( P-256 P-384 P-521 )
                    +SHS: Val#1773
                    +DRBG: Val# 193
                    +SIG(ver): CURVES( P-256 P-384 P-521 )
                    +SHS: Val#1773
                    +DRBG: Val# 193

                    +

                    FIPS186-4:
                    +PKG: CURVES                    ( P-256 P-384 P-521 ExtraRandomBits )
                    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                    +SHS: Val#1773
                    +DRBG: Val# 193
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295.

                    		 Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295
                    FIPS186-2:
                    -PKG: CURVES                    ( P-256 P-384 P-521 )
                    -SHS: Val#1081
                    -DRBG: Val# 23
                    -SIG(ver): CURVES( P-256 P-384 P-521 )
                    -SHS: Val#1081
                    -DRBG: Val# 23
                    +                    		FIPS186-2:
                    +PKG: CURVES                    ( P-256 P-384 P-521 )
                    +SHS: Val#1081
                    +DRBG: Val# 23
                    +SIG(ver): CURVES( P-256 P-384 P-521 )
                    +SHS: Val#1081
                    +DRBG: Val# 23
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141.

                    Windows Server 2008 R2 and SP1 CNG algorithms #142

                    Windows 7 Ultimate and SP1 CNG algorithms #141
                    FIPS186-2:
                    -PKG: CURVES                    ( P-256 P-384 P-521 )
                    -SHS: Val#753
                    -SIG(ver): CURVES( P-256 P-384 P-521 )
                    -SHS: Val#753
                    +                    		FIPS186-2:
                    +PKG: CURVES                    ( P-256 P-384 P-521 )
                    +SHS: Val#753
                    +SIG(ver): CURVES( P-256 P-384 P-521 )
                    +SHS: Val#753
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82.

                    Windows Server 2008 CNG algorithms #83

                    Windows Vista Ultimate SP1 CNG algorithms #82
                    FIPS186-2:
                    -PKG: CURVES                    ( P-256 P-384 P-521 )
                    -SHS: Val#618
                    -RNG: Val# 321
                    -SIG(ver): CURVES( P-256 P-384 P-521 )
                    -SHS: Val#618
                    -RNG: Val# 321
                    +                    		FIPS186-2:
                    +PKG: CURVES                    ( P-256 P-384 P-521 )
                    +SHS: Val#618
                    +RNG: Val# 321
                    +SIG(ver): CURVES( P-256 P-384 P-521 )
                    +SHS: Val#618
                    +RNG: Val# 321
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60.                    		 Windows Vista CNG algorithms #60
                    Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
                      @@ -3983,265 +3983,265 @@ Some of the previously validated components for this validation have been remove

                      Version 10.0.16299

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062

                    Version 10.0.15063

                    HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                    HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061

                    Version 10.0.15063

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946

                    Version 7.00.2872

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945

                    Version 8.00.6246

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943

                    Version 7.00.2872

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942

                    Version 8.00.6246

                    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                    +

                    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                    SHS Val# 3347

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                    +

                    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                    SHS Val# 3347

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                    +

                    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                    SHS Val# 3347

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661

                    Version 10.0.14393

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651

                    Version 10.0.14393

                    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                    +

                    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                    SHS Val# 3047

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                    +

                    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                    SHS Val# 3047

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                    +

                    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                    SHS Val# 3047

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
                    +

                    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
                    SHS Val# 3047

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381

                    Version 10.0.10586

                    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                    +

                    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                    SHSVal# 2886

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                    +

                    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                    SHSVal# 2886

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                    +

                    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                     SHSVal# 2886

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
                    +

                    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
                    SHSVal# 2886

                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233

                    Version 10.0.10240

                    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                    +

                    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                    SHS Val#2373

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                    +

                    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                    SHS Val#2373

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                    +

                    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                    SHS Val#2373

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
                    +

                    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
                    SHS Val#2373

                    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773

                    Version 6.3.9600

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

                    Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122

                    Version 5.2.29344

                    HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KS#1902

                    HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KS#1902

                    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902

                    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )

                    -

                    SHS#1903

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS )

                    -

                    SHS#1903

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS )

                    -

                    SHS#1903

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS )

                    -

                    SHS#1903

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )

                    +

                    SHS#1903

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS )

                    +

                    SHS#1903

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS )

                    +

                    SHS#1903

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS )

                    +

                    SHS#1903

                    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

                    -

                    Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

                    +

                    Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

                    		 Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

                    		 Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

                    Windows Server 2008 R2 and SP1 CNG algorithms #686

                    Windows 7 and SP1 CNG algorithms #677

                    Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687

                    Windows 7 Enhanced Cryptographic Provider (RSAENH) #673

                    HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081

                    HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081

                    		 Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816

                    		 Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753

                    		 Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753

                    Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408

                    Windows Vista Enhanced Cryptographic Provider (RSAENH) #407

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    		 Windows Vista Enhanced Cryptographic Provider (RSAENH) #297
                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785

                    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429

                    Windows XP, vendor-affirmed

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783

                    		 Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613

                    		 Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289
                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610 Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                    Windows Server 2008 CNG algorithms #413

                    Windows Vista Ultimate SP1 CNG algorithms #412

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737

                    		 Windows Vista Ultimate BitLocker Drive Encryption #386

                    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    		 Windows Vista CNG algorithms #298

                    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589

                    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589

                    		 Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267

                    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578

                    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578

                    		 Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495

                    		 Windows Vista BitLocker Drive Encryption #199
                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364

                    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99

                    Windows XP, vendor-affirmed

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305

                    		 Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31
                    Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
                      @@ -4782,7 +4782,7 @@ SHS -

                    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ]

                    +

                    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ]

                    SHS Val#3790
                    DSA Val#1135
                    DRBG Val#1556

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                    -( FB: SHA256 ) ( FC: SHA256 ) ]
                    -[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                    +

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                    +( FB: SHA256 ) ( FC: SHA256 ) ]
                    +[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                    SHS Val#3790
                    DSA Val#1223
                    DRBG Val#1555

                    -

                    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    -[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    +

                    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    +[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                    SHS Val#3790
                    ECDSA Val#1133
                    @@ -4807,29 +4807,29 @@ DRBG -

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                    -( FB: SHA256 ) ( FC: SHA256 ) ]
                    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                    +

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                    +( FB: SHA256 ) ( FC: SHA256 ) ]
                    +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                    SHS Val# 3649
                    DSA Val#1188
                    DRBG Val#1430

                    -

                    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    -[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115

                    Version 7.00.2872

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                    -( FB: SHA256 ) ( FC: SHA256 ) ]
                    -[ dhHybridOneFlow ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                    -[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                    +

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                    +( FB: SHA256 ) ( FC: SHA256 ) ]
                    +[ dhHybridOneFlow ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                    +[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                    SHS Val#3648
                    DSA Val#1187
                    DRBG Val#1429

                    -

                    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    -[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    +

                    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    +[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                    SHS Val#3648
                    ECDSA Val#1072
                    @@ -4838,19 +4838,19 @@ DRBG -

                    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration )
                    -SCHEMES  [ FullUnified  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; &lt; KDF: CONCAT &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ]

                    +

                    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration )
                    +SCHEMES  [ FullUnified  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; &lt; KDF: CONCAT &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ]

                    SHS Val# 3347 ECDSA Val#920 DRBG Val#1222

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93

                    Version 10.0.14393

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation )
                    -SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                    -( FB: SHA256 ) ( FC: SHA256 ) ]
                    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

                    +

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation )
                    +SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                    +( FB: SHA256 ) ( FC: SHA256 ) ]
                    +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

                    SHS Val# 3347 DSA Val#1098 DRBG Val#1217

                    -

                    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    +

                    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    [ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    [ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                    SHS Val# 3347 DSA Val#1098 ECDSA Val#911 DRBG Val#1217 HMAC Val#2651

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                    +

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                    ( FB: SHA256 ) ( FC: SHA256 ) ]
                    [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

                    SHS Val# 3047 DSA Val#1024 DRBG Val#955

                    -

                    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    +

                    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    [ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    [ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                    SHS Val# 3047 ECDSA Val#760 DRBG Val#955

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                    +

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                    ( FB: SHA256 ) ( FC: SHA256 ) ]
                    [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

                    SHS Val# 2886 DSA Val#983 DRBG Val#868

                    -

                    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    +

                    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    [ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    [ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                    SHS Val# 2886 ECDSA Val#706 DRBG Val#868

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                    +

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                    ( FB: SHA256 ) ( FC: SHA256 ) ]
                    [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

                    SHS Val#2373 DSA Val#855 DRBG Val#489

                    -

                    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    +

                    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    [ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    [ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                    SHS Val#2373 ECDSA Val#505 DRBG Val#489

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                    -( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
                    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
                    -[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
                    +

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                    +( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
                    +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
                    +[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
                    SHS #1903 DSA Val#687 DRBG #258

                    -

                    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    -[ OnePassDH( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
                    -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
                    +

                    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    +[ OnePassDH( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
                    +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]

                    SHS #1903 ECDSA Val#341 DRBG #258

                    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36

                    KAS (SP 800–56A)

                    +

                    KAS (SP 800–56A)

                    key agreement

                    key establishment methodology provides 80 to 256 bits of encryption strength

                    Windows 7 and SP1, vendor-affirmed

                    @@ -4922,8 +4922,8 @@ SP 800-108 Key-Based Key Derivation Functions (KBKDF) - - + + - - - - - - @@ -5087,34 +5087,34 @@ Random Number Generator (RNG) - - + + - + - + - + - + - + @@ -5140,8 +5140,8 @@ Random Number Generator (RNG) - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - @@ -6143,8 +6143,8 @@ Some of the previously validated components for this validation have been remove - - + + - + - + - + - + - + - + - + - + - + - + - + - + - + - - + - + - + - + - + - + - + - +

                    Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #176

                    - + - + - - + +

                    Version 10.0.16299

                    - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +
                    Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
                      @@ -5021,7 +5021,7 @@ SP 800-108 Key-Based Key Derivation Functions (KBKDF)

                      Version 10.0.16299
                    CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
                    +                    		CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    KAS Val#128
                    DRBG Val#1556
                    @@ -5030,7 +5030,7 @@ MAC -                    		CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
                    +                    		CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    KAS Val#127
                    AES Val#4624
                    @@ -5040,37 +5040,37 @@ MAC -

                    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    +

                    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    KAS Val#93 DRBG Val#1222 MAC Val#2661

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102

                    Version 10.0.14393

                    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    +

                    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    KAS Val#92 AES Val#4064 DRBG Val#1217 MAC Val#2651

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101

                    Version 10.0.14393

                    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    +

                    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    KAS Val#72 AES Val#3629 DRBG Val#955 MAC Val#2381

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72

                    Version 10.0.10586

                    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    +

                    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    KAS Val#64 AES Val#3497 RBG Val#868 MAC Val#2233

                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66

                    Version 10.0.10240

                    CTR_Mode:  ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    +

                    CTR_Mode:  ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    DRBG Val#489 MAC Val#1773

                    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30

                    Version 6.3.9600

                    CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    +

                    CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    DRBG #258 HMAC Val#1345

                    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3
                    Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #

                    FIPS 186-2 General Purpose

                    -

                    [ (x-Original); (SHA-1) ]

                    FIPS 186-2 General Purpose

                    +

                    [ (x-Original); (SHA-1) ]

                    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110
                    FIPS 186-2
                    -[ (x-Original); (SHA-1) ]                    		FIPS 186-2
                    +[ (x-Original); (SHA-1) ]

                    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060

                    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292

                    Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286

                    Windows CE 5.00 and Window CE 5.01 Enhanced Cryptographic Provider (RSAENH) #66

                    FIPS 186-2
                    -[ (x-Change Notice); (SHA-1) ]

                    -

                    FIPS 186-2 General Purpose
                    -[ (x-Change Notice); (SHA-1) ]

                    FIPS 186-2
                    +[ (x-Change Notice); (SHA-1) ]

                    +

                    FIPS 186-2 General Purpose
                    +[ (x-Change Notice); (SHA-1) ]

                    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649

                    Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435

                    Windows Vista RNG implementation #321
                    FIPS 186-2 General Purpose
                    -[ (x-Change Notice); (SHA-1) ]                    		FIPS 186-2 General Purpose
                    +[ (x-Change Notice); (SHA-1) ]

                    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470

                    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449

                    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447

                    @@ -5122,8 +5122,8 @@ Random Number Generator (RNG)

                    Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313
                    FIPS 186-2
                    -[ (x-Change Notice); (SHA-1) ]                    		FIPS 186-2
                    +[ (x-Change Notice); (SHA-1) ]

                    Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448

                    Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314
                    Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #

                    RSA:

                    @@ -5711,419 +5711,419 @@ Random Number Generator (RNG)

                    Version 10.0.16299
                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5]                     SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -                     SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
                    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -                     Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
                    +                    		FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5]                     SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +                     SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
                    +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +                     Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
                    SHA Val#3790

                    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524

                    Version 10.0.15063
                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5]                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    +                    		FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5]                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    SHA Val#3790

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523

                    Version 10.0.15063
                    FIPS186-4:
                    -186-4KEY(gen):                     FIPS186-4_Fixed_e ( 10001 ) ;
                    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
                    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -                     Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                    +                    		FIPS186-4:
                    +186-4KEY(gen):                     FIPS186-4_Fixed_e ( 10001 ) ;
                    +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
                    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +                     Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                    SHA Val#3790
                    DRBG: Val# 1555

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522

                    Version 10.0.15063
                    FIPS186-4:
                    +                    		FIPS186-4:
                    186-4KEY(gen):
                    -PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
                    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -                     Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                    +PGM(ProbRandom:                     ( 2048 , 3072 ) PPTT:( C.2 )
                    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +                     Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                    SHA Val#3790

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521

                    Version 10.0.15063

                    FIPS186-2:
                    -ALG[ANSIX9.31]:
                    +

                    FIPS186-2:
                    +ALG[ANSIX9.31]:
                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
                    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652

                    -

                    FIPS186-4:
                    -ALG[ANSIX9.31]                     Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
                    -SIG(gen) with SHA-1 affirmed for use with protocols only.                     Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
                    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    +

                    FIPS186-4:
                    +ALG[ANSIX9.31]                     Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
                    +SIG(gen) with SHA-1 affirmed for use with protocols only.                     Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
                    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    SHA Val#3652

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415

                    Version 7.00.2872

                    FIPS186-2:
                    -ALG[ANSIX9.31]:
                    +

                    FIPS186-2:
                    +ALG[ANSIX9.31]:
                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
                    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651

                    -

                    FIPS186-4:
                    -ALG[ANSIX9.31]                     Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
                    -SIG(gen) with SHA-1 affirmed for use with protocols only.                     Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
                    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    +

                    FIPS186-4:
                    +ALG[ANSIX9.31]                     Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
                    +SIG(gen) with SHA-1 affirmed for use with protocols only.                     Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
                    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    SHA Val#3651

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414

                    Version 8.00.6246

                    FIPS186-2:
                    -ALG[RSASSA-PKCS1_V1_5]:                     SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
                    +

                    FIPS186-2:
                    +ALG[RSASSA-PKCS1_V1_5]:                     SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val# 3649 , SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649

                    -

                    FIPS186-4:
                    -186-4KEY(gen):                     FIPS186-4_Fixed_e (10001) ;
                    -PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
                    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    +

                    FIPS186-4:
                    +186-4KEY(gen):                     FIPS186-4_Fixed_e (10001) ;
                    +PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
                    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    SHA Val# 3649
                    DRBG: Val# 1430

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412

                    Version 7.00.2872

                    FIPS186-2:
                    -ALG[RSASSA-PKCS1_V1_5]:                     SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
                    +

                    FIPS186-2:
                    +ALG[RSASSA-PKCS1_V1_5]:                     SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648

                    -

                    FIPS186-4:
                    -186-4KEY(gen):                     FIPS186-4_Fixed_e (10001) ;
                    -PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
                    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    +

                    FIPS186-4:
                    +186-4KEY(gen):                     FIPS186-4_Fixed_e (10001) ;
                    +PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
                    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    SHA Val#3648
                    DRBG: Val# 1429

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411

                    Version 8.00.6246

                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5]                     SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +

                    FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5]                     SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
                    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))

                    SHA Val# 3347

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206

                    Version 10.0.14393

                    FIPS186-4:
                    -186-4KEY(gen):                     FIPS186-4_Fixed_e ( 10001 ) ;
                    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

                    +

                    FIPS186-4:
                    +186-4KEY(gen):                     FIPS186-4_Fixed_e ( 10001 ) ;
                    +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

                    SHA Val# 3347 DRBG: Val# 1217

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195

                    Version 10.0.14393

                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5]                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    +

                    FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5]                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    SHA Val#3346

                    soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194

                    Version 10.0.14393

                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5]                     SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                    -SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    +

                    FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5]                     SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                    +SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    SHA Val# 3347 DRBG: Val# 1217

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193

                    Version 10.0.14393

                    FIPS186-4:
                    -[RSASSA-PSS]: Sig(Gen):                     (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                    -

                    Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                    +

                    FIPS186-4:
                    +[RSASSA-PSS]: Sig(Gen):                     (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                    +

                    Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                    SHA Val# 3347 DRBG: Val# 1217

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192

                    Version 10.0.14393

                    FIPS186-4:
                    -186-4KEY(gen)                    :  FIPS186-4_Fixed_e ( 10001 ) ;
                    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

                    +

                    FIPS186-4:
                    +186-4KEY(gen)                    :  FIPS186-4_Fixed_e ( 10001 ) ;
                    +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

                    SHA Val# 3047 DRBG: Val# 955

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889

                    Version 10.0.10586

                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5]                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    +

                    FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5]                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    SHA Val#3048

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871

                    Version 10.0.10586

                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5]                     SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                    -SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    +

                    FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5]                     SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                    +SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    SHA Val# 3047

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888

                    Version 10.0.10586

                    FIPS186-4:
                    -[RSASSA-PSS]: Sig(Gen)                    : (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                    -Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                    +

                    FIPS186-4:
                    +[RSASSA-PSS]: Sig(Gen)                    : (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                    +Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                    SHA Val# 3047

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887

                    Version 10.0.10586

                    FIPS186-4:
                    -186-4KEY(gen):                     FIPS186-4_Fixed_e ( 10001 ) ;
                    +

                    FIPS186-4:
                    +186-4KEY(gen):                     FIPS186-4_Fixed_e ( 10001 ) ;
                    PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

                    SHA Val# 2886 DRBG: Val# 868

                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798

                    Version 10.0.10240

                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5]                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    +

                    FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5]                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    SHA Val#2871

                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784

                    Version 10.0.10240

                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5]                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    +

                    FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5]                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    SHA Val#2871

                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783

                    Version 10.0.10240

                    FIPS186-4:
                    -[RSASSA-PSS]:                     Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                    +

                    FIPS186-4:
                    +[RSASSA-PSS]:                     Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                    Sig(Ver): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                    SHA Val# 2886

                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802

                    Version 10.0.10240

                    FIPS186-4:
                    -186-4KEY(gen):                     FIPS186-4_Fixed_e ;
                    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

                    +

                    FIPS186-4:
                    +186-4KEY(gen):                     FIPS186-4_Fixed_e ;
                    +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

                    SHA Val#2373 DRBG: Val# 489

                    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487

                    Version 6.3.9600

                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5]                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    +

                    FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5]                     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    SHA Val#2373

                    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494

                    Version 6.3.9600

                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5                    ] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                    +

                    FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5                    ] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    SHA Val#2373

                    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493

                    Version 6.3.9600

                    FIPS186-4:
                    -[RSASSA-PSS]:                     Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                    +

                    FIPS186-4:
                    +[RSASSA-PSS]:                     Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                    Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                    SHA Val#2373

                    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519

                    Version 6.3.9600

                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5]                     SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
                    +

                    FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5]                     SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 ))
                    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                    +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                    Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 ))
                    SHA #1903

                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134.

                    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134
                    FIPS186-4:
                    -186-4KEY(gen):                     FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
                    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
                    +                    		FIPS186-4:
                    +186-4KEY(gen):                     FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
                    +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
                    SHA #1903 DRBG: #258                    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133
                    FIPS186-2:
                    -ALG[ANSIX9.31]:                     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
                    +                    		FIPS186-2:
                    +ALG[ANSIX9.31]:                     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
                    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132.                    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132
                    FIPS186-2:
                    -ALG[ANSIX9.31]:
                    +                    		FIPS186-2:
                    +ALG[ANSIX9.31]:
                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
                    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052.                    		 Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052
                    FIPS186-2:
                    -ALG[ANSIX9.31]:                     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
                    +                    		FIPS186-2:
                    +ALG[ANSIX9.31]:                     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
                    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051.                    		 Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051
                    FIPS186-2:
                    -ALG[RSASSA-PKCS1_V1_5]:                     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                    +                    		FIPS186-2:
                    +ALG[RSASSA-PKCS1_V1_5]:                     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568.                    		 Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568
                    FIPS186-2:
                    -ALG[RSASSA-PKCS1_V1_5]:                     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                    +                    		FIPS186-2:
                    +ALG[RSASSA-PKCS1_V1_5]:                     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                    -ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
                    +ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#567. See Historical RSA List Val#560.

                    Windows Server 2008 R2 and SP1 CNG algorithms #567

                    Windows 7 and SP1 CNG algorithms #560
                    FIPS186-2:
                    -ALG[ANSIX9.31]:                     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
                    +                    		FIPS186-2:
                    +ALG[ANSIX9.31]:                     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559.                    		 Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559
                    FIPS186-2:
                    -ALG[RSASSA-PKCS1_V1_5]:                     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                    +                    		FIPS186-2:
                    +ALG[RSASSA-PKCS1_V1_5]:                     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#557.                    		 Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557
                    FIPS186-2:
                    +                    		FIPS186-2:
                    ALG[ANSIX9.31]:
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
                    +ALG[RSASSA-PKCS1_V1_5]:                     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#395.                    		 Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395
                    FIPS186-2:
                    -ALG[ANSIX9.31]:
                    +                    		FIPS186-2:
                    +ALG[ANSIX9.31]:
                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#783
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
                    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#371.                    		 Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371
                    FIPS186-2:
                    -ALG[RSASSA-PKCS1_V1_5]:                     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
                    +                    		FIPS186-2:
                    +ALG[RSASSA-PKCS1_V1_5]:                     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
                    -ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
                    +ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#358. See Historical RSA List Val#357.

                    Windows Server 2008 CNG algorithms #358

                    Windows Vista SP1 CNG algorithms #357
                    FIPS186-2:
                    -ALG[ANSIX9.31]:
                    +                    		FIPS186-2:
                    +ALG[ANSIX9.31]:
                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
                    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#355. See Historical RSA List Val#354.

                    Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355

                    Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354
                    FIPS186-2:
                    -ALG[ANSIX9.31]:                     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
                    +                    		FIPS186-2:
                    +ALG[ANSIX9.31]:                     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353.                    		 Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353
                    FIPS186-2:
                    -ALG[ANSIX9.31]:                     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
                    +                    		FIPS186-2:
                    +ALG[ANSIX9.31]:                     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258.                    		 Windows Vista RSA key generation implementation #258
                    FIPS186-2:
                    -ALG[RSASSA-PKCS1_V1_5]:                     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
                    +                    		FIPS186-2:
                    +ALG[RSASSA-PKCS1_V1_5]:                     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
                    -ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
                    +ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#257.                    		 Windows Vista CNG algorithms #257
                    FIPS186-2:
                    -ALG[RSASSA-PKCS1_V1_5]:                     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
                    +                    		FIPS186-2:
                    +ALG[RSASSA-PKCS1_V1_5]:                     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#255.                    		 Windows Vista Enhanced Cryptographic Provider (RSAENH) #255
                    FIPS186-2:
                    -ALG[ANSIX9.31]:
                    +                    		FIPS186-2:
                    +ALG[ANSIX9.31]:
                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
                    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#245.                    		 Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245
                    FIPS186-2:
                    -ALG[ANSIX9.31]:
                    +                    		FIPS186-2:
                    +ALG[ANSIX9.31]:
                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
                    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#230.                    		 Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230
                    FIPS186-2:
                    -ALG[ANSIX9.31]:
                    +                    		FIPS186-2:
                    +ALG[ANSIX9.31]:
                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
                    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#222.                    		 Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222
                    FIPS186-2:
                    -ALG[RSASSA-PKCS1_V1_5]:
                    +                    		FIPS186-2:
                    +ALG[RSASSA-PKCS1_V1_5]:
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#364
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#81.                    		 Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81
                    FIPS186-2:
                    -ALG[ANSIX9.31]:
                    +                    		FIPS186-2:
                    +ALG[ANSIX9.31]:
                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
                    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#52.                    		 Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52

                    FIPS186-2:

                    +

                    FIPS186-2:

                    – PKCS#1 v1.5, signature generation and verification

                    – Mod sizes: 1024, 1536, 2048, 3072, 4096

                    – SHS: SHA–1/256/384/512
                    Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
                      @@ -6213,170 +6213,170 @@ Some of the previously validated components for this validation have been remove

                      Version 10.0.16299
                    SHA-1      (BYTE-only)
                    -SHA-256  (BYTE-only)
                    -SHA-384  (BYTE-only)
                    -SHA-512  (BYTE-only)                    		SHA-1      (BYTE-only)
                    +SHA-256  (BYTE-only)
                    +SHA-384  (BYTE-only)
                    +SHA-512  (BYTE-only)

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3790

                    Version 10.0.15063
                    SHA-1      (BYTE-only)
                    -SHA-256  (BYTE-only)
                    -SHA-384  (BYTE-only)
                    -SHA-512  (BYTE-only)                    		SHA-1      (BYTE-only)
                    +SHA-256  (BYTE-only)
                    +SHA-384  (BYTE-only)
                    +SHA-512  (BYTE-only)

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3652

                    Version 7.00.2872
                    SHA-1      (BYTE-only)
                    -SHA-256  (BYTE-only)
                    -SHA-384  (BYTE-only)
                    -SHA-512  (BYTE-only)                    		SHA-1      (BYTE-only)
                    +SHA-256  (BYTE-only)
                    +SHA-384  (BYTE-only)
                    +SHA-512  (BYTE-only)

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3651

                    Version 8.00.6246
                    SHA-1      (BYTE-only)
                    -SHA-256  (BYTE-only)
                    -SHA-384  (BYTE-only)
                    -SHA-512  (BYTE-only)                    		SHA-1      (BYTE-only)
                    +SHA-256  (BYTE-only)
                    +SHA-384  (BYTE-only)
                    +SHA-512  (BYTE-only)

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3649

                    Version 7.00.2872
                    SHA-1      (BYTE-only)
                    -SHA-256  (BYTE-only)
                    -SHA-384  (BYTE-only)
                    -SHA-512  (BYTE-only)                    		SHA-1      (BYTE-only)
                    +SHA-256  (BYTE-only)
                    +SHA-384  (BYTE-only)
                    +SHA-512  (BYTE-only)

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3648

                    Version 8.00.6246
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)                    		SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)                    		 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #3347
                    Version 10.0.14393
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)                    		SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)                    		 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #3346
                    Version 10.0.14393
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)                    		SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)                    		 Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #3048
                    Version 10.0.10586
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)                    		SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)                    		 Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #3047
                    Version 10.0.10586
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)                    		SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)                    		 Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886
                    Version 10.0.10240
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)                    		SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)                    		 Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871
                    Version 10.0.10240
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)                    		SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)                    		 Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396
                    Version 6.3.9600
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)                    		SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)                    		 Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
                    Version 6.3.9600

                    SHA-1 (BYTE-only)

                    -

                    SHA-256 (BYTE-only)

                    -

                    SHA-384 (BYTE-only)

                    -

                    SHA-512 (BYTE-only)

                    +

                    SHA-1 (BYTE-only)

                    +

                    SHA-256 (BYTE-only)

                    +

                    SHA-384 (BYTE-only)

                    +

                    SHA-512 (BYTE-only)

                    Implementation does not support zero-length (null) messages.

                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903

                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)                    		SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)

                    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1774

                    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1773
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)                    		SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)

                    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081

                    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816
                    SHA-1 (BYTE-only)SHA-1 (BYTE-only)

                    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #785

                    Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #784
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)                    		SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)                    		 Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #783
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)                    		SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)

                    Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753

                    Windows Vista Symmetric Algorithm Implementation #618
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)                    		SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)

                    Windows Vista BitLocker Drive Encryption #737

                    Windows Vista Beta 2 BitLocker Drive Encryption #495
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)                    		SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)

                    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #613

                    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #364
                    SHA-1 (BYTE-only)SHA-1 (BYTE-only)

                    Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #611

                    Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #610

                    Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #385

                    @@ -6386,16 +6386,16 @@ Version 6.3.9600
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)                    		SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)

                    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #589

                    Windows CE and Windows Mobile 6 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #578

                    Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #305
                    SHA-1 (BYTE-only)SHA-1 (BYTE-only)

                    Windows XP Microsoft Enhanced Cryptographic Provider #83

                    Crypto Driver for Windows 2000 (fips.sys) #35

                    Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #32

                    @@ -6417,8 +6417,8 @@ Version 6.3.9600
                    Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
                      @@ -6499,112 +6499,112 @@ Version 6.3.9600
                    TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459

                    Version 10.0.15063

                    TECB( KO 1 e/d, ) ;

                    -

                    TCBC( KO 1 e/d, )

                    TECB( KO 1 e/d, ) ;

                    +

                    TCBC( KO 1 e/d, )

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384

                    Version 8.00.6246

                    TECB( KO 1 e/d, ) ;

                    -

                    TCBC( KO 1 e/d, )

                    TECB( KO 1 e/d, ) ;

                    +

                    TCBC( KO 1 e/d, )

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383

                    Version 8.00.6246

                    TECB( KO 1 e/d, ) ;

                    -

                    TCBC( KO 1 e/d, ) ;

                    -

                    CTR ( int only )

                    TECB( KO 1 e/d, ) ;

                    +

                    TCBC( KO 1 e/d, ) ;

                    +

                    CTR ( int only )

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382

                    Version 7.00.2872

                    TECB( KO 1 e/d, ) ;

                    -

                    TCBC( KO 1 e/d, )

                    TECB( KO 1 e/d, ) ;

                    +

                    TCBC( KO 1 e/d, )

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381

                    Version 8.00.6246

                    TECB( KO 1 e/d, ) ;

                    -

                    TCBC( KO 1 e/d, ) ;

                    -

                    TCFB8( KO 1 e/d, ) ;

                    -

                    TCFB64( KO 1 e/d, )

                    TECB( KO 1 e/d, ) ;

                    +

                    TCBC( KO 1 e/d, ) ;

                    +

                    TCFB8( KO 1 e/d, ) ;

                    +

                    TCFB64( KO 1 e/d, )

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227

                    Version 10.0.14393

                    TECB( KO 1 e/d, ) ;

                    -

                    TCBC( KO 1 e/d, ) ;

                    -

                    TCFB8( KO 1 e/d, ) ;

                    -

                    TCFB64( KO 1 e/d, )

                    TECB( KO 1 e/d, ) ;

                    +

                    TCBC( KO 1 e/d, ) ;

                    +

                    TCFB8( KO 1 e/d, ) ;

                    +

                    TCFB64( KO 1 e/d, )

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024

                    Version 10.0.10586

                    TECB( KO 1 e/d, ) ;

                    -

                    TCBC( KO 1 e/d, ) ;

                    -

                    TCFB8( KO 1 e/d, ) ;

                    -

                    TCFB64( KO 1 e/d, )

                    TECB( KO 1 e/d, ) ;

                    +

                    TCBC( KO 1 e/d, ) ;

                    +

                    TCFB8( KO 1 e/d, ) ;

                    +

                    TCFB64( KO 1 e/d, )

                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969

                    Version 10.0.10240

                    TECB( KO 1 e/d, ) ;

                    -

                    TCBC( KO 1 e/d, ) ;

                    -

                    TCFB8( KO 1 e/d, ) ;

                    -

                    TCFB64( KO 1 e/d, )

                    TECB( KO 1 e/d, ) ;

                    +

                    TCBC( KO 1 e/d, ) ;

                    +

                    TCFB8( KO 1 e/d, ) ;

                    +

                    TCFB64( KO 1 e/d, )

                    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692

                    Version 6.3.9600

                    TECB( e/d; KO 1,2 ) ;

                    -

                    TCBC( e/d; KO 1,2 ) ;

                    -

                    TCFB8( e/d; KO 1,2 ) ;

                    -

                    TCFB64( e/d; KO 1,2 )

                    TECB( e/d; KO 1,2 ) ;

                    +

                    TCBC( e/d; KO 1,2 ) ;

                    +

                    TCFB8( e/d; KO 1,2 ) ;

                    +

                    TCFB64( e/d; KO 1,2 )

                    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387

                    TECB( e/d; KO 1,2 ) ;

                    -

                    TCBC( e/d; KO 1,2 ) ;

                    -

                    TCFB8( e/d; KO 1,2 )

                    TECB( e/d; KO 1,2 ) ;

                    +

                    TCBC( e/d; KO 1,2 ) ;

                    +

                    TCFB8( e/d; KO 1,2 )

                    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386

                    TECB( e/d; KO 1,2 ) ;

                    -

                    TCBC( e/d; KO 1,2 ) ;

                    -

                    TCFB8( e/d; KO 1,2 )

                    TECB( e/d; KO 1,2 ) ;

                    +

                    TCBC( e/d; KO 1,2 ) ;

                    +

                    TCFB8( e/d; KO 1,2 )

                    		 Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846

                    TECB( e/d; KO 1,2 ) ;

                    -

                    TCBC( e/d; KO 1,2 ) ;

                    -

                    TCFB8( e/d; KO 1,2 )

                    TECB( e/d; KO 1,2 ) ;

                    +

                    TCBC( e/d; KO 1,2 ) ;

                    +

                    TCFB8( e/d; KO 1,2 )

                    		 Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656

                    TECB( e/d; KO 1,2 ) ;

                    -

                    TCBC( e/d; KO 1,2 ) ;

                    -

                    TCFB8( e/d; KO 1,2 )

                    TECB( e/d; KO 1,2 ) ;

                    +

                    TCBC( e/d; KO 1,2 ) ;

                    +

                    TCFB8( e/d; KO 1,2 )

                    		 Windows Vista Symmetric Algorithm Implementation #549
                    Triple DES MACTriple DES MAC

                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed

                    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed

                    TECB( e/d; KO 1,2 ) ;

                    -

                    TCBC( e/d; KO 1,2 )

                    TECB( e/d; KO 1,2 ) ;

                    +

                    TCBC( e/d; KO 1,2 )

                    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308

                    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307

                    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691

                    @@ -6636,15 +6636,15 @@ Version 6.3.9600
                    + PBKDF (vendor affirmed) + PBKDF (vendor affirmed) - - + + - + @@ -113,7 +113,7 @@ The following steps assume that you have completed all the required steps in [Be - diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md index 7f19406d2e..a856668804 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md @@ -108,15 +108,15 @@ See Onboard Windows 10 devices. - + diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md index 4f0891df0c..3956891c0c 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md @@ -33,29 +33,29 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor - + - - - - + + + + - + - + - + @@ -90,11 +90,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C @@ -102,11 +102,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C @@ -114,11 +114,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C @@ -126,11 +126,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C @@ -138,11 +138,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C @@ -150,11 +150,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C
                    - Modes / States / Key Sizes + Modes / States / Key Sizes - Algorithm Implementation and Certificate # + Algorithm Implementation and Certificate #
                    - PBKDF (vendor affirmed)

                     Kernel Mode Cryptographic Primitives Library (cng.sys) Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2937
                    (Software Version: 10.0.14393)

                    Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
                    (Software Version: 10.0.14393)

                    @@ -6654,7 +6654,7 @@ Version 6.3.9600
                    - PBKDF (vendor affirmed)

                    Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
                    (Software Version: 10.0.14393)

                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG), vendor-affirmed

                    @@ -6672,8 +6672,8 @@ Version 6.3.9600
                    Publication / Component Validated / DescriptionImplementation and Certificate #Publication / Component Validated / DescriptionImplementation and Certificate #
                      diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md index 8544b43d61..5ecbd9a101 100644 --- a/windows/security/threat-protection/intelligence/support-scams.md +++ b/windows/security/threat-protection/intelligence/support-scams.md @@ -63,6 +63,6 @@ It is also important to keep the following in mind: Help Microsoft stop scammers, whether they claim to be from Microsoft or from another tech company, by reporting tech support scams: -www.microsoft.com/reportascam +www.microsoft.com/reportascam You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/wdsi/support/report-unsafe-site) or using built in web browser functionality. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md index 2dc93956ba..ef4053bac6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md @@ -103,8 +103,8 @@ The following steps assume that you have completed all the required steps in [Be For example, if the configuration file in "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file.
                    Events URLDepending on the location of your datacenter, select either the EU or the US URL:

                    For EU: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
                    -
                    For US: https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME

                    For UK: https://wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME                    		Depending on the location of your datacenter, select either the EU or the US URL:

                    For EU: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
                    +
                    For US: https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME

                    For UK: https://wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
                    Authentication Type OAuth 2Browse to the location of the wdatp-connector.properties file. The name must match the file provided in the .zip that you downloaded.
                    Refresh TokenYou can obtain a refresh token in two ways: by generating a refresh token from the SIEM settings page or using the restutil tool.

                    For more information on generating a refresh token from the Preferences setup , see Enable SIEM integration in Microsoft Defender ATP.

                    Get your refresh token using the restutil tool:
                    a. Open a command prompt. Navigate to C:\folder_location\current\bin where folder_location represents the location where you installed the tool.

                    b. Type: arcsight restutil token -config from the bin directory.For example: arcsight restutil boxtoken -proxy proxy.location.hp.com:8080 A Web browser window will open.

                    c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

                    d. A refresh token is shown in the command prompt.

                    e. Copy and paste it into the Refresh Token field. +                     		You can obtain a refresh token in two ways: by generating a refresh token from the SIEM settings page or using the restutil tool.

                    For more information on generating a refresh token from the Preferences setup , see Enable SIEM integration in Microsoft Defender ATP.

                    Get your refresh token using the restutil tool:
                    a. Open a command prompt. Navigate to C:\folder_location\current\bin where folder_location represents the location where you installed the tool.

                    b. Type: arcsight restutil token -config from the bin directory.For example: arcsight restutil boxtoken -proxy proxy.location.hp.com:8080 A Web browser window will open.

                    c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

                    d. A refresh token is shown in the command prompt.

                    e. Copy and paste it into the Refresh Token field.
                    9 Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: variable.During onboarding: The device did not onboard correctly and will not be reporting to the portal.

                    During offboarding: Failed to change the service start type. The offboarding process continues.                     		During onboarding: The device did not onboard correctly and will not be reporting to the portal.

                    During offboarding: Failed to change the service start type. The offboarding process continues.                     		Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
                    See Onboard Windows 10 devices.
                    Description
                    Windows 10, version 2004:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

                    -

                    		Windows 10, version 1703:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

                    Windows 10, Version 1607 and earlier:
                    Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen

                    		Windows 10, version 2004:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

                    +

                    		Windows 10, version 1703:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

                    Windows 10, Version 1607 and earlier:
                    Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen

                    		 At least Windows Server 2012, Windows 8 or Windows RT This policy setting turns on Microsoft Defender SmartScreen.

                    If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).

                    If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.

                    If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.
                    Windows 10, version 2004:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control                    		Windows 10, version 1703:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control                    		Windows 10, version 1703This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

                    This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

                    Important: Using a trustworthy browser helps ensure that these protections work as expected.

                    		Windows 10, version 2004:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control                    		Windows 10, version 1703:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control                    		Windows 10, version 1703This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

                    This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

                    Important: Using a trustworthy browser helps ensure that these protections work as expected.
                    Windows 10, version 2004:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

                    Windows 10, version 1703:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

                    Windows 10, Version 1607 and earlier:
                    Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen

                    		Windows 10, version 2004:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

                    Windows 10, version 1703:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

                    Windows 10, Version 1607 and earlier:
                    Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen

                    		 Microsoft Edge on Windows 10 or later This policy setting turns on Microsoft Defender SmartScreen.

                    If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off.

                    If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.

                    If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.
                    Windows 10, version 2004:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

                    Windows 10, version 1703:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

                    Windows 10, Version 1511 and 1607:
                    Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files

                    		Windows 10, version 2004:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

                    Windows 10, version 1703:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

                    Windows 10, Version 1511 and 1607:
                    Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files

                    		 Microsoft Edge on Windows 10, version 1511 or later This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files.

                    If you enable this setting, it stops employees from bypassing the warning, stopping the file download.

                    If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.
                    Windows 10, version 2004:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

                    Windows 10, version 1703:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

                    Windows 10, Version 1511 and 1607:
                    Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites

                    		Windows 10, version 2004:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

                    Windows 10, version 1703:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

                    Windows 10, Version 1511 and 1607:
                    Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites

                    		 Microsoft Edge on Windows 10, version 1511 or later This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites.

                    If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.

                    If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.
                    Windows 10
                      -
                    • URI full path. ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
                      • -
                    • Data type. Integer
                      • -
                    • Allowed values:
                        -
                      • 0 . Turns off Microsoft Defender SmartScreen in Edge.
                        • -
                      • 1. Turns on Microsoft Defender SmartScreen in Edge.
                    +
                  • URI full path. ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
                    • +
                  • Data type. Integer
                    • +
                  • Allowed values:
                      +
                    • 0 . Turns off Microsoft Defender SmartScreen in Edge.
                      • +
                    • 1. Turns on Microsoft Defender SmartScreen in Edge.
                    		•
                    Windows 10, version 1703
                      -
                    • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl
                      • -
                    • Data type. Integer
                      • -
                    • Allowed values:
                        -
                      • 0 . Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
                        • -
                      • 1. Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.
                    +
                  • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl
                    • +
                  • Data type. Integer
                    • +
                  • Allowed values:
                      +
                    • 0 . Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
                      • +
                    • 1. Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.
                    		•
                    Windows 10, version 1703
                      -
                    • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
                      • -
                    • Data type. Integer
                      • -
                    • Allowed values:
                        -
                      • 0 . Turns off Microsoft Defender SmartScreen in Windows for app and file execution.
                        • -
                      • 1. Turns on Microsoft Defender SmartScreen in Windows for app and file execution.
                    +
                  • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
                    • +
                  • Data type. Integer
                    • +
                  • Allowed values:
                      +
                    • 0 . Turns off Microsoft Defender SmartScreen in Windows for app and file execution.
                      • +
                    • 1. Turns on Microsoft Defender SmartScreen in Windows for app and file execution.
                    		•
                    Windows 10, version 1703
                      -
                    • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
                      • -
                    • Data type. Integer
                      • -
                    • Allowed values:
                        -
                      • 0 . Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.
                        • -
                      • 1. Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.
                    +
                  • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
                    • +
                  • Data type. Integer
                    • +
                  • Allowed values:
                      +
                    • 0 . Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.
                      • +
                    • 1. Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.
                    		•
                    Windows 10, Version 1511 and later
                      -
                    • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
                      • -
                    • Data type. Integer
                      • -
                    • Allowed values:
                        -
                      • 0 . Employees can ignore Microsoft Defender SmartScreen warnings.
                        • -
                      • 1. Employees can't ignore Microsoft Defender SmartScreen warnings.
                    +
                  • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
                    • +
                  • Data type. Integer
                    • +
                  • Allowed values:
                      +
                    • 0 . Employees can ignore Microsoft Defender SmartScreen warnings.
                      • +
                    • 1. Employees can't ignore Microsoft Defender SmartScreen warnings.
                    		•
                    Windows 10, Version 1511 and later
                      -
                    • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
                      • -
                    • Data type. Integer
                      • -
                    • Allowed values:
                        -
                      • 0 . Employees can ignore Microsoft Defender SmartScreen warnings for files.
                        • -
                      • 1. Employees can't ignore Microsoft Defender SmartScreen warnings for files.
                    +
                  • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
                    • +
                  • Data type. Integer
                    • +
                  • Allowed values:
                      +
                    • 0 . Employees can ignore Microsoft Defender SmartScreen warnings for files.
                      • +
                    • 1. Employees can't ignore Microsoft Defender SmartScreen warnings for files.
                    		•
                    @@ -170,19 +170,19 @@ To better help you protect your organization, we recommend turning on and using
                    Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreenEnable. Turns on Microsoft Defender SmartScreen.Enable. Turns on Microsoft Defender SmartScreen.
                    Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sitesEnable. Stops employees from ignoring warning messages and continuing to a potentially malicious website.Enable. Stops employees from ignoring warning messages and continuing to a potentially malicious website.
                    Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for filesEnable. Stops employees from ignoring warning messages and continuing to download potentially malicious files.Enable. Stops employees from ignoring warning messages and continuing to download potentially malicious files.
                    Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreenEnable with the Warn and prevent bypass option. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.Enable with the Warn and prevent bypass option. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.

                    @@ -193,23 +193,23 @@ To better help you protect your organization, we recommend turning on and using

                    Browser/AllowSmartScreen1. Turns on Microsoft Defender SmartScreen.1. Turns on Microsoft Defender SmartScreen.
                    Browser/PreventSmartScreenPromptOverride1. Stops employees from ignoring warning messages and continuing to a potentially malicious website.1. Stops employees from ignoring warning messages and continuing to a potentially malicious website.
                    Browser/PreventSmartScreenPromptOverrideForFiles1. Stops employees from ignoring warning messages and continuing to download potentially malicious files.1. Stops employees from ignoring warning messages and continuing to download potentially malicious files.
                    SmartScreen/EnableSmartScreenInShell1. Turns on Microsoft Defender SmartScreen in Windows.

                    Requires at least Windows 10, version 1703.

                    		1. Turns on Microsoft Defender SmartScreen in Windows.

                    Requires at least Windows 10, version 1703.
                    SmartScreen/PreventOverrideForFilesInShell1. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.

                    Requires at least Windows 10, version 1703.

                    		1. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.

                    Requires at least Windows 10, version 1703.
                    diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index 15bf8bc91c..eaef387dbf 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -311,9 +311,9 @@ The following table lists EMET features in relation to Windows 10 features. - - + + diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index d726f7ff56..905bf8c06a 100644 --- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -351,7 +351,7 @@ The following table details the hardware requirements for both virtualization-ba - + - + @@ -87,30 +87,30 @@ You can perform this task by using the Group Policy Management Console for an Ap - - + + - + - + - + - - + +
                    Specific EMET featuresHow these EMET features map
                    -to Windows 10 features                    		Specific EMET featuresHow these EMET features map
                    +to Windows 10 features

                    Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled

                    Required to support virtualization-based security.

                    -Note

                    Device Guard can be enabled without using virtualization-based security.

                    +Note

                    Device Guard can be enabled without using virtualization-based security.

                    @@ -533,7 +533,7 @@ If the TPM ownership is not known but the EK exists, the client library will pro As part of the provisioning process, Windows 10 will create an AIK with the TPM. When this operation is performed, the resulting AIK public portion is stored in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\WindowsAIKPub** -> **Note:** For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: https://\*.microsoftaik.azure.net +> **Note:** For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: https://\*.microsoftaik.azure.net ### Windows 10 Health Attestation CSP diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md index 7ac5a2faeb..1f35434f95 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md @@ -59,12 +59,12 @@ You can perform this task by using the Group Policy Management Console for an Ap

                    Use an installed packaged app as a reference

                    Use an installed packaged app as a reference

                    If selected, AppLocker requires you to choose an app that is already installed on which to base your new rule. AppLocker uses the publisher, package name and package version to define the rule.

                    You want the Sales group only to use the app named Microsoft.BingMaps for its outside sales calls. The Microsoft.BingMaps app is already installed on the device where you are creating the rule, so you choose this option, and select the app from the list of apps installed on the computer and create the rule using this app as a reference.

                    Use a packaged app installer as a reference

                    Use a packaged app installer as a reference

                    If selected, AppLocker requires you to choose an app installer on which to base your new rule. A packaged app installer has the .appx extension. AppLocker uses the publisher, package name and package version of the installer to define the rule.

                    Your company has developed a number of internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share and choose the installer for the Payroll app as a reference to create your rule.

                    Applies to Any publisher

                    This is the least restrictive scope condition for an Allow rule. It permits every packaged app to run or install.

                    -

                    Conversely, if this is a Deny rule, then this option is the most restrictive because it denies all apps from installing or running.

                    Applies to Any publisher

                    This is the least restrictive scope condition for an Allow rule. It permits every packaged app to run or install.

                    +

                    Conversely, if this is a Deny rule, then this option is the most restrictive because it denies all apps from installing or running.

                    You want the Sales group to use any packaged app from any signed publisher. You set the permissions to allow the Sales group to be able to run any app.

                    Applies to a specific Publisher

                    Applies to a specific Publisher

                    This scopes the rule to all apps published by a particular publisher.

                    You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope.

                    Applies to a Package name

                    Applies to a Package name

                    This scopes the rule to all packages that share the publisher name and package name as the reference file.

                    You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope.

                    Applies to a Package version

                    Applies to a Package version

                    This scopes the rule to a particular version of the package.

                    You want to be very selective in what you allow. You do not want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer.

                    Applying custom values to the rule

                    Selecting the Use custom values check box allows you to adjust the scope fields for your particular circumstance.

                    You want to allow users to install all Microsoft.Bing* applications which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the Use custom values check box and edit the package name field by adding “Microsoft.Bing*” as the Package name.

                    Selecting the Use custom values check box allows you to adjust the scope fields for your particular circumstance.

                    You want to allow users to install all Microsoft.Bing* applications which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the Use custom values check box and edit the package name field by adding “Microsoft.Bing*” as the Package name.
                    diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md index 3cac5abbce..c43cf96fee 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md @@ -99,9 +99,9 @@ The following table provides an example of how to list applications for each bus
                    ->Note: AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary. +>Note: AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary. -Event processing +Event processing As you create your list of apps, you need to consider how to manage the events that are generated by user access, or you need to deny running those apps to make your users as productive as possible. The following list is an example of what to consider and what to record: diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md index 90bf198903..35e51ee350 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md @@ -277,7 +277,7 @@ The following table is an example of what to consider and record.
                    -Policy maintenance policy +Policy maintenance policy When applications are identified and policies are created for application control, then you can begin documenting how you intend to update those policies. The following table is an example of what to consider and record. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md index 5bfe8d38ed..1d132ac242 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md @@ -131,7 +131,7 @@ An AppLocker policy deployment plan is the result of investigating which applica
                    -Event processing policy +Event processing policy @@ -169,7 +169,7 @@ An AppLocker policy deployment plan is the result of investigating which applica
                    -Policy maintenance policy +Policy maintenance policy diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md index 7baf71b5df..a8bfeff845 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md @@ -119,7 +119,7 @@ If your organization supports multiple Windows operating systems, app control po

                    AppLocker rules are only applied to computers running the supported versions of Windows, but SRP rules can be applied to all versions of Windows beginning with Windows XP and Windows Server 2003. For specific operating system version requirements, see Requirements to use AppLocker.

                    -Note

                    If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker.

                    +Note

                    If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker.

                    diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md index 2ddcbb332e..eab62e36b7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md @@ -119,7 +119,7 @@ The following table compares AppLocker to Software Restriction Policies.
                    -Application control function differences +Application control function differences The following table compares the application control functions of Software Restriction Policies (SRP) and AppLocker. @@ -141,7 +141,7 @@ The following table compares the application control functions of Software Restr

                    SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.

                    AppLocker policies apply only to those supported operating system versions and editions listed in Requirements to use AppLocker. But these systems can also use SRP.

                    -Note

                    Use different GPOs for SRP and AppLocker rules.

                    +Note

                    Use different GPOs for SRP and AppLocker rules.