diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index 4a01c45a31..195bd1e6bf 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -1,484 +1,484 @@ -{ - "build_entry_point": "", - "docsets_to_publish": [ - { - "docset_name": "education", - "build_source_folder": "education", - "build_output_subfolder": "education", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "hololens", - "build_source_folder": "devices/hololens", - "build_output_subfolder": "hololens", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "internet-explorer", - "build_source_folder": "browsers/internet-explorer", - "build_output_subfolder": "internet-explorer", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "keep-secure", - "build_source_folder": "windows/keep-secure", - "build_output_subfolder": "keep-secure", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "mdop", - "build_source_folder": "mdop", - "build_output_subfolder": "mdop", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "microsoft-edge", - "build_source_folder": "browsers/edge", - "build_output_subfolder": "microsoft-edge", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "release-information", - "build_source_folder": "windows/release-information", - "build_output_subfolder": "release-information", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": false, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "smb", - "build_source_folder": "smb", - "build_output_subfolder": "smb", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "store-for-business", - "build_source_folder": "store-for-business", - "build_output_subfolder": "store-for-business", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "surface", - "build_source_folder": "devices/surface", - "build_output_subfolder": "surface", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "surface-hub", - "build_source_folder": "devices/surface-hub", - "build_output_subfolder": "surface-hub", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "win-access-protection", - "build_source_folder": "windows/access-protection", - "build_output_subfolder": "win-access-protection", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "win-app-management", - "build_source_folder": "windows/application-management", - "build_output_subfolder": "win-app-management", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "win-client-management", - "build_source_folder": "windows/client-management", - "build_output_subfolder": "win-client-management", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "win-configuration", - "build_source_folder": "windows/configuration", - "build_output_subfolder": "win-configuration", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "win-deployment", - "build_source_folder": "windows/deployment", - "build_output_subfolder": "win-deployment", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "win-device-security", - "build_source_folder": "windows/device-security", - "build_output_subfolder": "win-device-security", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "windows-configure", - "build_source_folder": "windows/configure", - "build_output_subfolder": "windows-configure", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "windows-deploy", - "build_source_folder": "windows/deploy", - "build_output_subfolder": "windows-deploy", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "windows-hub", - "build_source_folder": "windows/hub", - "build_output_subfolder": "windows-hub", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "windows-manage", - "build_source_folder": "windows/manage", - "build_output_subfolder": "windows-manage", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "windows-plan", - "build_source_folder": "windows/plan", - "build_output_subfolder": "windows-plan", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "windows-privacy", - "build_source_folder": "windows/privacy", - "build_output_subfolder": "windows-privacy", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "windows-security", - "build_source_folder": "windows/security", - "build_output_subfolder": "windows-security", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "windows-update", - "build_source_folder": "windows/update", - "build_output_subfolder": "windows-update", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "win-threat-protection", - "build_source_folder": "windows/threat-protection", - "build_output_subfolder": "win-threat-protection", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "win-whats-new", - "build_source_folder": "windows/whats-new", - "build_output_subfolder": "win-whats-new", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - } - ], - "notification_subscribers": [ - "elizapo@microsoft.com" - ], - "sync_notification_subscribers": [ - "daniha@microsoft.com" - ], - "branches_to_filter": [ - "" - ], - "git_repository_url_open_to_public_contributors": "https://github.com/MicrosoftDocs/windows-itpro-docs", - "git_repository_branch_open_to_public_contributors": "master", - "skip_source_output_uploading": false, - "need_preview_pull_request": true, - "resolve_user_profile_using_github": true, - "contribution_branch_mappings": {}, - "dependent_repositories": [ - { - "path_to_root": "_themes.pdf", - "url": "https://github.com/Microsoft/templates.docs.msft.pdf", - "branch": "master", - "branch_mapping": {} - }, - { - "path_to_root": "_themes", - "url": "https://github.com/Microsoft/templates.docs.msft", - "branch": "master", - "branch_mapping": {} - } - ], - "branch_target_mapping": { - "live": [ - "Publish", - "Pdf" - ], - "master": [ - "Publish", - "Pdf" - ] - }, - "need_generate_pdf_url_template": true, - "targets": { - "Pdf": { - "template_folder": "_themes.pdf" - } - }, - "need_generate_pdf": false, - "need_generate_intellisense": false +{ + "build_entry_point": "", + "docsets_to_publish": [ + { + "docset_name": "education", + "build_source_folder": "education", + "build_output_subfolder": "education", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "hololens", + "build_source_folder": "devices/hololens", + "build_output_subfolder": "hololens", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "internet-explorer", + "build_source_folder": "browsers/internet-explorer", + "build_output_subfolder": "internet-explorer", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "keep-secure", + "build_source_folder": "windows/keep-secure", + "build_output_subfolder": "keep-secure", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "mdop", + "build_source_folder": "mdop", + "build_output_subfolder": "mdop", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "microsoft-edge", + "build_source_folder": "browsers/edge", + "build_output_subfolder": "microsoft-edge", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "release-information", + "build_source_folder": "windows/release-information", + "build_output_subfolder": "release-information", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": false, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "smb", + "build_source_folder": "smb", + "build_output_subfolder": "smb", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "store-for-business", + "build_source_folder": "store-for-business", + "build_output_subfolder": "store-for-business", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "surface", + "build_source_folder": "devices/surface", + "build_output_subfolder": "surface", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "surface-hub", + "build_source_folder": "devices/surface-hub", + "build_output_subfolder": "surface-hub", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "win-access-protection", + "build_source_folder": "windows/access-protection", + "build_output_subfolder": "win-access-protection", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "win-app-management", + "build_source_folder": "windows/application-management", + "build_output_subfolder": "win-app-management", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "win-client-management", + "build_source_folder": "windows/client-management", + "build_output_subfolder": "win-client-management", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "win-configuration", + "build_source_folder": "windows/configuration", + "build_output_subfolder": "win-configuration", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "win-deployment", + "build_source_folder": "windows/deployment", + "build_output_subfolder": "win-deployment", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "win-device-security", + "build_source_folder": "windows/device-security", + "build_output_subfolder": "win-device-security", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "windows-configure", + "build_source_folder": "windows/configure", + "build_output_subfolder": "windows-configure", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "windows-deploy", + "build_source_folder": "windows/deploy", + "build_output_subfolder": "windows-deploy", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "windows-hub", + "build_source_folder": "windows/hub", + "build_output_subfolder": "windows-hub", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "windows-manage", + "build_source_folder": "windows/manage", + "build_output_subfolder": "windows-manage", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "windows-plan", + "build_source_folder": "windows/plan", + "build_output_subfolder": "windows-plan", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "windows-privacy", + "build_source_folder": "windows/privacy", + "build_output_subfolder": "windows-privacy", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "windows-security", + "build_source_folder": "windows/security", + "build_output_subfolder": "windows-security", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "windows-update", + "build_source_folder": "windows/update", + "build_output_subfolder": "windows-update", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "win-threat-protection", + "build_source_folder": "windows/threat-protection", + "build_output_subfolder": "win-threat-protection", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "win-whats-new", + "build_source_folder": "windows/whats-new", + "build_output_subfolder": "win-whats-new", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + } + ], + "notification_subscribers": [ + "elizapo@microsoft.com" + ], + "sync_notification_subscribers": [ + "daniha@microsoft.com" + ], + "branches_to_filter": [ + "" + ], + "git_repository_url_open_to_public_contributors": "https://github.com/MicrosoftDocs/windows-itpro-docs", + "git_repository_branch_open_to_public_contributors": "master", + "skip_source_output_uploading": false, + "need_preview_pull_request": true, + "resolve_user_profile_using_github": true, + "contribution_branch_mappings": {}, + "dependent_repositories": [ + { + "path_to_root": "_themes.pdf", + "url": "https://github.com/Microsoft/templates.docs.msft.pdf", + "branch": "master", + "branch_mapping": {} + }, + { + "path_to_root": "_themes", + "url": "https://github.com/Microsoft/templates.docs.msft", + "branch": "master", + "branch_mapping": {} + } + ], + "branch_target_mapping": { + "live": [ + "Publish", + "Pdf" + ], + "master": [ + "Publish", + "Pdf" + ] + }, + "need_generate_pdf_url_template": true, + "targets": { + "Pdf": { + "template_folder": "_themes.pdf" + } + }, + "need_generate_pdf": false, + "need_generate_intellisense": false } \ No newline at end of file diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 4ce774ddfc..7254840960 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -14958,8 +14958,8 @@ "redirect_document_id": true }, { -"source_path": "windows/windows/deployment/windows-10-enterprise-subscription-activation.md", -"redirect_url": "/windows/windows/deployment/windows-10-subscription-activation", +"source_path": "windows/deployment/windows-10-enterprise-subscription-activation.md", +"redirect_url": "/windows/deployment/windows-10-subscription-activation", "redirect_document_id": true }, { diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md index e1bd5ba5d6..e2858bc04b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md +++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md @@ -24,7 +24,7 @@ ms.date: 07/27/2017 Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. >**Upgrade Readiness and Windows upgrades**
->You can use Upgrade Readiness to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Readiness to review several site discovery reports. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/en-us/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). +>You can use Upgrade Readiness to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Readiness to review several site discovery reports. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). ## Before you begin diff --git a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md index 7e3946d6d2..67093919f3 100644 --- a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md +++ b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md @@ -20,11 +20,11 @@ Get answers to commonly asked questions about the Internet Explorer 11 Blocker T >[!Important] >If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment. -- [Automatic updates delivery process]() +- [Automatic updates delivery process](#automatic-updates-delivery-process) -- [How the Internet Explorer 11 Blocker Toolkit works]() +- [How the Internet Explorer 11 Blocker Toolkit works](#how-the-internet-explorer-11-blocker-toolkit-works) -- [Internet Explorer 11 Blocker Toolkit and other update services]() +- [Internet Explorer 11 Blocker Toolkit and other update services](#internet-explorer-11-blocker-toolkit-and-other-update-services) ## Automatic Updates delivery process @@ -50,7 +50,7 @@ other update management solution. **Q. Why don’t we just block URL access to Windows Update or Microsoft Update?** A. Blocking the Windows Update or Microsoft Update URLs also stops delivery of critical security and reliability updates for all of the supported versions of the Windows operating system; leaving your computers more vulnerable. -How the Internet Explorer 11 Blocker Toolkit works +## How the Internet Explorer 11 Blocker Toolkit works **Q. How should I test the Internet Explorer 11 Blocker Toolkit in my company?** A. Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additional impact or side effects to your environment. No additional testing should be necessary. diff --git a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md index 0b775febe8..6931f6e77d 100644 --- a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md @@ -20,7 +20,7 @@ Review this list of tasks and references to help you use the Internet Explorer A |Task |References | |----------------------------------------|--------------------------------------------------------------| |Review concepts and requirements, including info about the version and features you'll use. | | -|Prep your environment and get all of the info you'll need for running IEAK 11 | | +|Prep your environment and get all of the info you'll need for running IEAK 11 | | |Run the Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard | | |Review your policy settings and create multiple versions of your install package. | | |Review the general IEAK Customization Wizard 11 information, which applies throughout the process. | | diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index 5455a7c03d..827a27bd02 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md @@ -59,5 +59,5 @@ ## [Troubleshoot Miracast on Surface Hub](miracast-troubleshooting.md) ## [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) ## [Technical information for 55” Microsoft Surface Hub](surface-hub-technical-55.md) -## [Technical information for 84” Microsoft Surface Hub ](surface-hub-technical-84.md) +## [Technical information for 84” Microsoft Surface Hub](surface-hub-technical-84.md) ## [Change history for Surface Hub](change-history-surface-hub.md) diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index b28387f8d2..2d55222b1b 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md @@ -22,7 +22,7 @@ New or changed topic | Description --- | --- [Surface Hub Site Readiness Guide](surface-hub-site-readiness-guide.md) | New; previously available for download only [Technical information for 55” Microsoft Surface Hub](surface-hub-technical-55.md) | New; previously available for download and on [Surface Hub Tech Spec](https://support.microsoft.com/help/4483539/surface-hub-tech-spec) -[Technical information for 84” Microsoft Surface Hub ](surface-hub-technical-84.md) | New; previously available for download and on [Surface Hub Tech Spec](https://support.microsoft.com/help/4483539/surface-hub-tech-spec) +[Technical information for 84” Microsoft Surface Hub](surface-hub-technical-84.md) | New; previously available for download and on [Surface Hub Tech Spec](https://support.microsoft.com/help/4483539/surface-hub-tech-spec) [Surface Hub SSD replacement](surface-hub-ssd-replacement.md) | New; previously available for download only [Implement Quality of Service on Surface Hub](surface-hub-qos.md) | New diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md index 86d6848826..5fd13d7b95 100644 --- a/devices/surface-hub/connect-and-display-with-surface-hub.md +++ b/devices/surface-hub/connect-and-display-with-surface-hub.md @@ -115,11 +115,11 @@ Use these ports on the Surface Hub for Guest Mode. These are the port connections used for Guest Mode on the 55" and 84" Surface Hubs. -![image showing guest ports on 55" surface hub. ](images/sh-55-guest-ports.png) +![image showing guest ports on 55" surface hub.](images/sh-55-guest-ports.png) Wired port connections on 55" Surface Hub -![image showing guest ports on 84" surface hub. ](images/sh-84-guest-ports.png) +![image showing guest ports on 84" surface hub.](images/sh-84-guest-ports.png) Wired port connections on 84" Surface Hub @@ -294,7 +294,7 @@ Check directly with graphics card vendors for the latest drivers. Replacement PC ports on 55" Surface Hub -![image showing replacement pc ports on 55" surface hub. ](images/sh-55-rpc-ports.png) +![image showing replacement pc ports on 55" surface hub.](images/sh-55-rpc-ports.png) @@ -351,7 +351,7 @@ Replacement PC ports on 55" Surface Hub Replacement PC ports on 84" Surface Hub -![image showing replacement pc ports on 84" surface hub. ](images/sh-84-rpc-ports.png) +![image showing replacement pc ports on 84" surface hub.](images/sh-84-rpc-ports.png)
diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md index 6c133e978d..ff1e2014b5 100644 --- a/devices/surface-hub/create-a-device-account-using-office-365.md +++ b/devices/surface-hub/create-a-device-account-using-office-365.md @@ -95,7 +95,7 @@ Install the following module in Powershell 2. Create a Credentials object, then create a new session that connects to Skype for Business Online, and provide the global tenant administrator account, then click **OK**. - ![Image for Windows PowerShell credential request. ](images/setupdeviceaccto365-18.png) + ![Image for Windows PowerShell credential request.](images/setupdeviceaccto365-18.png) 3. To connect to Microsoft Online Services, run: diff --git a/devices/surface-hub/surface-hub-site-readiness-guide.md b/devices/surface-hub/surface-hub-site-readiness-guide.md index f865f7d7a6..44e8717278 100644 --- a/devices/surface-hub/surface-hub-site-readiness-guide.md +++ b/devices/surface-hub/surface-hub-site-readiness-guide.md @@ -89,7 +89,7 @@ The 55” Surface Hub requires two people to safely lift and mount. The 84” Su ## Mounting and setup -See the [Technical information]() section, or your mounting guide at http://www.microsoft.com/surface/support/surface-hub, for detailed instructions. +See your mounting guide at http://www.microsoft.com/surface/support/surface-hub for detailed instructions. There are three ways to mount your Surface Hub: @@ -97,7 +97,7 @@ There are three ways to mount your Surface Hub: - **Floor support mount**: Supports Surface Hub on the floor while it is permanently anchored to a conference space wall. - **Rolling stand**: Supports Surface Hub and lets you move it to other conference locations. For links to guides that provide details about each mounting method, including building requirements, see http://www.microsoft.com/surface/support/surface-hub. -For specifications on available mounts for the original Surfae Hub, see the following: +For specifications on available mounts for the original Surface Hub, see the following: - [Surface Hub Mounts and Stands Datasheet](http://download.microsoft.com/download/5/0/1/501F98D9-1BCC-4448-A1DB-47056CEE33B6/20160711_Surface_Hub_Mounts_and_Stands_Datasheet.pdf) - [Surface Hub Stand and Wall Mount Specifications](http://download.microsoft.com/download/7/A/7/7A75BD0F-5A46-4BCE-B313-A80E47AEB581/20160720_Combined_Stand_Wall_Mount_Drawings.pdf) diff --git a/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md b/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md index 8583a2c15a..eedbfe9ae5 100644 --- a/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md +++ b/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md @@ -118,7 +118,7 @@ Field |Success |Failure |Comment |Reference LyncDiscover Cert CN | | |Informational. Displays the LD cert Common name | LyncDiscover Cert CA | | |Informational. Displays the LD Cert CA | LyncDiscover Cert Root CA | | |Informational. Displays the LD Cert Root CA, if available. | -LD Trust Status |Certificate is Trusted. |Certificate is not trusted, please add the Root CA. |Verify the certificate against the local cert store. Returns positive if the machine trusts the certificate.|[Download and deploy Skype for Business certificates using PowerShell](https://blogs.msdn.microsoft.com/surfacehub/2016/06/07/download-and-deploy-skype-for-business-certificates-using-powershell/)/[Supported items for Surface Hub provisioning packages](https://docs.microsoft.com/en-us/surface-hub/provisioning-packages-for-surface-hub#supported-items-for-surface-hub-provisioning-packages) +LD Trust Status |Certificate is Trusted. |Certificate is not trusted, please add the Root CA. |Verify the certificate against the local cert store. Returns positive if the machine trusts the certificate.|[Download and deploy Skype for Business certificates using PowerShell](https://blogs.msdn.microsoft.com/surfacehub/2016/06/07/download-and-deploy-skype-for-business-certificates-using-powershell/)/[Supported items for Surface Hub provisioning packages](https://docs.microsoft.com/surface-hub/provisioning-packages-for-surface-hub#supported-items-for-surface-hub-provisioning-packages) SIP Pool Certification diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index c83a77a2bd..3b0acc91f0 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -29,11 +29,10 @@ ### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md) ### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md) ### [Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md) -## [Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md) +## [Fix common Surface device issues using the Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business-intro.md) +### [Deploy Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md) ### [Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md) ### [Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md) ## [Surface Data Eraser](microsoft-surface-data-eraser.md) ## [Top support solutions for Surface devices](support-solutions-surface.md) ## [Change history for Surface documentation](change-history-for-surface.md) - - diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index d4e7df2e2b..312c8a39b2 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -15,10 +15,18 @@ ms.topic: article This topic lists new and updated topics in the Surface documentation library. +## June 2019 + +New or changed topic | Description +--- | --- + +[Fix common Surface problems using the Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-for-business-intro.md) | New + ## March 2019 New or changed topic | Description --- | --- + [Surface System SKU reference](surface-system-sku-reference.md) | New diff --git a/devices/surface/documentation/surface-system-sku-reference.md b/devices/surface/documentation/surface-system-sku-reference.md new file mode 100644 index 0000000000..c0aa8460a0 --- /dev/null +++ b/devices/surface/documentation/surface-system-sku-reference.md @@ -0,0 +1,55 @@ +--- +title: Surface System SKU reference +description: This topic provides a reference of System SKU names that you can use to quickly determine the machine state of a specific device. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: coveminer +ms.author: v-jokai +ms.topic: article +ms.date: 03/12/2019 +--- +# Surface System SKU Reference +This document provides a reference of System SKU names that you can use to quickly determine the machine state of a specific device using PowerShell, WMI, and related tools. + +System SKU is a variable (along with System Model and others) stored in System Management BIOS (SMBIOS) tables in the UEFI layer of Surface devices. Use the System SKU name whenever you need to differentiate between devices with the same System Model name, such as Surface Pro and Surface Pro with LTE Advanced. + +| **Device**| **System Model** | **System SKU**| +| --- | ---| --- | +| Surface 3 WiFI | Surface 3 | Surface_3 | +| Surface 3 LTE AT&T | Surface 3 | Surface_3_US1 | +| Surface 3 LTE Verizon | Surface 3 | Surface_3_US2 | +| Surface 3 LTE North America | Surface 3 | Surface_3_NAG | +| Surface 3 LTE Outside of North America and T-Mobile In Japan | Surface 3 | Surface_3_ROW | +| Surface Pro | Surface Pro | Surface_Pro_1796 | +| Surface Pro with LTE Advanced | Surface Pro | Surface_Pro_1807 | +| Surface Book 2 13inch | Surface Book 2 | Surface_Book_1832 | +| Surface Book 2 15inch | Surface Book 2 | Surface_Book_1793 | +| Surface Go Consumer | Surface Go | Surface_Go_1824_Consumer | +| Surface Go Commercial | Surface Go | Surface_Go_1824_Commercial | +| Surface Pro 6 Consumer | Surface Pro 6 | Surface_Pro_6_1796_Consumer | +| Surface Pro 6 Commercial | Surface Pro 6 | Surface_Pro_6_1796_Commercial | +| Surface Laptop 2 Consumer | Surface Laptop 2 | Surface_Laptop_2_1769_Consumer | +| Surface Laptop 2 Commercial | Surface Laptop 2 | Surface_Laptop_2_1769_Commercial | + +## Using System SKU variables + +### PowerShell + + gwmi -namespace root\wmi -class MS_SystemInformation | select SystemSKU + +### System Information +You can also find the System SKU and System Model for a device in System Information. +- Click **Start** > **MSInfo32**. + +### WMI +You can use System SKU variables in a Task Sequence WMI Condition in the Microsoft Deployment Toolkit (MDT) or System Center Configuration Manager. For example: + + - WMI Namespace – Root\WMI + - WQL Query – SELECT * FROM MS_SystemInformation WHERE SystemSKU = "Surface_Pro_1796" + + + + + + diff --git a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md index 57852f1b49..c0a2890973 100644 --- a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md +++ b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md @@ -103,7 +103,7 @@ Power slider enables four states as described in the following table: | Slider mode| Description | |---|---| -| Battery saver| Helps conserve power and prolong battery life when the system is disconnected from a power source. When battery saver is on, some Windows features are disabled, throttled, or behave differently. Screen brightness is also reduced. Battery saver is only available when using battery power (DC). To learn more, see [Battery Saver](https://docs.microsoft.com/en-us/windows-hardware/design/component-guidelines/battery-saver).| +| Battery saver| Helps conserve power and prolong battery life when the system is disconnected from a power source. When battery saver is on, some Windows features are disabled, throttled, or behave differently. Screen brightness is also reduced. Battery saver is only available when using battery power (DC). To learn more, see [Battery Saver](https://docs.microsoft.com/windows-hardware/design/component-guidelines/battery-saver).| | Recommended | Delivers longer battery life than the default settings in earlier versions of Windows. | | Better Performance | Slightly favors performance over battery life, functioning as the default slider mode. | | Best Performance | Favors performance over power for workloads requiring maximum performance and responsiveness, regardless of battery power consumption.| diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md index 7ce3009574..dfe01468cc 100644 --- a/devices/surface/step-by-step-surface-deployment-accelerator.md +++ b/devices/surface/step-by-step-surface-deployment-accelerator.md @@ -18,12 +18,10 @@ ms.date: 07/27/2017 # Step by step: Surface Deployment Accelerator - This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices. This article also contains instructions on how to perform these tasks without an Internet connection or without support for Windows Deployment Services network boot (PXE). ## How to install Surface Deployment Accelerator - For information about prerequisites and instructions for how to download and install SDA, see [Microsoft Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md). 1. Download SDA, which is included in [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) on the Microsoft Download Center. @@ -47,56 +45,51 @@ The tool installs in the SDA program group, as shown in Figure 2. >[!NOTE] >At this point, the tool has not yet prepared any deployment environment or downloaded any materials from the Internet. - - ## Create a deployment share - The following steps show you how to create a deployment share for Windows 10 that supports Surface 3, Surface Pro 3, Surface Pro 4, Surface Book, the Surface Firmware Tool, the Surface Asset Tag Tool, and Office 365. As you follow the steps below, make the selections that are applicable for your organization. For example, you could choose to deploy Windows 10 to Surface Book only, without any of the Surface apps. >[!NOTE] >SDA lets you create deployment shares for both Windows 8.1 and Windows 10 deployments, but you can only create a single deployment share at a time. Therefore, to create both Windows 8.1 and Windows 10 deployment shares, you will need to run the tool twice. - - 1. Open the SDA wizard by double-clicking the icon in the **Surface Deployment Accelerator** program group on the Start screen. 2. On the **Welcome** page, click **Next** to continue. -3. On the **Verify System** page, the SDA wizard verifies the prerequisites required for an SDA deployment share. This process also checks for the presence of the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10 and the Microsoft Deployment Toolkit (MDT) 2013 Update 2. If these tools are not detected, they are downloaded and installed automatically. Click **Next** to continue. +3. On the **Verify System** page, the SDA wizard verifies the prerequisites required for an SDA deployment share. This process also checks for the presence of the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10 and the Microsoft Deployment Toolkit (MDT) 2013 Update 2. If these tools are not detected, they are downloaded and installed automatically. Click **Next** to continue. - > [!NOTE] - > As of SDA version 1.96.0405, SDA will install only the components of the Windows ADK that are required for deployment, as follows: - > * Deployment tools - > * User State Migration Tool (USMT) - > * Windows Preinstallation Environment (WinPE)

- > - > [!NOTE] - > As of SDA version 1.96.0405, SDA will install and use MDT 2013 Update 2. Earlier versions of SDA are compatible only with MDT 2013 Update 1. + >[!NOTE] + >As of SDA version 1.96.0405, SDA will install only the components of the Windows ADK that are required for deployment, as follows: + > * Deployment tools + > * User State Migration Tool (USMT) + > * Windows Preinstallation Environment (WinPE) -4. On the **Windows 8.1** page, to create a Windows 10 deployment share, do not select the **Would you like to support Windows 8.1** check box. Click **Next** to continue. + > [!NOTE] + > As of SDA version 1.96.0405, SDA will install and use MDT 2013 Update 2. Earlier versions of SDA are compatible only with MDT 2013 Update 1. -5. On the **Windows 10** page, to create a Windows 10 deployment share, select the **Would you like to support Windows 10** check box. Supply the following information before you click **Next** to continue: +4. On the **Windows 8.1** page, to create a Windows 10 deployment share, do not select the **Would you like to support Windows 8.1** check box. Click **Next** to continue. - - **Configure Deployment Share for Windows 10** +5. On the **Windows 10** page, to create a Windows 10 deployment share, select the **Would you like to support Windows 10** check box. Supply the following information before you click **Next** to continue: - - **Local Path** – Specify or browse to a location on the local storage device where you would like to store the deployment share files for the Windows 10 SDA deployment share. For example, **E:\\SDAWin10\\** is the location specified in Figure 3. + - **Configure Deployment Share for Windows 10** + + - **Local Path** – Specify or browse to a location on the local storage device where you would like to store the deployment share files for the Windows 10 SDA deployment share. For example, **E:\\SDAWin10\\** is the location specified in Figure 3. - **Share Name** – Specify a name for the file share that will be used to access the deployment share on this server from the network. For example, **SDAWin10** is the deployment share name shown in Figure 3. The local path folder is automatically shared by the SDA scripts under this name to the group **Everyone** with a permission level of **Full Control**. - - **Windows 10 Deployment Services** + - **Windows 10 Deployment Services** - Select the **Import boot media into the local Windows Deployment Service** check box if you would like to boot your Surface devices from the network to perform the Windows deployment. Windows Deployment Services must be installed and configured to respond to PXE boot requests. See [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx) for more information about how to configure Windows Deployment Services for PXE boot. - - **Windows 10 Source Files** + - **Windows 10 Source Files** - - **Local Path** – Specify or browse to the root directory of Windows 10 installation files. If you have an ISO file, mount it and browse to the root of the mounted drive. You must have a full set of source files, not just **Install.wim**. + - **Local Path** – Specify or browse to the root directory of Windows 10 installation files. If you have an ISO file, mount it and browse to the root of the mounted drive. You must have a full set of source files, not just **Install.wim**. - ![Specify Windows 10 deployment share options](images/sdasteps-fig3.png "Specify Windows 10 deployment share options") + ![Specify Windows 10 deployment share options](images/sdasteps-fig3.png "Specify Windows 10 deployment share options") - *Figure 3. Specify Windows 10 deployment share options* + *Figure 3. Specify Windows 10 deployment share options* -6. On the **Configure** page, select the check box next to each device or app that you want to include in your deployment share. Note that Surface Pro 4 and Surface Book only support Windows 10 and are not available for the deployment of Windows 8.1. The Surface Firmware Tool is only applicable to Surface 3 and Surface Pro 3 and cannot be selected unless Surface 3 or Surface Pro 3 drivers are selected, as shown in Figure 4. Click **Next** to continue. +6. On the **Configure** page, select the check box next to each device or app that you want to include in your deployment share. Note that Surface Pro 4 and Surface Book only support Windows 10 and are not available for the deployment of Windows 8.1. The Surface Firmware Tool is only applicable to Surface 3 and Surface Pro 3 and cannot be selected unless Surface 3 or Surface Pro 3 drivers are selected, as shown in Figure 4. Click **Next** to continue. ![Firmware tool selection](images/sdasteps-fig4-select.png "Firmware tool selection") @@ -105,7 +98,7 @@ The following steps show you how to create a deployment share for Windows 10 tha >[!NOTE] >You cannot select both Surface 3 and Surface 3 LTE models at the same time. -7. On the **Summary** page confirm your selections and click **Finish** to begin the creation of your deployment share. The process can take several minutes as files are downloaded, the tools are installed, and the deployment share is created. While the SDA scripts are creating your deployment share, an **Installation Progress** window will be displayed, as shown in Figure 5. A typical SDA process includes: +7. On the **Summary** page confirm your selections and click **Finish** to begin the creation of your deployment share. The process can take several minutes as files are downloaded, the tools are installed, and the deployment share is created. While the SDA scripts are creating your deployment share, an **Installation Progress** window will be displayed, as shown in Figure 5. A typical SDA process includes: - Download of Windows ADK @@ -127,82 +120,83 @@ The following steps show you how to create a deployment share for Windows 10 tha ![The installatin progress window](images/sdasteps-fig5-installwindow.png "The installatin progress window") - *Figure 5. The Installation Progress window* - >[!NOTE] - >The following error message may be hit while Installing the latest ADK or MDT: "An exception occurred during a WebClient request.". This is due to incompatibility between SDA and BITS. Here is the workaround for this: + *Figure 5. The Installation Progress window* + + ### Optional: Workaround for Webclient exception + + You may see this error message while installing the latest version of ADK or MDT: _An exception occurred during a WebClient request._ This is due to incompatibility between the Surface Deployment Accelerator (SDA) and Background Intelligent Transfer Service (BITS). To work around this issue, do the following. - ``` - In the following two PowerShell scripts: - %ProgramFiles%\Microsoft\Surface\Deployment Accelerator\Data\PowerShell\Install-MDT.ps1 - %ProgramFiles%\Microsoft\Surface\Deployment Accelerator\Data\PowerShell\INSTALL-WindowsADK.ps1 + In the two PowerShell scripts: -Edit the $BITSTransfer variable in the input parameters to $False as shown below: + ```PowerShell + %ProgramFiles%\Microsoft\Surface\Deployment Accelerator\Data\PowerShell\Install-MDT.ps1 + %ProgramFiles%\Microsoft\Surface\Deployment Accelerator\Data\PowerShell\INSTALL-WindowsADK.ps1 + ``` -Param( - [Parameter( - Position=0, - Mandatory=$False, - HelpMessage="Download via BITS bool true/false" + Edit the $BITSTransfer variable in the input parameters to $False as shown below: + + ```PowerShell + Param( + [Parameter( + Position=0, + Mandatory=$False, + HelpMessage="Download via BITS bool true/false" )] [string]$BITSTransfer = $False ) - ``` + ``` -8. When the SDA process completes the creation of your deployment share, a **Success** window is displayed. Click **Finish** to close the window. At this point your deployment share is now ready to perform a Windows deployment to Surface devices. +8. When the SDA process completes the creation of your deployment share, a **Success** window is displayed. Click **Finish** to close the window. At this point your deployment share is now ready to perform a Windows deployment to Surface devices. -### Optional: Create a deployment share without an Internet connection + ### Optional: Create a deployment share without an Internet connection -If you are unable to connect to the Internet with your deployment server, or if you want to download the Surface drivers and apps separately, you can specify a local source for the driver an app files at the time of deployment share creation. On the **Configure** page of the SDA wizard, select the **Copy from a Local Directory** check box, as shown in Figure 6. The **Download from the Internet** check box will be automatically deselected. Enter the folder location where you have placed the driver and app files in the **Local Path** field, as shown in Figure 6. + If you are unable to connect to the Internet with your deployment server, or if you want to download the Surface drivers and apps separately, you can specify a local source for the driver and app files at the time of deployment share creation. On the **Configure** page of the SDA wizard, select the **Copy from a Local Directory** check box, as shown in Figure 6. The **Download from the Internet** check box will be automatically deselected. Enter the folder location where you have placed the driver and app files in the **Local Path** field, as shown in Figure 6. ->[!NOTE] ->All of the downloaded driver and applications files must be located in the same folder. If a required driver or application file is missing from the selected folder when you click **Next**, a warning is displayed and the wizard will not proceed to the next step. + >[!NOTE] + >All of the downloaded driver and applications files must be located in the same folder. If a required driver or application file is missing from the selected folder when you click **Next**, a warning is displayed and the wizard will not proceed to the next step. ->[!NOTE] ->The driver and app files do not need to be extracted from the downloaded .zip files. + >[!NOTE] + >The driver and app files do not need to be extracted from the downloaded .zip files. ->[!NOTE] ->Including Office 365 in your deployment share requires an Internet connection and cannot be performed if you use local files. + >[!NOTE] + >Including Office 365 in your deployment share requires an Internet connection and cannot be performed if you use local files. -![Specify Surface driver and app files](images/sdasteps-fig6-specify-driver-app-files.png "Specify Surface driver and app files") + ![Specify Surface driver and app files](images/sdasteps-fig6-specify-driver-app-files.png "Specify Surface driver and app files") -*Figure 6. Specify the Surface driver and app files from a local path* + *Figure 6. Specify the Surface driver and app files from a local path* ->[!NOTE] ->The **Copy from a Local Directory** check box is only available in SDA version 1.90.0221 or later. + >[!NOTE] + >The **Copy from a Local Directory** check box is only available in SDA version 1.90.0221 or later. + ### Optional: Prepare offline USB media + You can use USB media to perform an SDA deployment if your Surface device is unable to boot from the network. For example, if you do not have a Microsoft Surface Ethernet Adapter or Microsoft Surface dock to facilitate network boot (PXE boot). The USB drive produced by following these steps includes a complete copy of the SDA deployment share and can be run on a Surface device without a network connection. -### Optional: Prepare offline USB media + >[!NOTE] + >The offline media files for the complete SDA deployment share are approximately 9 GB in size. Your USB drive must be at least 9 GB in size. A 16 GB USB drive is recommended. -You can use USB media to perform an SDA deployment if your Surface device is unable to boot from the network. For example, if you do not have a Microsoft Surface Ethernet Adapter or Microsoft Surface dock to facilitate network boot (PXE boot). The USB drive produced by following these steps includes a complete copy of the SDA deployment share and can be run on a Surface device without a network connection. + Before you can create bootable media files within the MDT Deployment Workbench or copy those files to a USB drive, you must first configure that USB drive to be bootable. Using [DiskPart](https://go.microsoft.com/fwlink/p/?LinkId=761073), create a partition, format the partition as FAT32, and set the partition to be active. To run DiskPart, open an administrative PowerShell or Command Prompt window, and then run the following sequence of commands, as shown in Figure 7: ->[!NOTE] ->The offline media files for the complete SDA deployment share are approximately 9 GB in size. Your USB drive must be at least 9 GB in size. A 16 GB USB drive is recommended. + 1. **diskpart** – Opens DiskPart to manage disks and partitions. + 2. **list disk** – Displays a list of the disks available in your system; use this list to identify the disk number that corresponds with your USB drive. + 3. **sel disk 2** – Selects your USB drive; use the number that corresponds with the disk in your system. -Before you can create bootable media files within the MDT Deployment Workbench or copy those files to a USB drive, you must first configure that USB drive to be bootable. Using [DiskPart](https://go.microsoft.com/fwlink/p/?LinkId=761073), create a partition, format the partition as FAT32, and set the partition to be active. To run DiskPart, open an administrative PowerShell or Command Prompt window, and then run the following sequence of commands, as shown in Figure 7: - -1. **diskpart** – Opens DiskPart to manage disks and partitions. - -2. **list disk** – Displays a list of the disks available in your system; use this list to identify the disk number that corresponds with your USB drive. - -3. **sel disk 2** – Selects your USB drive; use the number that corresponds with the disk in your system. - -4. **clean** – Removes all configuration from your USB drive. + 4. **clean** – Removes all configuration from your USB drive. >[!WARNING] >This step will remove all information from your drive. Verify that your USB drive does not contain any needed data before you perform the **clean** command. -5. **create part pri** – Creates a primary partition on the USB drive. + 5. **create part pri** – Creates a primary partition on the USB drive. -6. **format fs=fat32 quick** – Formats the partition with the FAT32 file system, performing a quick format. FAT32 is required to boot the device from UEFI systems like Surface devices. + 6. **format fs=fat32 quick** – Formats the partition with the FAT32 file system, performing a quick format. FAT32 is required to boot the device from UEFI systems like Surface devices. -7. **assign** – Assigns the next available drive letter to the newly created FAT32 volume. + 7. **assign** – Assigns the next available drive letter to the newly created FAT32 volume. -8. **active** – Sets the partition to be active, which is required to boot the volume. + 8. **active** – Sets the partition to be active, which is required to boot the volume. -9. **exit** – Exits DiskPart, after which you can close the PowerShell or Command Prompt window. + 9. **exit** – Exits DiskPart, after which you can close the PowerShell or Command Prompt window. ![Use DiskPart to prepare a USB drive for boot](images/sdasteps-fig7-diskpart.png "Use DiskPart to prepare a USB drive for boot") @@ -211,15 +205,13 @@ Before you can create bootable media files within the MDT Deployment Workbench o >[!NOTE] >You can format your USB drive with FAT32 from Disk Management, but you must still use DiskPart to set the partition as active for the drive to boot properly. + After you have prepared the USB drive for boot, the next step is to generate offline media from the SDA deployment share. To create this media, follow these steps: + 1. Open the **Deployment Workbench** from the **Microsoft Deployment Toolkit** group on your Start screen. -After you have prepared the USB drive for boot, the next step is to generate offline media from the SDA deployment share. To create this media, follow these steps: + 2. Expand the **Deployment Shares** node and the **Microsoft Surface Deployment Accelerator** deployment share. -1. Open the **Deployment Workbench** from the **Microsoft Deployment Toolkit** group on your Start screen. - -2. Expand the **Deployment Shares** node and the **Microsoft Surface Deployment Accelerator** deployment share. - -3. Expand the folder **Advanced Configuration** and select the **Media** folder. + 3. Expand the folder **Advanced Configuration** and select the **Media** folder. 4. Right-click the **Media** folder and click **New Media** as shown in Figure 8 to start the New Media Wizard. @@ -227,78 +219,78 @@ After you have prepared the USB drive for boot, the next step is to generate off *Figure 8. The Media folder of the SDA deployment share* -5. On the **General Settings** page in the **Media path** field, enter or browse to a folder where you will create the files for the new offline media. See the example **E:\\SDAMedia** in Figure 9. Leave the default profile **Everything** selected in the **Selection profile** drop-down menu, and then click **Next**. + 5. On the **General Settings** page in the **Media path** field, enter or browse to a folder where you will create the files for the new offline media. See the example **E:\\SDAMedia** in Figure 9. Leave the default profile **Everything** selected in the **Selection profile** drop-down menu, and then click **Next**. ![Specify a location and selection profile for your offline media](images/sdasteps-fig9-location.png "Specify a location and selection profile for your offline media") *Figure 9. Specify a location and selection profile for your offline media* -6. On the **Summary** page verify your selections, and then click **Next** to begin creation of the media. + 6. On the **Summary** page verify your selections, and then click **Next** to begin creation of the media. -7. A **Progress** page is displayed while the media is created. + 7. A **Progress** page is displayed while the media is created. -8. On the **Confirmation** page, click **Finish** to complete creation of the media. + 8. On the **Confirmation** page, click **Finish** to complete creation of the media. -9. Right-click the **Microsoft Surface Deployment Accelerator** deployment share folder, click **Properties**, and then click the **Rules** tab as shown in Figure 10. + 9. Right-click the **Microsoft Surface Deployment Accelerator** deployment share folder, click **Properties**, and then click the **Rules** tab as shown in Figure 10. ![Rules of the SDA deployment share](images/sdasteps-fig10-rules.png "Rules of the SDA deployment share") *Figure 10. Rules of the SDA deployment share* -10. Use your mouse to highlight all of the text displayed in the text box of the **Rules** tab, and then press **Ctrl+C** to copy the text. + 10. Use your mouse to highlight all of the text displayed in the text box of the **Rules** tab, and then press **Ctrl+C** to copy the text. -11. Click **OK** to close the **Microsoft Surface Deployment Accelerator** deployment share properties. + 11. Click **OK** to close the **Microsoft Surface Deployment Accelerator** deployment share properties. -12. Right-click the newly created **MEDIA001** item in the **Media** folder, click **Properties**, and then click the **Rules** tab. + 12. Right-click the newly created **MEDIA001** item in the **Media** folder, click **Properties**, and then click the **Rules** tab. -13. Use your mouse to highlight all of the text displayed in the text box of the **Rules** tab, and then press **Ctrl+V** to paste the text you copied from the **Microsoft Surface Deployment Accelerator** deployment share rules. + 13. Use your mouse to highlight all of the text displayed in the text box of the **Rules** tab, and then press **Ctrl+V** to paste the text you copied from the **Microsoft Surface Deployment Accelerator** deployment share rules. -14. Right-click the **Microsoft Surface Deployment Accelerator** deployment share folder, click **Properties**, and then click the **Rules** tab again. Click the **Bootstrap.ini** button to open Bootstrap.ini in Notepad. + 14. Right-click the **Microsoft Surface Deployment Accelerator** deployment share folder, click **Properties**, and then click the **Rules** tab again. Click the **Bootstrap.ini** button to open Bootstrap.ini in Notepad. -15. Press **Ctrl+A** to select all of the text in the window, and then press **Ctrl+C** to copy the text. + 15. Press **Ctrl+A** to select all of the text in the window, and then press **Ctrl+C** to copy the text. -16. Close Bootstrap.ini and click **OK** in **Microsoft Surface Deployment Accelerator** deployment share properties to close the window. + 16. Close Bootstrap.ini and click **OK** in **Microsoft Surface Deployment Accelerator** deployment share properties to close the window. -17. Right-click the newly created **MEDIA001** item in the **Media** folder, click **Properties**, and then click the **Rules** tab again. Click the **Bootstrap.ini** button to open Bootstrap.ini in Notepad. + 17. Right-click the newly created **MEDIA001** item in the **Media** folder, click **Properties**, and then click the **Rules** tab again. Click the **Bootstrap.ini** button to open Bootstrap.ini in Notepad. -18. Press **Ctrl+A** to select all of the text in the window, then press **Ctrl+V** to paste the text from the SDA deployment share Bootstrap.ini file. + 18. Press **Ctrl+A** to select all of the text in the window, then press **Ctrl+V** to paste the text from the SDA deployment share Bootstrap.ini file. -19. Delete the following lines from the Bootstrap.ini as shown in Figure 11, and then save the file: - ``` - UserID= - UserDomain= - UserPassword= - DeployRoot=\\SDASERVER\SDAWin10 - UserID= - UserDomain= - UserPassword= - ``` + 19. Delete the following lines from the Bootstrap.ini as shown in Figure 11, and then save the file: + + ```PowerShell + UserID= + UserDomain= + UserPassword= + DeployRoot=\\SDASERVER\SDAWin10 + UserID= + UserDomain= + UserPassword= + ``` ![The Bootstrap.ini file](images/sdasteps-fig11-bootstrap.ini.png "The Bootstrap.ini file") *Figure 11. The Bootstrap.ini file of MEDIA001* -20. Close Bootstrap.ini and click **OK** in **MEDIA001** deployment share properties to close the window. + 20. Close Bootstrap.ini and click **OK** in **MEDIA001** deployment share properties to close the window. -21. In the **Deployment Workbench** under the **Media** folder, right-click the newly created **MEDIA001** and click **Update Media Content**, as shown in Figure 12. This will update the media files with the content of the **Microsoft Surface Deployment Accelerator** deployment share. + 21. In the **Deployment Workbench** under the **Media** folder, right-click the newly created **MEDIA001** and click **Update Media Content**, as shown in Figure 12. This will update the media files with the content of the **Microsoft Surface Deployment Accelerator** deployment share. ![Select the Update Media Content option](images/sdasteps-fig12-updatemedia.png "Select the Update Media Content option") *Figure 12. Select the Update Media Content option* -22. The **Update Media Content** window is displayed and shows the progress as the media files are created. When the process completes, click **Finish.** + 22. The **Update Media Content** window is displayed and shows the progress as the media files are created. When the process completes, click **Finish.** -The final step is to copy the offline media files to your USB drive. + The final step is to copy the offline media files to your USB drive. -1. In File Explorer, open the path you specified in Step 5, for example **E:\\SDAMedia**. + 1. In File Explorer, open the path you specified in Step 5, for example **E:\\SDAMedia**. -2. Copy all of the files from the Content folder to the root of the USB drive. + 2. Copy all of the files from the Content folder to the root of the USB drive. -Your USB drive is now configured as bootable offline media that contains all of the resources required to perform a deployment to a Surface device. + Your USB drive is now configured as bootable offline media that contains all of the resources required to perform a deployment to a Surface device. ## SDA task sequences - The SDA deployment share is configured with all of the resources required to perform a Windows deployment to a Surface device. These resources include Windows source files, image, Surface drivers, and Surface apps. The deployment share also contains two pre-configured task sequences, as shown in Figure 13. These task sequences contain the steps required to perform a deployment to a Surface device using the default Windows image from the installation media or to create a reference image complete with Windows updates and applications. To learn more about task sequences, see [MDT 2013 Update 2 Lite Touch components](https://technet.microsoft.com/itpro/windows/deploy/mdt-2013-lite-touch-components). ![Task sequences in the Deployment Workbench](images/sdasteps-fig13-taskseq.png "Task sequences in the Deployment Workbench") @@ -335,7 +327,6 @@ Like the **1 – Deploy Microsoft Surface** task sequence, the **2 – Create Wi >[!NOTE] >Using a virtual machine when you create a reference image for Windows deployment is a recommended practice for performing Windows deployments with Microsoft deployment tools including the Microsoft Deployment Toolkit and System Center Configuration Manager. These Microsoft deployment technologies use the hardware agnostic images produced from a virtual machine and a collection of managed drivers to deploy to different configurations of hardware. For more information, see [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt). - In addition to the information required by the **1 – Deploy Microsoft Surface** task sequence, you will also be prompted to capture an image when you run this task sequence on your reference virtual machine. The **Location** and **File name** fields are automatically populated with the proper information for your deployment share. All that you need to do is select the **Capture an image of this reference computer** option when you are prompted on the **Capture Image** page of the Windows Deployment Wizard. ## Deployment to Surface devices @@ -414,12 +405,3 @@ To run the Deploy Microsoft Surface task sequence: *Figure 17. The Installation Progress window* 8. When the deployment task sequence completes, a **Success** window is displayed. Click **Finish** to complete the deployment and begin using your Surface device. - - - - - - - - - diff --git a/devices/surface/surface-diagnostic-toolkit-business.md b/devices/surface/surface-diagnostic-toolkit-business.md index ad0823f286..82d39fd1a8 100644 --- a/devices/surface/surface-diagnostic-toolkit-business.md +++ b/devices/surface/surface-diagnostic-toolkit-business.md @@ -1,5 +1,5 @@ --- -title: Surface Diagnostic Toolkit for Business +title: Deploy Surface Diagnostic Toolkit for Business description: This topic explains how to use the Surface Diagnostic Toolkit for Business. ms.prod: w10 ms.mktglfcycl: manage @@ -12,7 +12,7 @@ ms.reviewer: manager: dansimp --- -# Surface Diagnostic Toolkit for Business +# Deploy Surface Diagnostic Toolkit for Business The Microsoft Surface Diagnostic Toolkit for Business (SDT) enables IT administrators to quickly investigate, troubleshoot, and resolve hardware, software, and firmware issues with Surface devices. You can run a range of diagnostic tests and software repairs in addition to obtaining device health insights and guidance for resolving issues. diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md new file mode 100644 index 0000000000..26bac290b4 --- /dev/null +++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md @@ -0,0 +1,42 @@ +--- +title: Fix common Surface problems using the Surface Diagnostic Toolkit for Business +description: This page provides an introduction to the Surface Diagnostic Toolkit for Business for use in commercial environments. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: dansimp +ms.author: dansimp +ms.topic: article +ms.date: 06/11/2019 +ms.reviewer: cottmca +manager: dansimp +--- + +# Fix common Surface problems using the Surface Diagnostic Toolkit for Business + +If your Surface isn’t working properly, the Microsoft Surface Diagnostic Toolkit for Business can help you or your administrator find and solve problems. + +> [!NOTE] +> Surface Diagnostic Toolkit for Business is built for commercial devices. If your device is a personal device and not managed by your work or school run the [Surface Diagnostic Toolkit](https://support.microsoft.com/en-us/help/4037239/surface-fix-common-surface-problems-using-surface-diagnostic-toolkit) instead. + +## Run the Surface Diagnostic Toolkit for Business + +Before you run the diagnostic tool, make sure you have the latest Windows updates. Go to [Install Surface and Windows 10 updates](https://support.microsoft.com/en-us/help/4023505/surface-install-surface-and-windows-updates) for more information. If that doesn't solve the problem, you'll need to run the diagnostic tool. + +> [!NOTE] +> The Surface Diagnostic Toolkit for Business only works on Surface devices running Windows 10. It does not work on Surface Pro, Surface Pro 2, or Surface devices configured in S mode. + +**To run the Surface Diagnostic Toolkit for Business:** + +1. Download the [Surface Diagnostic Toolkit for Business](https://aka.ms/checkmysurface). +2. Select Run and follow the on-screen instructions. + +The diagnosis and repair time averages 15 minutes but could take an hour or longer, depending on internet connection speed and the number of updates or repairs required. For more detailed information on Surface Diagnostic Toolkit for Business, refer to [Deploy Surface Diagnostic Toolkit for Business](https://docs.microsoft.com/surface/surface-diagnostic-toolkit-business). + +# If you still need help + +If the Surface Diagnostic Toolkit for Business didn’t fix the problem, you can also: + +- Make an in-store appointment: We might be able to fix the problem or provide a replacement Surface at your local Microsoft Store. [Locate a Microsoft Store near you](https://www.microsoft.com/en-us/store/locations/find-a-store?WT.mc_id=MSC_Solutions_en_us_scheduleappt). +- Contact customer support: If you want to talk to someone about how to fix your problem, [contact us](https://support.microsoft.com/en-us/help/4037645/contact-surface-warranty-and-software-support-for-business). +- Get your Surface serviced: If your Surface product needs service, [request it online](https://mybusinessservice.surface.com/). diff --git a/education/get-started/change-history-ms-edu-get-started.md b/education/get-started/change-history-ms-edu-get-started.md index c53e6d17a6..5273dbe9ce 100644 --- a/education/get-started/change-history-ms-edu-get-started.md +++ b/education/get-started/change-history-ms-edu-get-started.md @@ -1,44 +1,44 @@ ---- -title: Change history for Microsoft Education Get Started -description: New and changed topics in the Microsoft Education get started guide. -keywords: Microsoft Education get started guide, IT admin, IT pro, school, education, change history -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: edu -author: levinec -ms.author: ellevin -ms.date: 07/07/2017 -ms.reviewer: -manager: dansimp ---- - -# Change history for Microsoft Education Get Started - -This topic lists the changes in the Microsoft Education IT admin get started. - -## July 2017 - -| New or changed topic | Description | -| --- | ---- | -| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | Broke up the get started guide to highlight each phase in the Microsoft Education deployment and management process. | -| [Set up an Office 365 Education tenant](set-up-office365-edu-tenant.md) | New. Shows the video and step-by-step guide on how to set up an Office 365 for Education tenant. | -| [Use School Data Sync to import student data](use-school-data-sync.md) | New. Shows the video and step-by-step guide on School Data Sync and sample CSV files to import student data in a trial environment. | -| [Enable Microsoft Teams for your school](enable-microsoft-teams.md) | New. Shows how IT admins can enable and deploy Microsoft Teams in schools. | -| [Configure Microsoft Store for Education](configure-microsoft-store-for-education.md) | New. Shows the video and step-by-step guide on how to accept the services agreement and ensure your Microsoft Store account is associated with Intune for Education. | -| [Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md) | New. Shows the video and step-by-step guide on how to set up Intune for Education, buy apps from the Microsoft Store for Education, and install the apps for all users in your tenant. | -| [Set up Windows 10 education devices](set-up-windows-10-education-devices.md) | New. Shows options available to you when you need to set up new Windows 10 devices and enroll them to your education tenant. Each option contains a video and step-by-step guide. | -| [Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md) | New. Shows the video and step-by-step guide on how to finish preparing your Windows 10 devices for use in the classroom. | - - -## June 2017 - -| New or changed topic | Description | -| --- | ---- | -| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | Includes the following updates:

- New configuration guidance for IT administrators to deploy Microsoft Teams.
- Updated steps for School Data Sync to show the latest workflow and user experience.
- Updated steps for Option 2: Try out Microsoft Education in a trial environment. You no longer need the SDS promo code to try SDS in a trial environment. | - -## May 2017 - -| New or changed topic | Description | -| --- | ---- | -| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | New. Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. | +--- +title: Change history for Microsoft Education Get Started +description: New and changed topics in the Microsoft Education get started guide. +keywords: Microsoft Education get started guide, IT admin, IT pro, school, education, change history +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: edu +author: levinec +ms.author: ellevin +ms.date: 07/07/2017 +ms.reviewer: +manager: dansimp +--- + +# Change history for Microsoft Education Get Started + +This topic lists the changes in the Microsoft Education IT admin get started. + +## July 2017 + +| New or changed topic | Description | +| --- | ---- | +| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | Broke up the get started guide to highlight each phase in the Microsoft Education deployment and management process. | +| [Set up an Office 365 Education tenant](set-up-office365-edu-tenant.md) | New. Shows the video and step-by-step guide on how to set up an Office 365 for Education tenant. | +| [Use School Data Sync to import student data](use-school-data-sync.md) | New. Shows the video and step-by-step guide on School Data Sync and sample CSV files to import student data in a trial environment. | +| [Enable Microsoft Teams for your school](enable-microsoft-teams.md) | New. Shows how IT admins can enable and deploy Microsoft Teams in schools. | +| [Configure Microsoft Store for Education](configure-microsoft-store-for-education.md) | New. Shows the video and step-by-step guide on how to accept the services agreement and ensure your Microsoft Store account is associated with Intune for Education. | +| [Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md) | New. Shows the video and step-by-step guide on how to set up Intune for Education, buy apps from the Microsoft Store for Education, and install the apps for all users in your tenant. | +| [Set up Windows 10 education devices](set-up-windows-10-education-devices.md) | New. Shows options available to you when you need to set up new Windows 10 devices and enroll them to your education tenant. Each option contains a video and step-by-step guide. | +| [Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md) | New. Shows the video and step-by-step guide on how to finish preparing your Windows 10 devices for use in the classroom. | + + +## June 2017 + +| New or changed topic | Description | +| --- | ---- | +| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | Includes the following updates:

- New configuration guidance for IT administrators to deploy Microsoft Teams.
- Updated steps for School Data Sync to show the latest workflow and user experience.
- Updated steps for Option 2: Try out Microsoft Education in a trial environment. You no longer need the SDS promo code to try SDS in a trial environment. | + +## May 2017 + +| New or changed topic | Description | +| --- | ---- | +| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | New. Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. | diff --git a/education/windows/TOC.md b/education/windows/TOC.md index 1729553e5c..b55cbbfe02 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md @@ -8,10 +8,10 @@ #### [Azure AD Join for school PCs](set-up-school-pcs-azure-ad-join.md) #### [Shared PC mode for school devices](set-up-school-pcs-shared-pc-mode.md) #### [Provisioning package settings](set-up-school-pcs-provisioning-package.md) -### [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) +### [Use the Set up School PCs app](use-set-up-school-pcs-app.md) ### [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md) ### [Provision student PCs with apps](set-up-students-pcs-with-apps.md) -## [Take tests in Windows 10 ](take-tests-in-windows-10.md) +## [Take tests in Windows 10](take-tests-in-windows-10.md) ### [Set up Take a Test on a single PC](take-a-test-single-pc.md) ### [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) ### [Take a Test app technical reference](take-a-test-app-technical.md) diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index 3516574e11..b3dd38357b 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -56,21 +56,21 @@ New or changed topic | Description | New or changed topic | Description | | --- | ---- | -| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Updated the prerequisites to provide more clarification. | +| [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated the prerequisites to provide more clarification. | ## August 2017 | New or changed topic | Description | | --- | ---- | | [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | New. Find out how you can test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us. | -| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Updated the instructions to reflect the new or updated functionality in the latest version of the app. | +| [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated the instructions to reflect the new or updated functionality in the latest version of the app. | ## July 2017 | New or changed topic | Description | | --- | ---- | | [Get Minecraft: Education Edition with Windows 10 device promotion](get-minecraft-for-education.md) | New information about redeeming Minecraft: Education Edition licenses with qualifying purchases of Windows 10 devices. | -| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Added the how-to video, which shows how to use the app to create a provisioning package that you can use to set up school PCs. | +| [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Added the how-to video, which shows how to use the app to create a provisioning package that you can use to set up school PCs. | | [Take a Test app technical reference](take-a-test-app-technical.md) | Added a Group Policy section to inform you of any policies that affect the Take a Test app or functionality within the app. | ## June 2017 @@ -79,14 +79,14 @@ New or changed topic | Description | --- | ---- | | [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) | Includes the following updates:

- New configuration guidance for IT administrators to enable students and school personnel, who use assistive technology apps not available in the Microsoft Store for Education and use devices running Windows 10 S, to be successful in the classroom and in their jobs.
- New configuration information when using Windows 10 S for education. | | [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) | New configuration guidance for IT administrators to enable students and school personnel, who use assistive technology apps not available in the Microsoft Store for Education and use devices running Windows 10 S, to be successful in the classroom and in their jobs. | -| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Updated the recommended apps section to include information about Office 365 for Windows 10 S (Education Preview). | +| [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated the recommended apps section to include information about Office 365 for Windows 10 S (Education Preview). | ## May 2017 | New or changed topic | Description | | --- | ---- | | [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) | New. If you have an education tenant and use devices Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education. | -| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Updated. Now includes network tips and updated step-by-step instructions that show the latest updates to the app such as Wi-Fi setup. | +| [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated. Now includes network tips and updated step-by-step instructions that show the latest updates to the app such as Wi-Fi setup. | ## RELEASE: Windows 10, version 1703 (Creators Update) @@ -97,9 +97,9 @@ New or changed topic | Description | [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) | New. Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school. | | [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) | Updated the screenshots and related instructions to reflect the current UI and experience. | | [Set up Windows devices for education](set-up-windows-10.md) | Updated for Windows 10, version 1703. | -| Set up School PCs app:
[Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md)
[Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Updated. Describes the school-specific settings and policies that Set up School PC configures. Also provides step-by-step instructions for using the latest version of the app to create a provisioning package that you can use to set up student PCs. | +| Set up School PCs app:
[Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md)
[Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated. Describes the school-specific settings and policies that Set up School PC configures. Also provides step-by-step instructions for using the latest version of the app to create a provisioning package that you can use to set up student PCs. | | Set up using Windows Configuration Designer:
[Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
[Provision student PCs with apps](set-up-students-pcs-with-apps.md) | Updated the information for Windows 10, version 1703. | -| [Take tests in Windows 10 ](take-tests-in-windows-10.md)
[Set up Take a Test on a single PC](take-a-test-single-pc.md)
[Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
[Take a Test app technical reference](take-a-test-app-technical.md) | Updated. Includes new information on ways you can set up the test account and assessment URL and methods for creating and distributing the link. Methods available to you vary depending on whether you're setting up Take a Test on a single PC or multiple PCs. | +| [Take tests in Windows 10](take-tests-in-windows-10.md)
[Set up Take a Test on a single PC](take-a-test-single-pc.md)
[Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
[Take a Test app technical reference](take-a-test-app-technical.md) | Updated. Includes new information on ways you can set up the test account and assessment URL and methods for creating and distributing the link. Methods available to you vary depending on whether you're setting up Take a Test on a single PC or multiple PCs. | ## January 2017 diff --git a/education/windows/create-tests-using-microsoft-forms.md b/education/windows/create-tests-using-microsoft-forms.md index 356dbca7b5..3551b9aa41 100644 --- a/education/windows/create-tests-using-microsoft-forms.md +++ b/education/windows/create-tests-using-microsoft-forms.md @@ -1,33 +1,33 @@ ---- -title: Create tests using Microsoft Forms -ms.reviewer: -manager: dansimp -description: Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test. -keywords: school, Take a Test, Microsoft Forms -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: edu -author: levinec -ms.author: ellevin -redirect_url: https://support.microsoft.com/help/4000711/windows-10-create-tests-using-microsoft-forms ---- - -# Create tests using Microsoft Forms -**Applies to:** - -- Windows 10 - - -For schools that have an Office 365 Education subscription, teachers can use [Microsoft Forms](https://support.office.com/article/What-is-Microsoft-Forms-6b391205-523c-45d2-b53a-fc10b22017c8) to create a test and then require that students use the Take a Test app to block access to other computers or online resources while completing the test created through Microsoft Forms. - -To do this, teachers can select a check box to make it a secure test. Microsoft Forms will generate a link that you can use to embed into your OneNote or class website. When students are ready to take a test, they can click on the link to start the test. - -Microsoft Forms will perform checks to ensure students are taking the test in a locked down Take a Test session. If not, students are not permitted access to the assessment. - -[Learn how to block Internet access while students complete your form](https://support.office.com/article/6bd7e31d-5be0-47c9-a0dc-c0a74fc48959) - - -## Related topics - -[Take tests in Windows 10](take-tests-in-windows-10.md) +--- +title: Create tests using Microsoft Forms +ms.reviewer: +manager: dansimp +description: Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test. +keywords: school, Take a Test, Microsoft Forms +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +author: levinec +ms.author: ellevin +redirect_url: https://support.microsoft.com/help/4000711/windows-10-create-tests-using-microsoft-forms +--- + +# Create tests using Microsoft Forms +**Applies to:** + +- Windows 10 + + +For schools that have an Office 365 Education subscription, teachers can use [Microsoft Forms](https://support.office.com/article/What-is-Microsoft-Forms-6b391205-523c-45d2-b53a-fc10b22017c8) to create a test and then require that students use the Take a Test app to block access to other computers or online resources while completing the test created through Microsoft Forms. + +To do this, teachers can select a check box to make it a secure test. Microsoft Forms will generate a link that you can use to embed into your OneNote or class website. When students are ready to take a test, they can click on the link to start the test. + +Microsoft Forms will perform checks to ensure students are taking the test in a locked down Take a Test session. If not, students are not permitted access to the assessment. + +[Learn how to block Internet access while students complete your form](https://support.office.com/article/6bd7e31d-5be0-47c9-a0dc-c0a74fc48959) + + +## Related topics + +[Take tests in Windows 10](take-tests-in-windows-10.md) diff --git a/education/windows/get-minecraft-device-promotion.md b/education/windows/get-minecraft-device-promotion.md index 29c261f768..4864b6d4a0 100644 --- a/education/windows/get-minecraft-device-promotion.md +++ b/education/windows/get-minecraft-device-promotion.md @@ -56,7 +56,7 @@ After that, we’ll add the appropriate number of Minecraft: Education Edition l **To redeem Minecraft: Education Edition licenses** 1. Visit [Minecraft: Education Edition and Windows 10 device promotion](https://educationstore.microsoft.com/store/mee-device-promo?setflight=wsfb_devicepromo) in **Microsoft Store for Education**. - ![Minecraft: Education Edition page in Microsoft Store for Education. ](images/get-mcee-promo.png) + ![Minecraft: Education Edition page in Microsoft Store for Education.](images/get-mcee-promo.png) 2. Sign in to **Microsoft Store for Education** using a school account. If you don’t have one, we’ll help you set one up.
-or- @@ -66,7 +66,7 @@ After that, we’ll add the appropriate number of Minecraft: Education Edition l 3. **On Minecraft Windows 10 device special offer**, click **Submit a device purchase**. - ![Windows 10 device special offer page for Minecraft: Education Edition. Submit a device purchase is highlighted to show customers how to submit info about the devices you purchased. ](images/mcee-benefits.png) + ![Windows 10 device special offer page for Minecraft: Education Edition. Submit a device purchase is highlighted to show customers how to submit info about the devices you purchased.](images/mcee-benefits.png) 4. Provide info for **Proof of Purchase**. Be sure to include a .pdf or .jpg of your invoice, and then click **Next**. diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 5808bdcd4d..ab45a9f0a7 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -1,84 +1,84 @@ ---- -title: Set up School PCs app technical reference overview -description: Describes the purpose of the Set up School PCs app for Windows 10 devices. -keywords: shared cart, shared PC, school, set up school pcs -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: edu -ms.localizationpriority: medium -author: mjcaparas -ms.author: macapara -ms.date: 07/11/2018 -ms.reviewer: -manager: dansimp ---- - -What is Set up School PCs? -================================================= - -**Applies to:** - -- Windows 10 - -The **Set up School PCs** app helps you configure new Windows 10 PCs for school use. The -app, which is available for Windows 10 version 1703 and later, configures and saves -school-optimized settings, apps, and policies into a single provisioning package. You can then save the package to a USB drive and distribute it to your school PCs. - -If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up -School PCs app will create a setup file. This file joins the PC to your Azure Active Directory tenant. The app also helps set up PCs for use with or without Internet connectivity. - - -## Join PC to Azure Active Directory -If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up -School PCs app creates a setup file that joins your PC to your Azure Active -Directory tenant. - -The app also helps set up PCs for use with or without Internet connectivity. - -## List of Set up School PCs features -The following table describes the Set up School PCs app features and lists each type of Intune subscription. An X indicates that the feature is available with the specific subscription. - -| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium | -|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------|------------|------------------| -| **Fast sign-in** | X | X | X | X | -| Students sign in and start using the computer in under a minute, even on initial sign-in. | | | | | -| **Custom Start experience** | X | X | X | X | -| Necessary classroom apps are pinned to Start and unnecessary apps are removed. | | | | | -| **Guest account, no sign-in required** | X | X | X | X | -| Set up computers for use by anyone with or without an account. | | | | | -| **School policies** | X | X | X | X | -| Settings create a relevant, useful learning environment and optimal computer performance. | | | | | -| **Azure AD Join** | | X | X | X | -| Computers join with your existing Azure AD or Office 365 subscription for centralized management. | | | | | -| **Single sign-on to Office 365** | | | X | X | -| Students sign in with their IDs to access all Office 365 web apps or installed Office apps. | | | | | -| **Take a Test app** | | | | X | -| Administer quizzes and assessments through test providers such as Smarter Balanced. | | | | | -| [Settings roaming](https://azure.microsoft.com/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) **via Azure AD** | | | | X | -| Synchronize student and application data across devices for a personalized experience. | | | | | - +--- +title: Set up School PCs app technical reference overview +description: Describes the purpose of the Set up School PCs app for Windows 10 devices. +keywords: shared cart, shared PC, school, set up school pcs +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +ms.localizationpriority: medium +author: mjcaparas +ms.author: macapara +ms.date: 07/11/2018 +ms.reviewer: +manager: dansimp +--- + +What is Set up School PCs? +================================================= + +**Applies to:** + +- Windows 10 + +The **Set up School PCs** app helps you configure new Windows 10 PCs for school use. The +app, which is available for Windows 10 version 1703 and later, configures and saves +school-optimized settings, apps, and policies into a single provisioning package. You can then save the package to a USB drive and distribute it to your school PCs. + +If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up +School PCs app will create a setup file. This file joins the PC to your Azure Active Directory tenant. The app also helps set up PCs for use with or without Internet connectivity. + + +## Join PC to Azure Active Directory +If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up +School PCs app creates a setup file that joins your PC to your Azure Active +Directory tenant. + +The app also helps set up PCs for use with or without Internet connectivity. + +## List of Set up School PCs features +The following table describes the Set up School PCs app features and lists each type of Intune subscription. An X indicates that the feature is available with the specific subscription. + +| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium | +|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------|------------|------------------| +| **Fast sign-in** | X | X | X | X | +| Students sign in and start using the computer in under a minute, even on initial sign-in. | | | | | +| **Custom Start experience** | X | X | X | X | +| Necessary classroom apps are pinned to Start and unnecessary apps are removed. | | | | | +| **Guest account, no sign-in required** | X | X | X | X | +| Set up computers for use by anyone with or without an account. | | | | | +| **School policies** | X | X | X | X | +| Settings create a relevant, useful learning environment and optimal computer performance. | | | | | +| **Azure AD Join** | | X | X | X | +| Computers join with your existing Azure AD or Office 365 subscription for centralized management. | | | | | +| **Single sign-on to Office 365** | | | X | X | +| Students sign in with their IDs to access all Office 365 web apps or installed Office apps. | | | | | +| **Take a Test app** | | | | X | +| Administer quizzes and assessments through test providers such as Smarter Balanced. | | | | | +| [Settings roaming](https://azure.microsoft.com/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) **via Azure AD** | | | | X | +| Synchronize student and application data across devices for a personalized experience. | | | | | + > [!NOTE] -> If your school uses Active Directory, use [Windows Configuration -> Designer](set-up-students-pcs-to-join-domain.md) -> to configure your PCs to join the domain. You can only use the Set up School -> PCs app to set up PCs that are connected to Azure AD. - - - -## Next steps -Learn more about setting up devices with the Set up School PCs app. -* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md) -* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md) -* [What's in my provisioning package](set-up-school-pcs-provisioning-package.md) -* [Set up Windows 10 devices for education](set-up-windows-10.md) - -When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). - - - - - - - - +> If your school uses Active Directory, use [Windows Configuration +> Designer](set-up-students-pcs-to-join-domain.md) +> to configure your PCs to join the domain. You can only use the Set up School +> PCs app to set up PCs that are connected to Azure AD. + + + +## Next steps +Learn more about setting up devices with the Set up School PCs app. +* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md) +* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md) +* [What's in my provisioning package](set-up-school-pcs-provisioning-package.md) +* [Set up Windows 10 devices for education](set-up-windows-10.md) + +When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). + + + + + + + + diff --git a/mdop/TOC.md b/mdop/TOC.md index edac2c521e..91a625282c 100644 --- a/mdop/TOC.md +++ b/mdop/TOC.md @@ -1,21 +1,21 @@ # [Microsoft Desktop Optimization Pack](index.md) ## [Advanced Group Policy Management](agpm/index.md) -## [Application Virtualization]() +## Application Virtualization ### [Application Virtualization 5](appv-v5/index.md) ### [Application Virtualization 4](appv-v4/index.md) ### [SoftGrid Application Virtualization](softgrid-application-virtualization.md) -## [Diagnostics and Recovery Toolset]() +## Diagnostics and Recovery Toolset ### [Diagnostics and Recovery Toolset 10](dart-v10/index.md) ### [Diagnostics and Recovery Toolset 8](dart-v8/index.md) ### [Diagnostics and Recovery Toolset 7](dart-v7/index.md) ### [Diagnostics and Recovery Toolset 6.5](dart-v65.md) -## [Microsoft Bitlocker Administration and Monitoring]() +## Microsoft Bitlocker Administration and Monitoring ### [Microsoft Bitlocker Administration and Monitoring 2.5](mbam-v25/index.md) ### [Microsoft Bitlocker Administration and Monitoring 2](mbam-v2/index.md) ### [Microsoft Bitlocker Administration and Monitoring 1](mbam-v1/index.md) -## [Microsoft Enterprise Desktop Virtualization]() +## Microsoft Enterprise Desktop Virtualization ### [Microsoft Enterprise Desktop Virtualization 2](medv-v2/index.md) -## [User Experience Virtualization]() +## User Experience Virtualization ### [User Experience Virtualization 2](uev-v2/index.md) ### [User Experience Virtualization 1](uev-v1/index.md) ## [MDOP Solutions and Scenarios](solutions/index.md) \ No newline at end of file diff --git a/mdop/appv-v4/applications-results-pane-in-server-management-console.md b/mdop/appv-v4/applications-results-pane-in-server-management-console.md index 5bf7b2615d..bd376a200e 100644 --- a/mdop/appv-v4/applications-results-pane-in-server-management-console.md +++ b/mdop/appv-v4/applications-results-pane-in-server-management-console.md @@ -36,8 +36,6 @@ Organizes the icons in the **Results** pane. **Help** Displays the help system for the Application Virtualization Management Console. -[]() - Right-click any application in the **Results** pane to display a pop-up menu that contains the following elements. **Move** diff --git a/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md b/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md index 91f7d0618e..f7ffd9de24 100644 --- a/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md +++ b/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md @@ -90,7 +90,7 @@ App-V does not change your Microsoft Error Reporting settings. If you previously **Important Information:** -Enterprise customers can use Group Policy to configure how Microsoft Error Reporting behaves on their computers. Configuration options include the ability to turn off Microsoft Error Reporting. If you are an administrator and wish to configure Group Policy for Microsoft Error Reporting, technical details are available at . +Enterprise customers can use Group Policy to configure how Microsoft Error Reporting behaves on their computers. Configuration options include the ability to turn off Microsoft Error Reporting. If you are an administrator and wish to configure Group Policy for Microsoft Error Reporting, technical details are available at . ### Microsoft Update diff --git a/mdop/appv-v5/app-v-50-security-considerations.md b/mdop/appv-v5/app-v-50-security-considerations.md index 3359e49b81..f7291b163e 100644 --- a/mdop/appv-v5/app-v-50-security-considerations.md +++ b/mdop/appv-v5/app-v-50-security-considerations.md @@ -126,35 +126,3 @@ The following will help you plan how to ensure that virtualized packages are sec During App-V 5.0 Setup, setup log files are created in the **%temp%** folder of the installing user. - -[]() - -[]() - -[]() - -[]() - -[]() - -[]() - -[]() - -**** - -[]() - - - - - - - - - - - - - - diff --git a/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell.md b/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell.md index e0ab454188..8380e16dff 100644 --- a/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell.md +++ b/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell.md @@ -41,332 +41,119 @@ Before attempting this procedure, you should read and understand the information 2. To open a PowerShell console click **Start** and type **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. - ``` syntax + ```powershell <# - ``` - - ``` syntax .SYNOPSIS - ``` - - ``` syntax This PowerShell script will take an array of account names and try to convert each of them to the corresponding SID in standard and hexadecimal formats. - ``` - ``` syntax .DESCRIPTION - ``` - - ``` syntax This is a PowerShell script that converts any number of Active Directory (AD) user or machine accounts into formatted Security Identifiers (SIDs) both in the standard format and in the hexadecimal format used by SQL server when running SQL scripts. - ``` - ``` syntax .INPUTS - ``` - - ``` syntax The account(s) to convert to SID format. This can be a single account name or an array of account names. Please see examples below. - ``` - ``` syntax .OUTPUTS - ``` - - ``` syntax A list of account names with the corresponding SID in standard and hexadecimal formats - ``` - ``` syntax .EXAMPLE - ``` - - ``` syntax .\ConvertToSID.ps1 DOMAIN\user_account1 DOMAIN\machine_account1$ DOMAIN\user_account2 | Format-List - ``` - ``` syntax .EXAMPLE - ``` - - ``` syntax $accountsArray = @("DOMAIN\user_account1", "DOMAIN\machine_account1$", "DOMAIN_user_account2") - ``` - ``` syntax .\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\SIDs.txt -Width 200 - ``` - - ``` syntax #> - ``` - ``` syntax - ``` - - []() - - []() - - ``` syntax function ConvertSIDToHexFormat - ``` - { + param([System.Security.Principal.SecurityIdentifier]$sidToConvert) - param(\[System.Security.Principal.SecurityIdentifier\]$sidToConvert) - - ``` syntax - ``` - - ``` syntax $sb = New-Object System.Text.StringBuilder - ``` - ``` syntax - [int] $binLength = $sidToConvert.BinaryLength - ``` + [int] $binLength = $sidToConvert.BinaryLength - ``` syntax - [Byte[]] $byteArray = New-Object Byte[] $binLength - ``` + [Byte[]] $byteArray = New-Object Byte[] $binLength - ``` syntax $sidToConvert.GetBinaryForm($byteArray, 0) - ``` - ``` syntax foreach($byte in $byteArray) - ``` - - ``` syntax { - ``` - - ``` syntax - $sb.Append($byte.ToString("X2")) |Out-Null - ``` - - ``` syntax + $sb.Append($byte.ToString("X2")) |Out-Null } - ``` - - ``` syntax return $sb.ToString() - ``` - - ``` syntax } - ``` - ``` syntax - [string[]]$myArgs = $args - ``` + [string[]]$myArgs = $args + + - ``` syntax if(($myArgs.Length -lt 1) -or ($myArgs[0].CompareTo("/?") -eq 0)) - ``` - { - - ``` syntax - [string]::Format("{0}====== Description ======{0}{0}" + - ``` - - ``` syntax - " Converts any number of user or machine account names to string and hexadecimal SIDs.{0}" + - ``` - - ``` syntax + [string]::Format("{0}====== Description ======{0}{0}" + + " Converts any number of user or machine account names to string and hexadecimal SIDs.{0}" + " Pass the account(s) as space separated command line parameters. (For example 'ConvertToSID.exe DOMAIN\\Account1 DOMAIN\\Account2 ...'){0}" + - ``` - - ``` syntax " The output is written to the console in the format 'Account name SID as string SID as hexadecimal'{0}" + - ``` - - ``` syntax " And can be written out to a file using standard PowerShell redirection{0}" + - ``` - - ``` syntax - " Please specify user accounts in the format 'DOMAIN\username'{0}" + - ``` - - ``` syntax + " Please specify user accounts in the format 'DOMAIN\username'{0}" + " Please specify machine accounts in the format 'DOMAIN\machinename$'{0}" + - ``` - - ``` syntax - " For more help content, please run 'Get-Help ConvertToSID.ps1'{0}" + - ``` - - ``` syntax + " For more help content, please run 'Get-Help ConvertToSID.ps1'{0}" + "{0}====== Arguments ======{0}" + - ``` - ``` syntax - "{0} /? Show this help message", [Environment]::NewLine) - ``` - ``` syntax - { - ``` - ``` syntax + "{0} /? Show this help message", [Environment]::NewLine) + } else - ``` - - ``` syntax - { + { #If an array was passed in, try to split it - ``` - - ``` syntax if($myArgs.Length -eq 1) - ``` - - ``` syntax { - ``` - - ``` syntax $myArgs = $myArgs.Split(' ') - ``` - - ``` syntax } - ``` - - ``` syntax #Parse the arguments for account names - ``` - - ``` syntax foreach($accountName in $myArgs) - ``` - - ``` syntax - { - ``` - - ``` syntax + { [string[]] $splitString = $accountName.Split('\') # We're looking for the format "DOMAIN\Account" so anything that does not match, we reject - ``` - ``` syntax if($splitString.Length -ne 2) - ``` - - ``` syntax { - ``` - - ``` syntax $message = [string]::Format("{0} is not a valid account name. Expected format 'Domain\username' for user accounts or 'DOMAIN\machinename$' for machine accounts.", $accountName) - ``` - ``` syntax Write-Error -Message $message - ``` - - ``` syntax continue - ``` - - ``` syntax } - ``` - ``` syntax - - ``` - - ``` syntax #Convert any account names to SIDs - ``` - - ``` syntax try - ``` - - ``` syntax { - ``` - - ``` syntax [System.Security.Principal.NTAccount] $account = New-Object System.Security.Principal.NTAccount($splitString[0], $splitString[1]) - ``` - ``` syntax [System.Security.Principal.SecurityIdentifier] $SID = [System.Security.Principal.SecurityIdentifier]($account.Translate([System.Security.Principal.SecurityIdentifier])) - ``` - - ``` syntax } - ``` - - ``` syntax catch [System.Security.Principal.IdentityNotMappedException] - ``` - - ``` syntax { - ``` - - ``` syntax $message = [string]::Format("Failed to translate account object '{0}' to a SID. Please verify that this is a valid user or machine account.", $account.ToString()) - ``` - ``` syntax Write-Error -Message $message - ``` - ``` syntax continue - ``` - - ``` syntax } - ``` - - ``` syntax #Convert regular SID to binary format used by SQL - ``` - ``` syntax $hexSIDString = ConvertSIDToHexFormat $SID - ``` - ``` syntax - $SIDs = New-Object PSObject - ``` - ``` syntax $SIDs | Add-Member NoteProperty Account $accountName - ``` - ``` syntax $SIDs | Add-Member NoteProperty SID $SID.ToString() - ``` - ``` syntax $SIDs | Add-Member NoteProperty Hexadecimal $hexSIDString - ``` - - ``` syntax Write-Output $SIDs - ``` - - ``` syntax } - ``` - - ``` syntax } ``` @@ -384,12 +171,3 @@ Before attempting this procedure, you should read and understand the information [Administering App-V by Using PowerShell](administering-app-v-by-using-powershell.md) - - - - - - - - - diff --git a/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md b/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md index d40e38cbd7..5cabf37196 100644 --- a/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md +++ b/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md @@ -3,7 +3,7 @@ title: How to Install the App-V Databases and Convert the Associated Security Id description: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell author: dansimp ms.assetid: 2be6fb72-f3a6-4550-bba1-6defa78ca08a -ms.reviewer: +ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: mdop, appcompat, virtualization @@ -41,335 +41,96 @@ Before attempting this procedure, you should read and understand the information 2. To open a PowerShell console click **Start** and type **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. - ``` syntax + ```powershell <# - ``` - - ``` syntax .SYNOPSIS - ``` - - ``` syntax This PowerShell script will take an array of account names and try to convert each of them to the corresponding SID in standard and hexadecimal formats. - ``` - - ``` syntax .DESCRIPTION - ``` - - ``` syntax This is a PowerShell script that converts any number of Active Directory (AD) user or machine accounts into formatted Security Identifiers (SIDs) both in the standard format and in the hexadecimal format used by SQL server when running SQL scripts. - ``` - - ``` syntax .INPUTS - ``` - - ``` syntax The account(s) to convert to SID format. This can be a single account name or an array of account names. Please see examples below. - ``` - - ``` syntax .OUTPUTS - ``` - - ``` syntax A list of account names with the corresponding SID in standard and hexadecimal formats - ``` - - ``` syntax .EXAMPLE - ``` - - ``` syntax .\ConvertToSID.ps1 DOMAIN\user_account1 DOMAIN\machine_account1$ DOMAIN\user_account2 | Format-List - ``` - - ``` syntax .EXAMPLE - ``` - - ``` syntax $accountsArray = @("DOMAIN\user_account1", "DOMAIN\machine_account1$", "DOMAIN_user_account2") - ``` - - ``` syntax .\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\SIDs.txt -Width 200 - ``` - - ``` syntax #> - ``` - ``` syntax - ``` - - []() - - []() - - ``` syntax function ConvertSIDToHexFormat - ``` - { param(\[System.Security.Principal.SecurityIdentifier\]$sidToConvert) - ``` syntax - ``` - - ``` syntax $sb = New-Object System.Text.StringBuilder - ``` - - ``` syntax - [int] $binLength = $sidToConvert.BinaryLength - ``` - - ``` syntax - [Byte[]] $byteArray = New-Object Byte[] $binLength - ``` - - ``` syntax + [int] $binLength = $sidToConvert.BinaryLength + [Byte[]] $byteArray = New-Object Byte[] $binLength $sidToConvert.GetBinaryForm($byteArray, 0) - ``` - - ``` syntax foreach($byte in $byteArray) - ``` - - ``` syntax { - ``` - - ``` syntax - $sb.Append($byte.ToString("X2")) |Out-Null - ``` - - ``` syntax + $sb.Append($byte.ToString("X2")) |Out-Null } - ``` - - ``` syntax return $sb.ToString() - ``` - - ``` syntax } - ``` - - ``` syntax [string[]]$myArgs = $args - ``` - - ``` syntax if(($myArgs.Length -lt 1) -or ($myArgs[0].CompareTo("/?") -eq 0)) - ``` - { - ``` syntax [string]::Format("{0}====== Description ======{0}{0}" + - ``` - - ``` syntax - " Converts any number of user or machine account names to string and hexadecimal SIDs.{0}" + - ``` - - ``` syntax + " Converts any number of user or machine account names to string and hexadecimal SIDs.{0}" + " Pass the account(s) as space separated command line parameters. (For example 'ConvertToSID.exe DOMAIN\\Account1 DOMAIN\\Account2 ...'){0}" + - ``` - - ``` syntax " The output is written to the console in the format 'Account name SID as string SID as hexadecimal'{0}" + - ``` - - ``` syntax " And can be written out to a file using standard PowerShell redirection{0}" + - ``` - - ``` syntax - " Please specify user accounts in the format 'DOMAIN\username'{0}" + - ``` - - ``` syntax + " Please specify user accounts in the format 'DOMAIN\username'{0}" + " Please specify machine accounts in the format 'DOMAIN\machinename$'{0}" + - ``` - - ``` syntax - " For more help content, please run 'Get-Help ConvertToSID.ps1'{0}" + - ``` - - ``` syntax + " For more help content, please run 'Get-Help ConvertToSID.ps1'{0}" + "{0}====== Arguments ======{0}" + - ``` - - ``` syntax - "{0} /? Show this help message", [Environment]::NewLine) - ``` - - ``` syntax - { - ``` - - ``` syntax + "{0} /? Show this help message", [Environment]::NewLine) + } else - ``` - - ``` syntax - { + { #If an array was passed in, try to split it - ``` - - ``` syntax if($myArgs.Length -eq 1) - ``` - - ``` syntax { - ``` - - ``` syntax $myArgs = $myArgs.Split(' ') - ``` - - ``` syntax } - ``` - - ``` syntax #Parse the arguments for account names - ``` - - ``` syntax foreach($accountName in $myArgs) - ``` - - ``` syntax - { - ``` - - ``` syntax + { [string[]] $splitString = $accountName.Split('\') # We're looking for the format "DOMAIN\Account" so anything that does not match, we reject - ``` - - ``` syntax if($splitString.Length -ne 2) - ``` - - ``` syntax { - ``` - - ``` syntax $message = [string]::Format("{0} is not a valid account name. Expected format 'Domain\username' for user accounts or 'DOMAIN\machinename$' for machine accounts.", $accountName) - ``` - - ``` syntax Write-Error -Message $message - ``` - - ``` syntax continue - ``` - - ``` syntax } - ``` - ``` syntax - - ``` - - ``` syntax #Convert any account names to SIDs - ``` - - ``` syntax try - ``` - - ``` syntax { - ``` - - ``` syntax [System.Security.Principal.NTAccount] $account = New-Object System.Security.Principal.NTAccount($splitString[0], $splitString[1]) - ``` - - ``` syntax [System.Security.Principal.SecurityIdentifier] $SID = [System.Security.Principal.SecurityIdentifier]($account.Translate([System.Security.Principal.SecurityIdentifier])) - ``` - - ``` syntax } - ``` - - ``` syntax catch [System.Security.Principal.IdentityNotMappedException] - ``` - - ``` syntax { - ``` - - ``` syntax $message = [string]::Format("Failed to translate account object '{0}' to a SID. Please verify that this is a valid user or machine account.", $account.ToString()) - ``` - - ``` syntax Write-Error -Message $message - ``` - - ``` syntax continue - ``` - - ``` syntax } - ``` - - ``` syntax #Convert regular SID to binary format used by SQL - ``` - - ``` syntax $hexSIDString = ConvertSIDToHexFormat $SID - ``` - ``` syntax - $SIDs = New-Object PSObject - ``` - - ``` syntax $SIDs | Add-Member NoteProperty Account $accountName - ``` - - ``` syntax $SIDs | Add-Member NoteProperty SID $SID.ToString() - ``` - - ``` syntax $SIDs | Add-Member NoteProperty Hexadecimal $hexSIDString - ``` - - ``` syntax Write-Output $SIDs - ``` - - ``` syntax } - ``` - - ``` syntax } - ``` - 3. Run the script you saved in step one of this procedure passing the accounts to convert as arguments. For example, @@ -384,12 +145,3 @@ Before attempting this procedure, you should read and understand the information [Administering App-V 5.1 by Using PowerShell](administering-app-v-51-by-using-powershell.md) - - - - - - - - - diff --git a/mdop/dart-v7/TOC.md b/mdop/dart-v7/TOC.md index e96ad44e5f..5688dce81f 100644 --- a/mdop/dart-v7/TOC.md +++ b/mdop/dart-v7/TOC.md @@ -26,7 +26,7 @@ ### [Recovering Computers Using DaRT 7.0](recovering-computers-using-dart-70-dart-7.md) #### [How to Recover Local Computers Using the DaRT Recovery Image](how-to-recover-local-computers-using-the-dart-recovery-image-dart-7.md) #### [How to Recover Remote Computers Using the DaRT Recovery Image](how-to-recover-remote-computers-using-the-dart-recovery-image-dart-7.md) -### [Diagnosing System Failures with Crash Analyzer ](diagnosing-system-failures-with-crash-analyzer--dart-7.md) +### [Diagnosing System Failures with Crash Analyzer](diagnosing-system-failures-with-crash-analyzer--dart-7.md) #### [How to Run the Crash Analyzer on an End-user Computer](how-to-run-the-crash-analyzer-on-an-end-user-computer-dart-7.md) #### [How to Run the Crash Analyzer in Stand-alone Mode on a Computer Other than an End-user Computer](how-to-run-the-crash-analyzer-in-stand-alone-mode-on-a-computer-other-than-an-end-user-computer-dart-7.md) #### [How to Ensure that Crash Analyzer Can Access Symbol Files](how-to-ensure-that-crash-analyzer-can-access-symbol-files-dart-7.md) diff --git a/mdop/dart-v8/TOC.md b/mdop/dart-v8/TOC.md index b27e1ffa91..e6b9c3194c 100644 --- a/mdop/dart-v8/TOC.md +++ b/mdop/dart-v8/TOC.md @@ -1,7 +1,7 @@ # [Diagnostics and Recovery Toolset 8](index.md) ## [Getting Started with DaRT 8.0](getting-started-with-dart-80-dart-8.md) ### [About DaRT 8.0](about-dart-80-dart-8.md) -#### [Release Notes for DaRT 8.0 ](release-notes-for-dart-80--dart-8.md) +#### [Release Notes for DaRT 8.0](release-notes-for-dart-80--dart-8.md) ### [About DaRT 8.0 SP1](about-dart-80-sp1.md) #### [Release Notes for DaRT 8.0 SP1](release-notes-for-dart-80-sp1.md) ### [About DaRT 8.1](about-dart-81.md) @@ -27,12 +27,12 @@ ### [Recovering Computers Using DaRT 8.0](recovering-computers-using-dart-80-dart-8.md) #### [How to Recover Local Computers by Using the DaRT Recovery Image](how-to-recover-local-computers-by-using-the-dart-recovery-image-dart-8.md) #### [How to Recover Remote Computers by Using the DaRT Recovery Image](how-to-recover-remote-computers-by-using-the-dart-recovery-image-dart-8.md) -### [Diagnosing System Failures with Crash Analyzer ](diagnosing-system-failures-with-crash-analyzer--dart-8.md) +### [Diagnosing System Failures with Crash Analyzer](diagnosing-system-failures-with-crash-analyzer--dart-8.md) #### [How to Run the Crash Analyzer on an End-user Computer](how-to-run-the-crash-analyzer-on-an-end-user-computer-dart-8.md) #### [How to Run the Crash Analyzer in Stand-alone Mode on a Computer Other than an End-user Computer](how-to-run-the-crash-analyzer-in-stand-alone-mode-on-a-computer-other-than-an-end-user-computer-dart-8.md) #### [How to Ensure that Crash Analyzer Can Access Symbol Files](how-to-ensure-that-crash-analyzer-can-access-symbol-files.md) ### [Security and Privacy for DaRT 8.0](security-and-privacy-for-dart-80-dart-8.md) -#### [Security Considerations for DaRT 8.0 ](security-considerations-for-dart-80--dart-8.md) +#### [Security Considerations for DaRT 8.0](security-considerations-for-dart-80--dart-8.md) #### [DaRT 8.0 Privacy Statement](dart-80-privacy-statement-dart-8.md) ### [Administering DaRT 8.0 Using PowerShell](administering-dart-80-using-powershell-dart-8.md) #### [How to Perform DaRT Tasks by Using PowerShell Commands](how-to-perform-dart-tasks-by-using-powershell-commands-dart-8.md) diff --git a/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md b/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md index 3c22c4bb2d..185ace5f1b 100644 --- a/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md +++ b/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md @@ -26,8 +26,7 @@ MDOP Group Policy templates are available for download in a self-extracting, com **How to download and deploy the MDOP Group Policy templates** -1. Download the MDOP Group Policy templates from [Microsoft Desktop Optimization Pack Group Policy Administrative Templates - ](https://www.microsoft.com/en-us/download/details.aspx?id=55531). +1. Download the MDOP Group Policy templates from [Microsoft Desktop Optimization Pack Group Policy Administrative Templates](https://www.microsoft.com/en-us/download/details.aspx?id=55531). 2. Run the downloaded file to extract the template folders. diff --git a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md index 9ad697322f..1eacd30123 100644 --- a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md +++ b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md @@ -50,7 +50,7 @@ This topic explains how to enable BitLocker on an end user's computer by using M - Escrow TPM OwnerAuth For Windows 7, MBAM must own the TPM for escrow to occur. For Windows 8.1, Windows 10 RTM and Windows 10 version 1511, escrow of TPM OwnerAuth is supported. - For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/en-us/windows/security/hardware-protection/tpm/change-the-tpm-owner-password) for further details. + For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/windows/security/hardware-protection/tpm/change-the-tpm-owner-password) for further details. - Escrow recovery keys and recovery key packages @@ -69,7 +69,7 @@ This topic explains how to enable BitLocker on an end user's computer by using M **MBAM\_Machine WMI Class** **PrepareTpmAndEscrowOwnerAuth:** Reads the TPM OwnerAuth and sends it to the MBAM recovery database by using the MBAM recovery service. If the TPM is not owned and auto-provisioning is not on, it generates a TPM OwnerAuth and takes ownership. If it fails, an error code is returned for troubleshooting. - **Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/en-us/windows/security/hardware-protection/tpm/change-the-tpm-owner-password) for further details. + **Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/windows/security/hardware-protection/tpm/change-the-tpm-owner-password) for further details. | Parameter | Description | | -------- | ----------- | @@ -182,7 +182,7 @@ Here are a list of common error messages: 3. Name the step **Persist TPM OwnerAuth** 4. Set the command line to `cscript.exe "%SCRIPTROOT%/SaveWinPETpmOwnerAuth.wsf"` - **Note:** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/en-us/windows/security/hardware-protection/tpm/change-the-tpm-owner-password) for further details. + **Note:** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/windows/security/hardware-protection/tpm/change-the-tpm-owner-password) for further details. 3. In the **State Restore** folder, delete the **Enable BitLocker** task. diff --git a/mdop/medv-v1/TOC.md b/mdop/medv-v1/TOC.md index a07eff22f1..c6dd794c5c 100644 --- a/mdop/medv-v1/TOC.md +++ b/mdop/medv-v1/TOC.md @@ -73,9 +73,9 @@ ## [Troubleshooting MED-V](troubleshooting-med-v.md) ## [Technical Reference](technical-referencemedv-10-sp1.md) ### [MED-V Reporting](med-v-reporting.md) -#### [How to Generate Reports ](how-to-generate-reports-medvv2.md) +#### [How to Generate Reports](how-to-generate-reports-medvv2.md) #### [How to Work with Reports](how-to-work-with-reports.md) -### [MED-V Trim Transfer Technology ](med-v-trim-transfer-technology-medvv2.md) +### [MED-V Trim Transfer Technology](med-v-trim-transfer-technology-medvv2.md) ### [How to Back Up and Restore a MED-V Server](how-to-back-up-and-restore-a-med-v-server.md) ### [How to Share Folders Between the Host and the MED-V Workspace](how-to-share-folders-between-the-host-and-the-med-v-workspace.md) ### [How to Set MED-V Workspace Deletion Options](how-to-set-med-v-workspace-deletion-options.md) diff --git a/store-for-business/TOC.md b/store-for-business/TOC.md index e42cdb492c..abca437dda 100644 --- a/store-for-business/TOC.md +++ b/store-for-business/TOC.md @@ -31,7 +31,7 @@ ### [Understand billing profiles](billing-profile.md) ## [Manage settings in the Microsoft Store for Business and Education](manage-settings-microsoft-store-for-business.md) ### [Update account settings](update-microsoft-store-for-business-account-settings.md) -### [Manage user accounts ](manage-users-and-groups-microsoft-store-for-business.md) +### [Manage user accounts](manage-users-and-groups-microsoft-store-for-business.md) ## [Device Guard signing portal](device-guard-signing-portal.md) ### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md) ### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md) diff --git a/store-for-business/billing-understand-your-invoice-msfb.md b/store-for-business/billing-understand-your-invoice-msfb.md index 7c7b84e370..ecc4e1f38e 100644 --- a/store-for-business/billing-understand-your-invoice-msfb.md +++ b/store-for-business/billing-understand-your-invoice-msfb.md @@ -111,7 +111,7 @@ If you have third-party services in your bill, the name and address of each publ If prices were converted to your local currency, the exchange rates are listed in this section at the bottom of the invoice. All Azure charges are priced in USD and third-party services are priced in the seller's currency. ## Next steps -If there are Azure charges on your invoice that you would like more details on, see [Understand the Azure charges on your Microsoft Customer Agreement invoice](https://docs.microsoft.com/en-us/azure/billing/billing-understand-your-invoice-mca). +If there are Azure charges on your invoice that you would like more details on, see [Understand the Azure charges on your Microsoft Customer Agreement invoice](https://docs.microsoft.com/azure/billing/billing-understand-your-invoice-mca). ## Need help? Contact us. diff --git a/store-for-business/sign-up-microsoft-store-for-business.md b/store-for-business/sign-up-microsoft-store-for-business.md index ac226cffdb..42f4df57b1 100644 --- a/store-for-business/sign-up-microsoft-store-for-business.md +++ b/store-for-business/sign-up-microsoft-store-for-business.md @@ -74,7 +74,7 @@ Before signing up for Microsoft Store, make sure you're the global administrator Be sure to save the portal sign-in page and your user ID info. Click **You're ready to go**. - ![Image showing sign-in page and user ID for Microsoft Store for Business. ](images/wsfb-onboard-5.png) + ![Image showing sign-in page and user ID for Microsoft Store for Business.](images/wsfb-onboard-5.png) - At this point, you'll have an Azure AD directory created with one user account. That user account is the global administrator. You can use that account to sign in to Store for Business. diff --git a/windows/application-management/TOC.md b/windows/application-management/TOC.md index 110f01c7b0..0bd3d8166a 100644 --- a/windows/application-management/TOC.md +++ b/windows/application-management/TOC.md @@ -37,7 +37,7 @@ ##### [How to Deploy the App-V Databases by Using SQL Scripts](app-v/appv-deploy-appv-databases-with-sql-scripts.md) ##### [How to Install the Publishing Server on a Remote Computer](app-v/appv-install-the-publishing-server-on-a-remote-computer.md) ##### [How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services](app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md) -##### [How to install the Management Server on a Standalone Computer and Connect it to the Database ](app-v/appv-install-the-management-server-on-a-standalone-computer.md) +##### [How to install the Management Server on a Standalone Computer and Connect it to the Database](app-v/appv-install-the-management-server-on-a-standalone-computer.md) ##### [About App-V Reporting](app-v/appv-reporting.md) ##### [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](app-v/appv-install-the-reporting-server-on-a-standalone-computer.md) #### [App-V Deployment Checklist](app-v/appv-deployment-checklist.md) @@ -56,17 +56,17 @@ ##### [How to Create a Virtual Application Package Using an App-V Package Accelerator](app-v/appv-create-a-virtual-application-package-package-accelerator.md) #### [Administering App-V Virtual Applications by Using the Management Console](app-v/appv-administering-virtual-applications-with-the-management-console.md) ##### [About App-V Dynamic Configuration](app-v/appv-dynamic-configuration.md) -##### [How to Connect to the Management Console ](app-v/appv-connect-to-the-management-console.md) +##### [How to Connect to the Management Console](app-v/appv-connect-to-the-management-console.md) ##### [How to Add or Upgrade Packages by Using the Management Console](app-v/appv-add-or-upgrade-packages-with-the-management-console.md) -##### [How to Configure Access to Packages by Using the Management Console ](app-v/appv-configure-access-to-packages-with-the-management-console.md) -##### [How to Publish a Package by Using the Management Console ](app-v/appv-publish-a-packages-with-the-management-console.md) -##### [How to Delete a Package in the Management Console ](app-v/appv-delete-a-package-with-the-management-console.md) +##### [How to Configure Access to Packages by Using the Management Console](app-v/appv-configure-access-to-packages-with-the-management-console.md) +##### [How to Publish a Package by Using the Management Console](app-v/appv-publish-a-packages-with-the-management-console.md) +##### [How to Delete a Package in the Management Console](app-v/appv-delete-a-package-with-the-management-console.md) ##### [How to Add or Remove an Administrator by Using the Management Console](app-v/appv-add-or-remove-an-administrator-with-the-management-console.md) ##### [How to Register and Unregister a Publishing Server by Using the Management Console](app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md) ##### [How to Create a Custom Configuration File by Using the App-V Management Console](app-v/appv-create-a-custom-configuration-file-with-the-management-console.md) ##### [How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console](app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md) ##### [How to Customize Virtual Applications Extensions for a Specific AD Group by Using the Management Console](app-v/appv-customize-virtual-application-extensions-with-the-management-console.md) -##### [How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console ](app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md) +##### [How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console](app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md) #### [Managing Connection Groups](app-v/appv-managing-connection-groups.md) ##### [About the Connection Group Virtual Environment](app-v/appv-connection-group-virtual-environment.md) ##### [About the Connection Group File](app-v/appv-connection-group-file.md) @@ -86,14 +86,14 @@ #### [Maintaining App-V](app-v/appv-maintaining-appv.md) ##### [How to Move the App-V Server to Another Computer](app-v/appv-move-the-appv-server-to-another-computer.md) #### [Administering App-V by Using Windows PowerShell](app-v/appv-administering-appv-with-powershell.md) -##### [How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help ](app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md) +##### [How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help](app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md) ##### [How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md) ##### [How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell](app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md) ##### [How to Modify Client Configuration by Using Windows PowerShell](app-v/appv-modify-client-configuration-with-powershell.md) ##### [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md) ##### [How to Apply the User Configuration File by Using Windows PowerShell](app-v/appv-apply-the-user-configuration-file-with-powershell.md) ##### [How to Apply the Deployment Configuration File by Using Windows PowerShell](app-v/appv-apply-the-deployment-configuration-file-with-powershell.md) -##### [How to Sequence a Package by Using Windows PowerShell ](app-v/appv-sequence-a-package-with-powershell.md) +##### [How to Sequence a Package by Using Windows PowerShell](app-v/appv-sequence-a-package-with-powershell.md) ##### [How to Create a Package Accelerator by Using Windows PowerShell](app-v/appv-create-a-package-accelerator-with-powershell.md) ##### [How to Enable Reporting on the App-V Client by Using Windows PowerShell](app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md) ##### [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell](app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md) diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index a9cb94cced..7edad5cf25 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -69,7 +69,7 @@ This log is not enabled by default. You can enable this log by expanding **Event ![screenshot of event viewer](images/capi.png) The following article explains how to analyze CAPI2 event logs: -[Troubleshooting PKI Problems on Windows Vista](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29). +[Troubleshooting PKI Problems on Windows Vista](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29). When troubleshooting complex 802.1X authentication issues, it is important to understand the 802.1X authentication process. The following figure is an example of wireless connection process with 802.1X authentication: diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md index 02586be4b6..dbd429f2e5 100644 --- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md +++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md @@ -237,8 +237,8 @@ This is followed by **PHY_STATE_CHANGE** and **PORT_DOWN** events due to a disas ### Resources -[802.11 Wireless Tools and Settings](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755892(v%3dws.10))
-[Understanding 802.1X authentication for wireless networks](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759077%28v%3dws.10%29)
+[802.11 Wireless Tools and Settings](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc755892(v%3dws.10))
+[Understanding 802.1X authentication for wireless networks](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc759077%28v%3dws.10%29)
## Example ETW capture diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md index 7c2db0122d..9302d7316d 100644 --- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md @@ -170,7 +170,7 @@ Supported operations are Get, Add, Replace If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten. If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail. In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate -CRYPT_DATA_BLOB on MSDN can be found at http://msdn.microsoft.com/library/windows/desktop/aa381414(v=vs.85).aspx +CRYPT_DATA_BLOB on MSDN can be found at https://msdn.microsoft.com/library/windows/desktop/aa381414(v=vs.85).aspx diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index b8cce9175a..bd5208972b 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -24,7 +24,7 @@ For information about the bridge WMI provider classes that map to these CSPs, se Additional lists: - [List of CSPs supported in Windows Holographic](#hololens) -- [List of CSPs supported in Microsoft Surface Hub ](#surfacehubcspsupport) +- [List of CSPs supported in Microsoft Surface Hub](#surfacehubcspsupport) - [List of CSPs supported in Windows 10 IoT Core](#iotcoresupport) diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md index 36057caacf..d395f091cd 100644 --- a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md +++ b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md @@ -387,7 +387,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - These settings are read by the Enrollment Status Page (ESP) during the the Device Preparation phase. These setting are used to orchestrate any setup activities prior to provisioning the device in the Device Setup phase of the ESP. + These settings are read by the Enrollment Status Page (ESP) during the Device Preparation phase. These setting are used to orchestrate any setup activities prior to provisioning the device in the Device Setup phase of the ESP. diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp.md b/windows/client-management/mdm/enrollmentstatustracking-csp.md index f7c3018c82..40733a7170 100644 --- a/windows/client-management/mdm/enrollmentstatustracking-csp.md +++ b/windows/client-management/mdm/enrollmentstatustracking-csp.md @@ -12,7 +12,7 @@ ms.date: 05/21/2019 # EnrollmentStatusTracking CSP -During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block the device use until the required apps are installed. You can select the apps that must be installed before using the device. The EnrollmentStatusTracking configuration service provider (CSP) is used by Intune's agents, such as SideCar to configure ESP for blocking the device use until the required Win32 apps are installed. It tracks the installation status of the required policy providers and the apps they install and sends it to ESP, which displays the installation progress message to the user. For more information on ESP, see [Windows Autopilot Enrollment Status page](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/enrollment-status). +During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block the device use until the required apps are installed. You can select the apps that must be installed before using the device. The EnrollmentStatusTracking configuration service provider (CSP) is used by Intune's agents, such as SideCar to configure ESP for blocking the device use until the required Win32 apps are installed. It tracks the installation status of the required policy providers and the apps they install and sends it to ESP, which displays the installation progress message to the user. For more information on ESP, see [Windows Autopilot Enrollment Status page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status). ESP uses the EnrollmentStatusTracking CSP along with the DMClient CSP to track the installation of different apps. The EnrollmentStatusTracking CSP tracks Win32 apps installations and DMClient CSP tracks MSI and Universal Windows Platform apps installations. In DMClient CSP, the **FirstSyncStatus/ExpectedMSIAppPackages** and **FirstSyncStatus/ExpectedModernAppPackages** nodes list the apps to track their installation. See [DMClient CSP](dmclient-csp.md) for more information. diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index fda1c7d218..3d84dac6fa 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -476,7 +476,7 @@ The following list of data points are verified by the DHA-Service in DHA-Report - [CodeIntegrityEnabled](#codeintegrityenabled) - [TestSigningEnabled](#testsigningenabled) - [SafeMode](#safemode) -- [WinPE ](#winpe) +- [WinPE](#winpe) - [ELAMDriverLoaded](#elamdriverloaded) *** - [VSMEnabled](#vsmenabled) - [PCRHashAlgorithmID](#pcrhashalgorithmid) diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index 781e0924d0..b9bc55a06a 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md @@ -42,11 +42,11 @@ The MDM security baseline includes policies that cover the following areas: - And much more For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see: -- [MDM Security baseline for Windows 10, version 1903](http://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1903-MDM-SecurityBaseLine-Document.zip) +- [MDM Security baseline for Windows 10, version 1903](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1903-MDM-SecurityBaseLine-Document.zip) -- [MDM Security baseline for Windows 10, version 1809](http://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip) + - [MDM Security baseline for Windows 10, version 1809](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip) -For information about the MDM policies defined in the Intune security baseline public preview, see [Windows security baseline settings for Intune](https://docs.microsoft.com/en-us/intune/security-baseline-settings-windows) +For information about the MDM policies defined in the Intune security baseline public preview, see [Windows security baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-windows) diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index bf819d4ba5..6c8d9e4c41 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -87,7 +87,7 @@ If you enable this policy setting, Windows is allowed to install or update any d If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. -Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. +Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. @@ -198,7 +198,7 @@ This setting allows device installation based on the serial number of a removabl If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. -Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. +Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. @@ -494,7 +494,7 @@ If you enable this policy setting, Windows is prevented from installing a device If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. -Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. +Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. > [!TIP] @@ -596,7 +596,7 @@ If you enable this policy setting, Windows is prevented from installing or updat If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. -Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. +Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. > [!TIP] diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 6f746062f9..69b9a21645 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -2850,7 +2850,7 @@ ADMX Info: This setting determines whether IE automatically downloads updated versions of Microsoft’s VersionList.XML. IE uses this file to determine whether an ActiveX control should be stopped from loading. > [!Caution] -> If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download breaks the [out-of-date ActiveX control blocking feature](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. +> If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download breaks the [out-of-date ActiveX control blocking feature](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. If you disable or do not configure this setting, IE continues to download updated versions of VersionList.XML. diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index b8ebc7042d..16470df06b 100644 --- a/windows/client-management/mdm/policy-csp-printers.md +++ b/windows/client-management/mdm/policy-csp-printers.md @@ -106,6 +106,19 @@ ADMX Info: - GP ADMX file name: *Printing.admx* + + +Example +``` +Name: Point and Print Enable Oma-URI: ./Device/Vendor/MSFT/Policy/Config/Printers/PointAndPrintRestrictions +Data type: String Value: + + + + + +``` +
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 3781130045..99b3c5e4f3 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -632,7 +632,7 @@ The following list shows the supported values: Allow the device to send diagnostic and usage telemetry data, such as Watson. -For more information about diagnostic data, including what is and what is not collected by Windows, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization). +For more information about diagnostic data, including what is and what is not collected by Windows, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization). The following tables describe the supported values: diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index 82449daa56..23687813bb 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -1655,11 +1655,11 @@ If disabled or not configured, extensions defined as part of this policy get ign Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) -- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) -- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) -- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business) +- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy) +- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows) @@ -11032,11 +11032,11 @@ If disabled or not configured, extensions defined as part of this policy get ign Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) -- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) -- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) -- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business) +- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy) +- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows) @@ -23030,11 +23030,11 @@ If disabled or not configured, extensions defined as part of this policy get ign Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) -- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) -- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) -- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business) +- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy) +- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows) @@ -51684,11 +51684,11 @@ If disabled or not configured, extensions defined as part of this policy get ign Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) -- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) -- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) -- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business) +- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy) +- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows) diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md index df735b07d8..dffd9c60c8 100644 --- a/windows/client-management/mdm/wifi-ddf-file.md +++ b/windows/client-management/mdm/wifi-ddf-file.md @@ -104,7 +104,7 @@ The XML below is for Windows 10, version 1809. XML describing the network configuration and follows Windows WLAN_profile schema. - Link to schema: http://msdn.microsoft.com/library/windows/desktop/ms707341(v=vs.85).aspx + Link to schema: https://msdn.microsoft.com/library/windows/desktop/ms707341(v=vs.85).aspx diff --git a/windows/client-management/troubleshoot-networking.md b/windows/client-management/troubleshoot-networking.md index 9562483162..57398a2764 100644 --- a/windows/client-management/troubleshoot-networking.md +++ b/windows/client-management/troubleshoot-networking.md @@ -29,7 +29,7 @@ The following topics are available to help you troubleshoot common problems rela [802.1X authenticated wired access overview](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831831(v=ws.11))
[802.1X authenticated wireless access overview](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994700(v%3dws.11))
[Wireless cccess deployment overview](https://docs.microsoft.com/windows-server/networking/core-network-guide/cncg/wireless/b-wireless-access-deploy-overview)
-[TCP/IP technical reference](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd379473(v=ws.10))
+[TCP/IP technical reference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd379473(v=ws.10))
[Network Monitor](https://docs.microsoft.com/windows/desktop/netmon2/network-monitor)
[RPC and the network](https://docs.microsoft.com/windows/desktop/rpc/rpc-and-the-network)
[How RPC works](https://docs.microsoft.com/windows/desktop/rpc/how-rpc-works)
diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md index 42fb6ef17e..26d48d6ccb 100644 --- a/windows/client-management/troubleshoot-stop-errors.md +++ b/windows/client-management/troubleshoot-stop-errors.md @@ -142,7 +142,7 @@ You can use the tools such as Windows Software Development KIT (SDK) and Symbols 4. Start the install and choose **Debugging Tools for Windows**. This will install the WinDbg tool. 5. Open the WinDbg tool and set the symbol path by clicking **File** and then clicking **Symbol File Path**.
a. If the computer is connected to the Internet, enter the [Microsoft public symbol server](https://docs.microsoft.com/windows-hardware/drivers/debugger/microsoft-public-symbols) (https://msdl.microsoft.com/download/symbols) and click **OK**. This is the recommended method.
- b. If the computer is not connected to the Internet, you must specify a local [symbol path](https://docs.microsoft.com/en-in/windows-hardware/drivers/debugger/symbol-path). + b. If the computer is not connected to the Internet, you must specify a local [symbol path](https://docs.microsoft.com/windows-hardware/drivers/debugger/symbol-path). 6. Click on **Open Crash Dump**, and then open the memory.dmp file that you copied. See the example below. ![WinDbg](images/windbg.png) 7. There should be a link that says **!analyze -v** under **Bugcheck Analysis**. Click that link. This will enter the command !analyze -v in the prompt at the bottom of the page. diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md index 31c0d456f6..576ee3a7c0 100644 --- a/windows/client-management/troubleshoot-windows-freeze.md +++ b/windows/client-management/troubleshoot-windows-freeze.md @@ -129,7 +129,7 @@ If the computer is no longer frozen and now is running in a good state, use the 3. On some physical computers, you may generate a nonmakeable interruption (NMI) from the Web Interface feature (such as DRAC, iLo, and RSA). However, by default, this setting will stop the system without creating a memory dump. - To allow the operating system to generate a memory dump file at an NMI interruption, set the value of the [NMICrashDump](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc783271(v=ws.10)) registry entry to `1` (REG_DWORD). Then, restart the computer to apply this change. + To allow the operating system to generate a memory dump file at an NMI interruption, set the value of the [NMICrashDump](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc783271(v=ws.10)) registry entry to `1` (REG_DWORD). Then, restart the computer to apply this change. > [!NOTE] > This is applicable only for Windows 7, Windows Server 2008 R2, and earlier versions of Windows. For Windows 8 Windows Server 2012, and later versions of Windows, the NMICrashDump registry key is no longer required, and an NMI interruption will result in [a Stop error that follows a memory dump data collection](https://support.microsoft.com/help/2750146). diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md index afcec998a5..7d787f544d 100644 --- a/windows/client-management/windows-10-support-solutions.md +++ b/windows/client-management/windows-10-support-solutions.md @@ -49,26 +49,26 @@ These are the top Microsoft Support solutions for the most common issues experie ## Solutions related to installing Windows Updates -- [How does Windows Update work](https://docs.microsoft.com/en-us/windows/deployment/update/how-windows-update-works) -- [Windows Update log files](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-logs) -- [Windows Update troubleshooting](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-troubleshooting) -- [Windows Update common errors and mitigation](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-errors) -- [Windows Update - additional resources](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-resources) +- [How does Windows Update work](https://docs.microsoft.com/windows/deployment/update/how-windows-update-works) +- [Windows Update log files](https://docs.microsoft.com/windows/deployment/update/windows-update-logs) +- [Windows Update troubleshooting](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting) +- [Windows Update common errors and mitigation](https://docs.microsoft.com/windows/deployment/update/windows-update-errors) +- [Windows Update - additional resources](https://docs.microsoft.com/windows/deployment/update/windows-update-resources) ## Solutions related to installing or upgrading Windows -- [Quick Fixes](https://docs.microsoft.com/en-us/windows/deployment/upgrade/quick-fixes) -- [Troubleshooting upgrade errors](https://docs.microsoft.com/en-us/windows/deployment/upgrade/troubleshoot-upgrade-errors) -- [Resolution procedures](https://docs.microsoft.com/en-us/windows/deployment/upgrade/resolution-procedures) +- [Quick Fixes](https://docs.microsoft.com/windows/deployment/upgrade/quick-fixes) +- [Troubleshooting upgrade errors](https://docs.microsoft.com/windows/deployment/upgrade/troubleshoot-upgrade-errors) +- [Resolution procedures](https://docs.microsoft.com/windows/deployment/upgrade/resolution-procedures) - [0xc1800118 error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/en-in/help/3194588/0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus) - [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/en-in/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system) ## Solutions related to BitLocker -- [BitLocker recovery guide](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan) -- [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock) -- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker) -- [BitLocker Group Policy settings](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings) +- [BitLocker recovery guide](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan) +- [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock) +- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker) +- [BitLocker Group Policy settings](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings) ## Solutions related to Bugchecks or Stop Errors - [Troubleshooting Stop error problems for IT Pros](https://support.microsoft.com/help/3106831/troubleshooting-stop-error-problems-for-it-pros) @@ -92,8 +92,8 @@ These are the top Microsoft Support solutions for the most common issues experie - [Modern apps are blocked by security software when you start the applications on Windows 10 Version 1607](https://support.microsoft.com/help/4016973/modern-apps-are-blocked-by-security-software-when-you-start-the-applic) ## Solutions related to wireless networking and 802.1X authentication -- [Advanced Troubleshooting Wireless Network](Connectivity]https://docs.microsoft.com/en-us/windows/client-management/advanced-troubleshooting-wireless-network-connectivity) -- [Advanced Troubleshooting 802.1x Authentication](https://docs.microsoft.com/en-us/windows/client-management/advanced-troubleshooting-802-authentication) -- [Troubleshooting Windows 802.11 Wireless Connections](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc766215(v=ws.10)) -- [Troubleshooting Windows Secure 802.3 Wired Connections](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749352(v%3dws.10)) +- [Advanced Troubleshooting Wireless Network](Connectivity]https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-wireless-network-connectivity) +- [Advanced Troubleshooting 802.1x Authentication](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-802-authentication) +- [Troubleshooting Windows 802.11 Wireless Connections](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-vista/cc766215(v=ws.10)) +- [Troubleshooting Windows Secure 802.3 Wired Connections](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-vista/cc749352(v%3dws.10)) - [Windows 10 devices can't connect to an 802.1X environment](https://support.microsoft.com/kb/3121002) diff --git a/windows/client-management/windows-libraries.md b/windows/client-management/windows-libraries.md index c6dc6eab15..b5977c0973 100644 --- a/windows/client-management/windows-libraries.md +++ b/windows/client-management/windows-libraries.md @@ -117,7 +117,7 @@ See the [Library Description Schema](https://go.microsoft.com/fwlink/?LinkId=159 ### Concepts -- [Windows Search Features ](https://technet.microsoft.com/library/dd744686.aspx) +- [Windows Search Features](https://technet.microsoft.com/library/dd744686.aspx) - [Windows Indexing Features](https://technet.microsoft.com/library/dd744700.aspx) - [Federated Search Features](https://technet.microsoft.com/library/dd744682.aspx) - [Administrative How-to Guides](https://technet.microsoft.com/library/ee461108.aspx) diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 6e4fc5d47e..cca3071cad 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -214,7 +214,7 @@ The topics in this library have been updated for Windows 10, version 1709 (also | New or changed topic | Description | | --- | --- | | [Configure cellular settings for tablets and PCs](provisioning-apn.md) | New | -| [ Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added MDM policies for privacy settings | +| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added MDM policies for privacy settings | ## April 2017 diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 7475992145..c3491784d7 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -251,7 +251,7 @@ The following table describes some features that have interoperability issues we Customers sometimes use virtual machines (VMs) to test configurations before deploying those configurations to physical devices. If you use a VM to test your single-app kiosk configuration, you need to know how to connect to the VM properly. -A single-app kiosk kiosk configuration runs an app above the lockscreen. It doesn't work when it's accessed remotely, which includes *enhanced* sessions in Hyper-V. +A single-app kiosk configuration runs an app above the lockscreen. It doesn't work when it's accessed remotely, which includes *enhanced* sessions in Hyper-V. When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** is not selected in the **View** menu; that means it's a basic session. diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md index 1e484e0795..6fd35e9786 100644 --- a/windows/configuration/kiosk-shelllauncher.md +++ b/windows/configuration/kiosk-shelllauncher.md @@ -45,7 +45,7 @@ Shell Launcher v2 replaces `explorer.exe` with `customshellhost.exe`. This new e In addition to allowing you to use a UWP app for your replacement shell, Shell Launcher v2 offers additional enhancements: - You can use a custom Windows desktop application that can then launch UWP apps, such as **Settings** and **Touch Keyboard**. - From a custom UWP shell, you can launch secondary views and run on multiple monitors. -- The custom shell app runs in full screen, and and can run other apps in full screen on user’s demand. +- The custom shell app runs in full screen, and can run other apps in full screen on user’s demand. For sample XML configurations for the different app combinations, see [Samples for Shell Launcher v2](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2). diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md index 38d6cdbf27..d67437503a 100644 --- a/windows/configuration/ue-v/uev-getting-started.md +++ b/windows/configuration/ue-v/uev-getting-started.md @@ -166,8 +166,8 @@ For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.c - [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md) -- [Administering UE-V ](uev-administering-uev.md) +- [Administering UE-V](uev-administering-uev.md) -- [Troubleshooting UE-V ](uev-troubleshooting.md) +- [Troubleshooting UE-V](uev-troubleshooting.md) - [Technical Reference for UE-V](uev-technical-reference.md) diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md index 794ec9df43..7e2ed82e70 100644 --- a/windows/configuration/ue-v/uev-prepare-for-deployment.md +++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md @@ -402,8 +402,8 @@ The UE-V template generator must be installed on a device that uses an NTFS file - [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md) -- [Administering UE-V ](uev-administering-uev.md) +- [Administering UE-V](uev-administering-uev.md) -- [Troubleshooting UE-V ](uev-troubleshooting.md) +- [Troubleshooting UE-V](uev-troubleshooting.md) - [Technical Reference for UE-V](uev-technical-reference.md) diff --git a/windows/configuration/ue-v/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md index 84502cd211..70054cae5a 100644 --- a/windows/configuration/ue-v/uev-release-notes-1607.md +++ b/windows/configuration/ue-v/uev-release-notes-1607.md @@ -131,8 +131,8 @@ This section contains hotfixes and KB articles for UE-V. - [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md) -- [Administering UE-V ](uev-administering-uev.md) +- [Administering UE-V](uev-administering-uev.md) -- [Troubleshooting UE-V ](uev-troubleshooting.md) +- [Troubleshooting UE-V](uev-troubleshooting.md) - [Technical Reference for UE-V](uev-technical-reference.md) diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index c8086eebd5..be459e9731 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md @@ -141,7 +141,7 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star | [PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-forceenabledextensions) | Enter a list of extensions in Microsoft Edge that users cannot turn off, using a semi-colon delimited list of extension package family names. | X | | | | | | [PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc) | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. | X | X | X | | X | [ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | Configure a default set of favorites which will appear for employees. | X | X | | | | -| [SendIntranetTraffictoInternetExplorer ](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-sendintranettraffictointernetexplorer) | Specify whether to send intranet traffic to Internet Explorer. | X | | | | | +| [SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-sendintranettraffictointernetexplorer) | Specify whether to send intranet traffic to Internet Explorer. | X | | | | | | [SetDefaultSearchEngine](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-setdefaultsearchengine) | Configure the default search engine for your employees. | X | X | X | | X | | [SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) | Specify a custom URL for the Home button. You should also enable the [ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) setting and select the **Show the home button; clicking the home button loads a specific URL** option. | X | | | | | | [SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) | Specify a custom URL for a New tab page. | X | | | | | diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md index bfdff060a4..292ef2be02 100644 --- a/windows/configuration/wcd/wcd-start.md +++ b/windows/configuration/wcd/wcd-start.md @@ -34,7 +34,7 @@ Use StartLayout to select the `LayoutModification.xml` file that applies a custo >[!NOTE] >The XML file that defines the Start layout for Windows 10 Mobile must be named `LayoutModification.xml`. -For more information, see [Start layout XML for mobile editions of Windows 10 ](../mobile-devices/lockdown-xml.md)). +For more information, see [Start layout XML for mobile editions of Windows 10](../mobile-devices/lockdown-xml.md)). ## StartLayoutFilePath diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 53c27e86c3..00ed8b7866 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -23,13 +23,13 @@ ms.topic: article This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization. -- For an all-up overview of new features in Windows 10, see [What's new in Windows 10](https://docs.microsoft.com/en-us/windows/whats-new/index). +- For an all-up overview of new features in Windows 10, see [What's new in Windows 10](https://docs.microsoft.com/windows/whats-new/index). - For a detailed list of changes to Windows 10 ITPro TechNet library content, see [Online content change history](#online-content-change-history). ## Recent additions to this page [SetupDiag](#setupdiag) 1.4.1 is released.
-The [Windows ADK for Windows 10, version 1903](https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install) is available.
+The [Windows ADK for Windows 10, version 1903](https://docs.microsoft.com/windows-hardware/get-started/adk-install) is available.
New [Windows Autopilot](#windows-autopilot) content is available.
[Windows 10 Subscription Activation](#windows-10-subscription-activation) now supports Windows 10 Education. @@ -49,7 +49,7 @@ See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, whic ## Windows 10 servicing and support - [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with System Center Configuration Manager content coming soon! -- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. - **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. @@ -88,7 +88,7 @@ The following Windows Autopilot features are available in Windows 10, version 19 Windows 10 Education support has been added to Windows 10 Subscription Activation. -With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-subscription-activation). +With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation). ### SetupDiag @@ -135,14 +135,14 @@ For more information, see [MBR2GPT.EXE](mbr-to-gpt.md). MDT build 8456 (12/19/2018) is available, including support for Windows 10, version 1809, and Windows Server 2019. -For more information about MDT, see the [MDT resource page](https://docs.microsoft.com/en-us/sccm/mdt/). +For more information about MDT, see the [MDT resource page](https://docs.microsoft.com/sccm/mdt/). ### Windows Assessment and Deployment Kit (ADK) The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. See the following topics: -- [What's new in ADK kits and tools](https://docs.microsoft.com/en-us/windows-hardware/get-started/what-s-new-in-kits-and-tools) +- [What's new in ADK kits and tools](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools) - [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) @@ -178,7 +178,7 @@ The following topics provide a change history for Windows 10 ITPro TechNet libra [Overview of Windows as a service](update/waas-overview.md)
[Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md) -
[Windows 10 release information](https://docs.microsoft.com/en-us/windows/windows-10/release-information) +
[Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information)
[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/en-us/windows/windows-10-specifications)
[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md) diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md index 829b1efc16..2d91a632b5 100644 --- a/windows/deployment/update/waas-morenews.md +++ b/windows/deployment/update/waas-morenews.md @@ -16,6 +16,12 @@ ms.topic: article Here's more news about [Windows as a service](windows-as-a-service.md):
    +
  • Windows 10, version 1809 designated for broad deployment - March 28, 2019
    • +
  • Data, insights and listening to improve the customer experience - March 6, 2019
    • +
  • Getting to know the Windows update history pages - February 21, 2019
    • +
  • Windows Update for Business and the retirement of SAC-T - February 14, 2019
    • +
  • Application compatibility in the Windows ecosystem - January 15, 2019
    • +
  • Windows monthly security and quality updates overview - January 10, 2019
  • Driver quality in the Windows ecosystem - December 19, 2018
  • Modern Desktop Podcast - Episode 001 – Windows 10 Monthly Quality Updates - December 18, 2018
  • Measuring Delivery Optimization and its impact to your network - December 13, 2018
    • diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md index b983785b2f..b9df3fe9ee 100644 --- a/windows/deployment/update/waas-wufb-group-policy.md +++ b/windows/deployment/update/waas-wufb-group-policy.md @@ -104,7 +104,7 @@ At this point, the IT administrator can set a policy to pause the update. In thi ![illustration of rings with pause quality update check box selected](images/waas-wufb-pause.png) -Now all devices are paused from updating for 35 days. When the the pause is removed, they will be offered the *next* quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again. +Now all devices are paused from updating for 35 days. When the pause is removed, they will be offered the *next* quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again. diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md index ea7165bc4c..3dba405f93 100644 --- a/windows/deployment/update/windows-as-a-service.md +++ b/windows/deployment/update/windows-as-a-service.md @@ -21,20 +21,19 @@ Find the tools and resources you need to help deploy and support Windows as a se Find the latest and greatest news on Windows 10 deployment and servicing. **Discovering the Windows 10 Update history pages** -> [!VIDEO https://www.youtube-nocookie.com/embed/GADIXBf9R58] +> [!VIDEO https://www.youtube-nocookie.com/embed/mTnAb9XjMPY] -Everyone wins when transparency is a top priority. We want you to know when updates are available, as well as alert you to any potential issues you may encounter during or after you install an update. The Windows update history page is for anyone looking to gain an immediate, precise understanding of particular Windows update issues. +Everyone wins when transparency is a top priority. We want you to know when updates are available, as well as alert you to any potential issues you may encounter during or after you install an update. Bookmark the Windows release health dashboard for near real-time information on known issues, workarounds, and resolutions--as well as the current status of the latest feature update rollout. The latest news: [See more news](waas-morenews.md). You can also check out the [Windows 10 blog](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog). @@ -44,9 +43,11 @@ Written by IT pros for IT pros, sharing real world examples and scenarios for Wi -**NEW** Classifying Windows updates in common deployment tools +**NEW** Deployment rings: The hidden [strategic] gem of Windows as a service -NEW Express updates for Windows Server 2016 re-enabled for November 2018 update +Classifying Windows updates in common deployment tools + +Express updates for Windows Server 2016 re-enabled for November 2018 update 2019 SHA-2 Code Signing Support requirement for Windows and WSUS diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md index 8024b7af27..ba8e94c735 100644 --- a/windows/deployment/windows-autopilot/add-devices.md +++ b/windows/deployment/windows-autopilot/add-devices.md @@ -28,13 +28,13 @@ Before deploying a device using Windows Autopilot, the device must be registered When you purchase devices directly from an OEM, that OEM can automatically register the devices with the Windows Autopilot deployment service. For the list of OEMs that currently support this, see the "Participant device manufacturers" section of the [Windows Autopilot information page](https://www.microsoft.com/en-us/windowsforbusiness/windows-autopilot). -Before an OEM can register devices on behalf of an organization, the organization must grant the OEM permission to do so. This process is initiated by the OEM, with approval granted by an Azure AD global administrator from the organization. See the "Customer Consent" section of the [Customer consent page](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/registration-auth#oem-authorization). +Before an OEM can register devices on behalf of an organization, the organization must grant the OEM permission to do so. This process is initiated by the OEM, with approval granted by an Azure AD global administrator from the organization. See the "Customer Consent" section of the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#oem-authorization). ## Reseller, distributor, or partner registration Customers may purchase devices from resellers, distributors, or other partners. As long as these resellers, distributors, and partners are part of the [Cloud Solution Partners (CSP) program](https://partner.microsoft.com/en-us/cloud-solution-provider), they too can register devices on behalf of the customer. -As with OEMs, CSP parnters must be granted permission to register devices on behalf of an organization. This follows the process described on the [Customer consent page](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/registration-auth#csp-authorization). The CSP partner initiates a request to establish a relationship with the organization, with approval granted by a global administrator from the organization. Once approved, CSP partners add devices using [Partner Center](https://partner.microsoft.com/en-us/pcv/dashboard/overview), either directly through the web site or via available APIs that can automate the same tasks. +As with OEMs, CSP parnters must be granted permission to register devices on behalf of an organization. This follows the process described on the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#csp-authorization). The CSP partner initiates a request to establish a relationship with the organization, with approval granted by a global administrator from the organization. Once approved, CSP partners add devices using [Partner Center](https://partner.microsoft.com/en-us/pcv/dashboard/overview), either directly through the web site or via available APIs that can automate the same tasks. Windows Autopilot does not require delegated administrator permissions when establishing the relationship between the CSP partner and the organization. As part of the approval process performed by the global administrator, the global administrator can choose to uncheck the "Include delegated administration permissions" checkbox. @@ -42,9 +42,9 @@ Windows Autopilot does not require delegated administrator permissions when esta If an existing device is already running Windows 10 version 1703 or later and enrolled in an MDM service such an Intune, that MDM service can ask the device for the hardwareh ID (also known as a hardware hash). Once it has that, it can automatically register the device with Windows Autopilot. -For instructions on how to do this with Microsoft Intune, see [Create an Autopilot deployment profile](https://docs.microsoft.com/en-us/intune/enrollment-autopilot#create-an-autopilot-deployment-profile) documentation describing the "Convert all targeted devices to Autopilot" setting. +For instructions on how to do this with Microsoft Intune, see [Create an Autopilot deployment profile](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-deployment-profile) documentation describing the "Convert all targeted devices to Autopilot" setting. -Also note that when using the [Windows Autopilot for existing devices](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/existing-devices) scenario, it is not necessary to pre-register the devices with Windows Autopilot. Instead, a configuration file (AutopilotConfigurationFile.json) containing all the Windows Autopilot profile settings is used; the device can be registered with Windows Autopilot after the fact using the same "Convert all targeted devices to Autopilot" setting. +Also note that when using the [Windows Autopilot for existing devices](https://docs.microsoft.com/windows/deployment/windows-autopilot/existing-devices) scenario, it is not necessary to pre-register the devices with Windows Autopilot. Instead, a configuration file (AutopilotConfigurationFile.json) containing all the Windows Autopilot profile settings is used; the device can be registered with Windows Autopilot after the fact using the same "Convert all targeted devices to Autopilot" setting. ## Manual registration diff --git a/windows/deployment/windows-autopilot/bitlocker.md b/windows/deployment/windows-autopilot/bitlocker.md index a3a91da1f5..11d6e7b42f 100644 --- a/windows/deployment/windows-autopilot/bitlocker.md +++ b/windows/deployment/windows-autopilot/bitlocker.md @@ -25,7 +25,7 @@ ms.topic: article With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. This ensures that the default encrytion algorithm is not applied automatically when this is not the desired setting. Other BitLocker policies that must be applied prior to encryption can also be delivered before automatic BitLocker encryption begins. -The BitLocker encryption algorithm is used when BitLocker is first enabled, and sets the strength to which full volume encryption should occur. Available encryption algorithms are: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit or XTS-AES 256-bit encryption. The default value is XTS-AES 128-bit encryption. See [BitLocker CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp) for information about the recommended encryption algorithms to use. +The BitLocker encryption algorithm is used when BitLocker is first enabled, and sets the strength to which full volume encryption should occur. Available encryption algorithms are: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit or XTS-AES 256-bit encryption. The default value is XTS-AES 128-bit encryption. See [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) for information about the recommended encryption algorithms to use. To ensure the desired BitLocker encryption algorithm is set before automatic encryption occurs for Autopilot devices: @@ -51,4 +51,4 @@ Windows 10, version 1809 or later. ## See also -[Bitlocker overview](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview) +[Bitlocker overview](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 5cd9c37d9a..f2f6408b2f 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -394,7 +394,7 @@ Optional: see the following video for an overview of the process. > [!video https://www.youtube.com/embed/IpLIZU_j7Z0] -First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](https://docs.microsoft.com/en-us/microsoft-store/windows-store-for-business-overview) to create a new one. +First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](https://docs.microsoft.com/microsoft-store/windows-store-for-business-overview) to create a new one. Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) using your test account by clicking **Sign in** in the upper-right-corner of the main page. @@ -462,7 +462,7 @@ Click on **OK** and then click on **Create**. #### Assign the profile -Profiles can only be assigned to Groups, so first you must create a group that contains the devices to which the profile should be applied. This guide will provide simple instructions to assign a profile, for more detailed instructions, see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/en-us/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group), as optional reading. +Profiles can only be assigned to Groups, so first you must create a group that contains the devices to which the profile should be applied. This guide will provide simple instructions to assign a profile, for more detailed instructions, see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group), as optional reading. To create a Group, open the Azure Portal and select **Azure Active Directory** > **Groups** > **All groups**: @@ -564,7 +564,7 @@ Windows Autopilot will now take over to automatically join your device into Azur ## Remove devices from Autopilot -To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found [here](https://docs.microsoft.com/en-us/intune/enrollment-autopilot#create-an-autopilot-device-group) and [here](https://docs.microsoft.com/en-us/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below. +To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [here](https://docs.microsoft.com/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below. ### Delete (deregister) Autopilot device @@ -758,7 +758,7 @@ In the app **Assignments** pane, select **Save**. At this point, you have completed steps to add a Win32 app to Intune. -For more information on adding adds to Intune, see [Intune Standalone - Win32 app management](https://docs.microsoft.com/en-us/intune/apps-win32-app-management). +For more information on adding adds to Intune, see [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps-win32-app-management). ### Add Office 365 @@ -826,7 +826,7 @@ In the app **Assignments** pane, select **Save**. At this point, you have completed steps to add Office to Intune. -For more information on adding Office apps to Intune, see [Assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-add-office365). +For more information on adding Office apps to Intune, see [Assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/intune/apps-add-office365). If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate: diff --git a/windows/deployment/windows-autopilot/enrollment-status.md b/windows/deployment/windows-autopilot/enrollment-status.md index 401c84e8fe..e23bd3a77c 100644 --- a/windows/deployment/windows-autopilot/enrollment-status.md +++ b/windows/deployment/windows-autopilot/enrollment-status.md @@ -1,76 +1,56 @@ ---- -title: Windows Autopilot Enrollment Status page -ms.reviewer: -manager: laurawi -description: Gives an overview of the enrollment status page capabilities, configuration -keywords: Autopilot Plug and Forget, Windows 10 -ms.prod: w10 -ms.technology: Windows -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -ms.localizationpriority: medium -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot Enrollment Status page - -**Applies to** - -- Windows 10 - -The Windows Autopilot Enrollment Status Page displays the status of the complete device configuration process. Incorporating feedback from customers, this provides information to the user to show that the device is being configured. The Enrollment Status Page can be also configured to prevent access to the desktop until the configuration process is complete. - - ![Enrollment status page](images/enrollment-status-page.png) - -From Windows 10 version 1803 onwards, you can opt out of the account setup phase. If it is skipped, settings will be applied for users when they access their desktop for the first time. - -## Available settings - - The following settings can be configured to customize behavior of the enrollment status page: - -
-
SettingYesNo -
Show app and profile installation progressThe enrollment status page is displayed.The enrollment status page is not displayed. -
Block device use until all apps and profiles are installedThe settings in this table are made available to customize behavior of the enrollment status page, so that the user can address potential installation issues. -The enrollment status page is displayed with no additional options to address installation failures. -
Allow users to reset device if installation error occursA Reset device button is displayed if there is an installation failure.The Reset device button is not displayed if there is an installation failure. -
Allow users to use device if installation error occursA Continue anyway button is displayed if there is an installation failure.The Continue anyway button is not displayed if there is an installation failure. -
Show error when installation takes longer than specified number of minutesSpecify the number of minutes to wait for installation to complete. A default value of 60 minutes is entered. -
Show custom message when an error occursA text box is provided where you can specify a custom message to display in case of an installation error.The default message is displayed:
Oh no! Something didn't do what it was supposed to. Please contact your IT department. -
Allow users to collect logs about installation errorsIf there is an installation error, a Collect logs button is displayed.
If the user clicks this button they are asked to choose a location to save the log file MDMDiagReport.cab		The Collect logs button is not displayed if there is an installation error. -
Block device use until these required apps are installed if they are assigned to the user/deviceChoose All or Selected.

If Selected is chosen, a Select apps button is displayed that enables you to choose which apps must be installed prior to enabling device use. -
- -See the following example: - - ![Enrollment status page settings](images/esp-settings.png) - -## Installation progress tracking - -The Enrollment Status page tracks a subset of the available MDM CSP policies that are delivered to the device as part of the complete device configuration process. The specific types of policies that are tracked include: - -- Certain types of app installations. - - Enterprise modern apps (Appx/MSIX) installed by the [Enterprise Modern App Managment CSP](https://docs.microsoft.com/windows/client-management/mdm/enterprisemodernappmanagement-csp). - - Enterprise desktop apps (single-file MSIs) installed by the [Enterprise Desktop App Management CSP](https://docs.microsoft.com/windows/client-management/mdm/enterprisedesktopappmanagement-csp). -- Certain device configuration policies. - -The following types of policies and installations are not tracked: - -- Intune Management Extensions PowerShell scripts -- Office 365 ProPlus installations** -- System Center Configuration Manager apps, packages, and task sequences - -**The ability to track Office 365 ProPlus installations was added with Windows 10, version 1809.
- -## More information - -For more information on configuring the Enrollment Status page, see the [Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status).
-For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP documentation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
-For more information about blocking for app installation: -- [Blocking for app installation using Enrollment Status Page](https://blogs.technet.microsoft.com/mniehaus/2018/12/06/blocking-for-app-installation-using-enrollment-status-page/). -- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514). +--- +title: Windows Autopilot Enrollment Status page +ms.reviewer: +manager: laurawi +description: Gives an overview of the enrollment status page capabilities, configuration +keywords: Autopilot Plug and Forget, Windows 10 +ms.prod: w10 +ms.technology: Windows +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +ms.localizationpriority: medium +author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot Enrollment Status page + +**Applies to** + +- Windows 10, version 1803 and later + +The Enrollment Status Page (ESP) displays the status of the complete device configuration process when an MDM managed user signs into a device for the very first time. The ESP will help users understand the progress of device provisioning and ensures the device has met the organizations desired state before the user can access the desktop for the first time. + +The ESP will track the installation of applications, security policies, certificates and network connections. Within Intune, an administrator can deploy ESP profiles to a licensed Intune user and configure specific settings within the ESP profile; a few of these settings are: force the installation of specified applications, allow users to collect troubleshooting logs, specify what a user can do if device setup fails. For more information, see [how to setup the Enrollment Status Page in Intune.] (https://docs.microsoft.com/en-us/intune/windows-enrollment-status). + + ![Enrollment status page](images/enrollment-status-page.png) + + +## Installation progress tracking + +The Enrollment Status page tracks a subset of the available MDM CSP policies that are delivered to the device as part of the complete device configuration process. The specific types of policies that are tracked include: + +- Certain types of app installations. + - Enterprise modern apps (Appx/MSIX) installed by the [Enterprise Modern App Managment CSP](https://docs.microsoft.com/windows/client-management/mdm/enterprisemodernappmanagement-csp). + - Enterprise desktop apps (single-file MSIs) installed by the [Enterprise Desktop App Management CSP](https://docs.microsoft.com/windows/client-management/mdm/enterprisedesktopappmanagement-csp). +- Certain device configuration policies. + +The following types of policies and installations are not tracked: + +- Intune Management Extensions PowerShell scripts +- Office 365 ProPlus installations** +- System Center Configuration Manager apps, packages, and task sequences + +**The ability to track Office 365 ProPlus installations was added with Windows 10, version 1809.
+ +## More information + +For more information on configuring the Enrollment Status Page, see the [Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status).
+For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP documentation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
+For more information about blocking for app installation: +- [Blocking for app installation using Enrollment Status Page](https://blogs.technet.microsoft.com/mniehaus/2018/12/06/blocking-for-app-installation-using-enrollment-status-page/). +- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514). diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md index aa49b12f4f..fb3a5b3593 100644 --- a/windows/deployment/windows-autopilot/existing-devices.md +++ b/windows/deployment/windows-autopilot/existing-devices.md @@ -303,7 +303,7 @@ The Task Sequence will download content, reboot, format the drives and install W ### Register the device for Windows Autopilot -Devices provisioned through Autopilot will only receive the guided OOBE Autopilot experience on first boot. Once updated to Windows 10, the device should be registered to ensure a continued Autopilot experience in the event of PC reset. You can enable automatic registration for an assigned group using the **Convert all targeted devices to Autopilot** setting. For more information, see [Create an Autopilot deployment profile](https://docs.microsoft.com/en-us/intune/enrollment-autopilot#create-an-autopilot-deployment-profile). +Devices provisioned through Autopilot will only receive the guided OOBE Autopilot experience on first boot. Once updated to Windows 10, the device should be registered to ensure a continued Autopilot experience in the event of PC reset. You can enable automatic registration for an assigned group using the **Convert all targeted devices to Autopilot** setting. For more information, see [Create an Autopilot deployment profile](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-deployment-profile). Also see [Adding devices to Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/add-devices). diff --git a/windows/deployment/windows-autopilot/index.md b/windows/deployment/windows-autopilot/index.md index f3911a5db3..0b030458a3 100644 --- a/windows/deployment/windows-autopilot/index.md +++ b/windows/deployment/windows-autopilot/index.md @@ -45,7 +45,7 @@ This guide is intended for use by an IT-specialist, system architect, or busines - + diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md index 65e1e3a384..4981294bac 100644 --- a/windows/security/identity-protection/access-control/active-directory-security-groups.md +++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md @@ -2883,7 +2883,7 @@ This security group was introduced in Windows Server 2012, and it has not chang - + diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index 1bd0ee3c7b..364908841f 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -515,7 +515,7 @@ The following table shows the Group Policy settings that are used to deny networ 2. Double-click **Deny log on through Remote Desktop Services**. - 3. Click **Add User or Group**, type type **Local account and member of Administrators group**, and > **OK**. + 3. Click **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**. 8. Link the GPO to the first **Workstations** OU as follows: diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index 15e3791181..6b0c32bc57 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md @@ -1,6 +1,6 @@ --- -title: Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments -description: Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments +title: Planning an adequate number of Windows Server 2019 Domain Controllers for Windows Hello for Business deployments +description: Planning an adequate number of Windows Server 2019 Domain Controllers for Windows Hello for Business deployments keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust ms.prod: w10 ms.mktglfcycl: deploy @@ -16,34 +16,44 @@ localizationpriority: medium ms.date: 08/20/2018 ms.reviewer: --- -# Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments +# Planning an adequate number of Windows Server 2019 Domain Controllers for Windows Hello for Business deployments **Applies to** - Windows 10, version 1702 or later +- Windows Server, versions 2016 and 2019 - Hybrid or On-Premises deployment - Key trust +> [!NOTE] +>There was an issue with key trust on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044). + ## How many is adequate -How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2016 includes the KDC AS Requests performance counter. You can use these counters to determine how much of a domain controller's load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication--it remains unchanged. + +How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2019 includes the KDC AS Requests performance counter. You can use this counter to determine how much of a domain controller's load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication - it remains unchanged. -Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers. Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 domain controller. + +Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2019 domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers. Therefore, users in a key trust deployment must authenticate to a Windows Server 2019 domain controller. -Determining an adequate number of Windows Server 2016 domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding the most current version of a domain controller (in this case Windows Server 2016) to a deployment of existing domain controllers (Windows Server 2008R2 or Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario: + +Determining an adequate number of Windows Server 2019 domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding the most current version of a domain controller (in this case Windows Server 2019) to a deployment of existing domain controllers (Windows Server 2008R2, Windows Server 2012R2 or Windows Server 2016) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario: + Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following: ![dc-chart1](images/plan/dc-chart1.png) -The environment changes. The first change includes DC1 upgraded to Windows Server 2016 to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following: + +The environment changes. The first change includes DC1 upgraded to Windows Server 2019 to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following: ![dc-chart2](images/plan/dc-chart2.png) -The Windows Server 2016 domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of the password authentication. Why? This behavior occurs because domain controllers 2- 10 only support password and certificate trust authentication; only a Windows Server 2016 domain controller supports authentication public key trust authentication. The Windows Server 2016 domain controller understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will be bear more of the authentication load, and easily become overloaded. What if another Windows Server 2016 domain controller is added, but without deploying Windows Hello for Business to anymore clients? +The Windows Server 2019 domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of the password authentication. Why? This behavior occurs because domain controllers 2 - 10 only support password and certificate trust authentication; only a Windows Server 2019 domain controller supports public key trust authentication. The Windows Server 2019 domain controller understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will bear more of the authentication load, and easily become overloaded. What if another Windows Server 2019 domain controller is added, but without deploying Windows Hello for Business to any more clients? + ![dc-chart3](images/plan/dc-chart3.png) -Upgrading another Windows Server 2016 domain controller distributes the public key trust authentication across two domain controllers--each supporting 50 percent of the load. But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2016 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016, but the number of WHFB clients remains the same. +Upgrading another Windows Server 2019 domain controller distributes the public key trust authentication across two domain controllers - each supporting 50 percent of the load. But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2019 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2019, but the number of WHFB clients remains the same. ![dc-chart4](images/plan/dc-chart4.png) @@ -51,7 +61,7 @@ Domain controllers 1 through 5 now share the public key trust authentication loa ![dc-chart5](images/plan/dc-chart5.png) -You'll notice the distribution did not change. Each Windows Server 2016 domain controller handles 20 percent of the public key trust authentication. However, increasing the volume of authentication (by increasing the number of clients) increases the amount of work that is represented by the same 20 percent. In the previous example, 20 percent of public key trust authentication equated to a volume of 20 authentications per domain controller capable of public key trust authentication. However, with upgraded clients, that same 20 percent represents a volume 100 public key trust authentications per public key trust capable domain controller. Also, the distribution of non-public key trust authentication remained at 10 percent, but the volume of password and certificate trust authentication decreased across the older domain controllers. +You'll notice the distribution did not change. Each Windows Server 2019 domain controller handles 20 percent of the public key trust authentication. However, increasing the volume of authentication (by increasing the number of clients) increases the amount of work that is represented by the same 20 percent. In the previous example, 20 percent of public key trust authentication equated to a volume of 20 authentications per domain controller capable of public key trust authentication. However, with upgraded clients, that same 20 percent represents a volume of 100 public key trust authentications per public key trust capable domain controller. Also, the distribution of non-public key trust authentication remained at 10 percent, but the volume of password and certificate trust authentications decreased across the older domain controllers. There are several conclusions here: * Upgrading domain controllers changes the distribution of new authentication, but doesn't change the distribution of older authentication. @@ -62,6 +72,8 @@ There are several conclusions here: The preceding was an example to show why it's unrealistic to have a "one-size-fits-all" number to describe what "an adequate amount" means. In the real world, authentication is not evenly distributed across domain controllers. + + ## Determining total AS Request load Each organization needs to have a baseline of the AS request load that occurs in their environment. Windows Server provides the KDC AS Requests performance counter that helps you determine this. @@ -83,13 +95,15 @@ Add the number of authentications for each domain controller for the median time Review the distribution of authentication. Hopefully, none of these are above 70 percent. It's always good to reserve some capacity for the unexpected. Also, the primary purposes of a domain controller are to provide authentication and handle Active Directory operations. Identify domain controllers with lower distributions of authentication as potential candidates for the initial domain controller upgrades in conjunction with a reasonable distribution of clients provisioned for Windows Hello for Business. ## Monitoring Authentication -Using the same methods previously described above, monitor the Kerberos authentication after upgrading a domain controller and your first phase of Windows Hello for Business deployments. Make note of the delta of authentication before and after upgrading the domain controller to Windows Server 2016. This delta is representative of authentication resulting from the first phase of your Windows Hello for Business clients. This gives you a baseline for your environment from which you can form a statement such as + +Using the same methods described above, monitor the Kerberos authentication after upgrading a domain controller and your first phase of Windows Hello for Business deployments. Make note of the delta of authentication before and after upgrading the domain controller to Windows Server 2019. This delta is representative of authentication resulting from the first phase of your Windows Hello for Business clients. It gives you a baseline for your environment to where you can form a statement such as: + ```"Every n Windows Hello for Business clients results in x percentage of key-trust authentication."``` Where _n_ equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. Armed with this information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment. -Remember, increasing the number of clients changes the volume of authentication distributed across the Windows Server 2016 domain controllers. If there is only one Windows Server 2016 domain controller, there's no distribution and you are simply increasing the volume of authentication for which THAT domain controller is responsible. +Remember, increasing the number of clients changes the volume of authentication distributed across the Windows Server 2019 domain controllers. If there is only one Windows Server 2019 domain controller, there's no distribution and you are simply increasing the volume of authentication for which THAT domain controller is responsible. Increasing the number of domain controllers distributes the volume of authentication, but doesn't change it. Therefore, as you add more domain controllers, the burden of authentication, for which each domain controller is responsible, decreases. Upgrading two domain controller changes the distribution to 50 percent. Upgrading three domain controllers changes the distribution to 33 percent, and so on. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index d3ab610a58..da3bf064e5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -36,7 +36,7 @@ Sign-in the AD FS server with *Domain Admin* equivalent credentials. 2. Type the following command ```PowerShell - Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication + Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication -WindowsHelloCertificateProxyEnabled $true ``` diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 1573d9e947..561401fa44 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -100,7 +100,7 @@ Organizations using older directory synchronization technology, such as DirSync ## Federation with Azure -You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) beginning with Windows Server 2012 R2. +You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/whatis-phs) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) beginning with Windows Server 2012 R2. ### Section Review diff --git a/windows/security/identity-protection/hello-for-business/reset-security-key.md b/windows/security/identity-protection/hello-for-business/reset-security-key.md index b9cdc2e5ae..0cfc09e68c 100644 --- a/windows/security/identity-protection/hello-for-business/reset-security-key.md +++ b/windows/security/identity-protection/hello-for-business/reset-security-key.md @@ -24,7 +24,7 @@ ms.reviewer: >This operation will wipe everything from your security key and reset it to factory defaults.
**All data and credentials will be cleared.** -A [Microsoft-compatible security key](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key) can be reset via Settings app ( Settings > Accounts > Sign-in options > Security key ). +A [Microsoft-compatible security key](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key) can be reset via Settings app ( Settings > Accounts > Sign-in options > Security key ).
Follow the instructions in the Settings app and look for specific instructions based on your security key manufacturer below: diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index 10a0b0a26c..33bbc7b730 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md +++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md @@ -82,7 +82,7 @@ Credential providers must be registered on a computer running Windows, and they ## Smart card subsystem architecture -Vendors provide smart cards and smart card readers, and in many cases the vendors are different for the smart card and the smart card reader. Drivers for smart card readers are written to the [Personal Computer/Smart Card (PC/SC) standard](https://www.pcscworkgroup.com/). Each smart card must have a Credential Service Provider (CSP) that uses the CryptoAPI interfaces to enable cryptographic operations, and the WinSCard APIs to enable communications with smart card hardware. +Vendors provide smart cards and smart card readers, and in many cases the vendors are different for the smart card and the smart card reader. Drivers for smart card readers are written to the [Personal Computer/Smart Card (PC/SC) standard](https://www.pcscworkgroup.com/). Each smart card must have a Cryptographic Service Provider (CSP) that uses the CryptoAPI interfaces to enable cryptographic operations, and the WinSCard APIs to enable communications with smart card hardware. ### Base CSP and smart card minidriver architecture @@ -334,7 +334,7 @@ The following properties are supported in versions of Windows designated in the ### Implications for CSPs in Windows -Credential Service Providers (CSPs), including custom smart card CSPs, continue to be supported but this approach is not recommended. Using the existing Base CSP and smart card KSP with the smart card minidriver model for smart cards provides significant benefits in terms of performance, and PIN and data caching. One minidriver can be configured to work under CryptoAPI and CNG layers. This provides benefits from enhanced cryptographic support, including elliptic curve cryptography and AES. +Cryptographic Service Providers (CSPs), including custom smart card CSPs, continue to be supported but this approach is not recommended. Using the existing Base CSP and smart card KSP with the smart card minidriver model for smart cards provides significant benefits in terms of performance, and PIN and data caching. One minidriver can be configured to work under CryptoAPI and CNG layers. This provides benefits from enhanced cryptographic support, including elliptic curve cryptography and AES. If a smart card is registered by a CSP and a smart card minidriver, the one that was installed most recently will be used to communicate with the smart card. diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 1478ec896f..c3f0286d24 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -89,11 +89,11 @@ Some things that you can check on the device are: - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) - [Details on the TPM standard](https://www.microsoft.com/en-us/research/project/the-trusted-platform-module-tpm/) (has links to features using TPM) -- [TPM Base Services Portal](https://docs.microsoft.com/en-us/windows/desktop/TBS/tpm-base-services-portal) -- [TPM Base Services API](https://docs.microsoft.com/en-us/windows/desktop/api/_tbs/) +- [TPM Base Services Portal](https://docs.microsoft.com/windows/desktop/TBS/tpm-base-services-portal) +- [TPM Base Services API](https://docs.microsoft.com/windows/desktop/api/_tbs/) - [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule) - [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) -- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/en-us/blog/device-provisioning-identity-attestation-with-tpm/) -- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/en-us/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/) +- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/blog/device-provisioning-identity-attestation-with-tpm/) +- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/) - [Windows 10: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx) - [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx) diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index d251a04493..dff04d8807 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md @@ -165,7 +165,7 @@ Use Windows Event Forwarding to collect and aggregate your WIP audit events. You 2. In the console tree under **Application and Services Logs\Microsoft\Windows**, click **EDP-Audit-Regular** and **EDP-Audit-TCB**. ## Collect WIP audit logs using Azure Monitor -You can collect audit logs using Azure Monitor. See [Windows event log data sources in Azure Monitor.](https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs) +You can collect audit logs using Azure Monitor. See [Windows event log data sources in Azure Monitor.](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs) **To view the WIP events in Azure Monitor** 1. Use an existing or create a new Log Analytics workspace. @@ -179,7 +179,7 @@ You can collect audit logs using Azure Monitor. See [Windows event log data sour >[!NOTE] >If using Windows Events Logs, the event log names can be found under Properties of the event in the Events folder (Application and Services Logs\Microsoft\Windows, click EDP-Audit-Regular and EDP-Audit-TCB). -3. Download Microsoft [Monitoring Agent](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows#install-the-agent-using-dsc-in-azure-automation). +3. Download Microsoft [Monitoring Agent](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#install-the-agent-using-dsc-in-azure-automation). 4. To get MSI for Intune installation as stated in the Azure Monitor article, extract: MMASetup-.exe /c /t: Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary key. More information on Workspace ID and Primary key can be found in **Log Analytics** > **Advanced Settings**. diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index fef2b942c2..47cc545f94 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -565,7 +565,7 @@ After you create and deploy your WIP policy to your employees, Windows begins to ## Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you can choose optional settings. -![Advanced optional settings ](images/wip-azure-advanced-settings-optional.png) +![Advanced optional settings](images/wip-azure-advanced-settings-optional.png) **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md index c65af63ce9..736efd6668 100644 --- a/windows/security/information-protection/windows-information-protection/wip-learning.md +++ b/windows/security/information-protection/windows-information-protection/wip-learning.md @@ -1,88 +1,88 @@ ---- -title: -# Fine-tune Windows Information Policy (WIP) with WIP Learning -description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company. -ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2 -ms.reviewer: -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP Learning -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: dulcemontemayor -ms.author: dolmont -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 02/26/2019 ---- - -# Fine-tune Windows Information Protection (WIP) with WIP Learning -**Applies to:** - -- Windows 10, version 1703 and later -- Windows 10 Mobile, version 1703 and later - -With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports can be accessed from Microsoft Azure Intune. - -The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Block”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly. - -In the **Website learning report**, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list. - -## Access the WIP Learning reports - -1. Open the [Azure portal](http://portal.azure.com/). - -1. Click **All services**, type **Intune** in the text box filter, and click the star to add it to **Favorites**. - -1. Click **Intune** > **Client apps** > **App protection status** > **Reports**. - - ![Image showing the UI path to the WIP report](images/access-wip-learning-report.png) - -1. Select either **App learning report for Windows Information Protection** or **Website learning report for Windows Information Protection**. - - ![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png) - -Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. - -## Use the WIP section of Device Health - -You can use Device Health to adjust your WIP protection policy. See [Using Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-using#windows-information-protection) to learn more. - -If you want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information. - -Once you have WIP policies in place, by using the WIP section of Device Health, you can: - -- Reduce disruptive prompts by adding rules to allow data sharing from approved apps. -- Tune WIP rules by confirming that certain apps are allowed or denied by current policy. - -## Use Device Health and Intune to adjust WIP protection policy - -The information needed for the following steps can be found using Device Health, which you will first have to set up. Learn more about how you can [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor). - -1. In **Device Health** click the app you want to add to your policy and copy the publisher information. - -2. In Intune, click **App protection policies** and then choose the app policy you want to add an application to. - -3. Click **Protected apps**, and then click **Add Apps**. - -4. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app). - - ![View of drop down menu for Store or desktop apps](images/wip-learning-choose-store-or-desktop-app.png) - -5. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 1 above. - - ![View of Add Apps app info entry boxes](images/wip-learning-app-info.png) - -6. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**). - -7. Copy the name of the executable (for example, snippingtool.exe) and paste it in **FILE** (required). - -8. Type the version number of the app into **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny** - -When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes) - ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +--- +title: +# Fine-tune Windows Information Policy (WIP) with WIP Learning +description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company. +ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2 +ms.reviewer: +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP Learning +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: dulcemontemayor +ms.author: dolmont +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 02/26/2019 +--- + +# Fine-tune Windows Information Protection (WIP) with WIP Learning +**Applies to:** + +- Windows 10, version 1703 and later +- Windows 10 Mobile, version 1703 and later + +With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports can be accessed from Microsoft Azure Intune. + +The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Block”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly. + +In the **Website learning report**, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list. + +## Access the WIP Learning reports + +1. Open the [Azure portal](http://portal.azure.com/). + +1. Click **All services**, type **Intune** in the text box filter, and click the star to add it to **Favorites**. + +1. Click **Intune** > **Client apps** > **App protection status** > **Reports**. + + ![Image showing the UI path to the WIP report](images/access-wip-learning-report.png) + +1. Select either **App learning report for Windows Information Protection** or **Website learning report for Windows Information Protection**. + + ![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png) + +Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. + +## Use the WIP section of Device Health + +You can use Device Health to adjust your WIP protection policy. See [Using Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-using#windows-information-protection) to learn more. + +If you want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information. + +Once you have WIP policies in place, by using the WIP section of Device Health, you can: + +- Reduce disruptive prompts by adding rules to allow data sharing from approved apps. +- Tune WIP rules by confirming that certain apps are allowed or denied by current policy. + +## Use Device Health and Intune to adjust WIP protection policy + +The information needed for the following steps can be found using Device Health, which you will first have to set up. Learn more about how you can [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor). + +1. In **Device Health** click the app you want to add to your policy and copy the publisher information. + +2. In Intune, click **App protection policies** and then choose the app policy you want to add an application to. + +3. Click **Protected apps**, and then click **Add Apps**. + +4. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app). + + ![View of drop down menu for Store or desktop apps](images/wip-learning-choose-store-or-desktop-app.png) + +5. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 1 above. + + ![View of Add Apps app info entry boxes](images/wip-learning-app-info.png) + +6. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**). + +7. Copy the name of the executable (for example, snippingtool.exe) and paste it in **FILE** (required). + +8. Type the version number of the app into **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny** + +When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes) + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 19cc428023..3946fe4807 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -849,8 +849,8 @@ ####### [Event 1105 S: Event log automatic backup.](auditing/event-1105.md) ####### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](auditing/event-1108.md) ###### [Appendix A: Security monitoring recommendations for many audit events](auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md) -###### [Registry (Global Object Access Auditing) ](auditing/registry-global-object-access-auditing.md) -###### [File System (Global Object Access Auditing) ](auditing/file-system-global-object-access-auditing.md) +###### [Registry (Global Object Access Auditing)](auditing/registry-global-object-access-auditing.md) +###### [File System (Global Object Access Auditing)](auditing/file-system-global-object-access-auditing.md) diff --git a/windows/security/threat-protection/auditing/event-4697.md b/windows/security/threat-protection/auditing/event-4697.md index 72efcaeaae..d454c05905 100644 --- a/windows/security/threat-protection/auditing/event-4697.md +++ b/windows/security/threat-protection/auditing/event-4697.md @@ -114,11 +114,11 @@ This event generates when new service was installed in the system. | 0x2 | ​File System Driver | ​A file system driver, which is also a Kernel device driver. | | 0x8 | ​Recognizer Driver | ​A file system driver used during startup to determine the file systems present on the system. | | 0x10 | ​Win32 Own Process | ​A Win32 program that can be started by the Service Controller and that obeys the service control protocol. This type of Win32 service runs in a process by itself (this is the most common). | -| 0x20 | ​Win32 Share Process | ​A Win32 service that can share a process with other Win32 services.
(see: | -| 0x110 | ​Interactive Own Process | ​A service that should be run as a standalone process and can communicate with the desktop.
(see: ) | +| 0x20 | ​Win32 Share Process | ​A Win32 service that can share a process with other Win32 services.
(see: | +| 0x110 | ​Interactive Own Process | ​A service that should be run as a standalone process and can communicate with the desktop.
(see: ) | | 0x120 | Interactive Share Process | A service that can share address space with other services of the same type and can communicate with the desktop. | -- **Service Start Type** \[Type = HexInt32\]: The service start type can have one of the following values (see: : +- **Service Start Type** \[Type = HexInt32\]: The service start type can have one of the following values (see: : | Value | Service Type | Description | |-------|---------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------| diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md index 55bc44dda3..9722578bab 100644 --- a/windows/security/threat-protection/auditing/event-5065.md +++ b/windows/security/threat-protection/auditing/event-5065.md @@ -20,7 +20,7 @@ ms.author: dansimp - Windows Server 2016 -This event generates in [BCryptConfigureContext](https://msdn.microsoft.com/es-es/vstudio/aa375379)() function. This is a Cryptographic Next Generation (CNG) function. +This event generates in [BCryptConfigureContext](https://msdn.microsoft.com/vstudio/aa375379)() function. This is a Cryptographic Next Generation (CNG) function. This event generates when configuration information was changed for existing CNG context. diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md index 1ea71b62ad..910939ae7e 100644 --- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md @@ -161,7 +161,7 @@ For example, this custom profile allows installation and usage of USB devices wi ![Custom profile](images/custom-profile-allow-device-ids.png) -Peripherals that are allowed to be installed can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks and allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. +Peripherals that are allowed to be installed can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks and allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. For a SyncML example that allows installation of specific device IDs, see [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdeviceids). To allow specific device classes, see [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdevicesetupclasses). Allowing installation of specific devices requires also enabling [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings). diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md index 39593c240a..ac3e78109d 100644 --- a/windows/security/threat-protection/fips-140-validation.md +++ b/windows/security/threat-protection/fips-140-validation.md @@ -1,172 +1,172 @@ ---- -title: FIPS 140 Validation -description: This topic provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard FIPS 140. -ms.prod: w10 -audience: ITPro -author: dulcemontemayor -ms.author: dolmont -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium -ms.date: 04/03/2018 -ms.reviewer: ---- - - -# FIPS 140 Validation - -On this page - - - [Introduction](https://technet.microsoft.com/library/cc750357.aspx#id0eo) - - [FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#id0ebd) - - [Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#id0ezd) - - [Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#id0eve) - - [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#id0eibac) - - [FIPS 140 FAQ](https://technet.microsoft.com/library/cc750357.aspx#id0eqcac) - - [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#id0ewfac) - - [Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#id0erobg) - -Updated: March 2018 - - - -## Introduction - -This document provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard, *Federal Information Processing Standard (FIPS) 140 – Security Requirements for Cryptographic Modules* \[FIPS 140\]. - -### Audience - -This document is primarily focused on providing information for three parties: - -[Procurement Officer](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_product_validation) – Responsible for verifying that Microsoft products (or even third-party applications) are either FIPS 140 validated or utilize a Microsoft FIPS 140 validated cryptographic module. - -[System Integrator](https://technet.microsoft.com/library/cc750357.aspx#_information_for_system) – Responsible for ensuring that Microsoft Products are configured properly to use only FIPS 140 validated cryptographic modules. - -[Software Developer](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) – Responsible for building software products that utilize Microsoft FIPS 140 validated cryptographic modules. - -### Document Map - -This document is broken into seven major sections: - -[FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#_fips_140_overview) – Provides an overview of the FIPS 140 standard as well as provides some historical information about the standard. - -[Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_product_validation) – Provides information on how Microsoft products are FIPS 140 validated. - -[Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#_information_for_system) – Describes how to configure and verify that Microsoft Products are being used in a manner consistent with the product’s FIPS 140 Security Policy. - -[Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) – Identifies how developers can leverage the Microsoft FIPS 140 validated cryptographic modules. - -[FAQ](https://technet.microsoft.com/library/cc750357.aspx#_fips_140_faq) – Frequently Asked Questions. - -[Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) – Explains Microsoft cryptographic architecture and identifies specific modules that are FIPS 140 validated. - -[Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#_cryptographic_algorithms) – Lists the cryptographic algorithm, modes, states, key sizes, Windows versions, and corresponding cryptographic algorithm validation certificates. - -## FIPS 140 Overview - -### FIPS 140 Standard - -FIPS 140 is a US government and Canadian government standard that defines a minimum set of the security requirements for products that implement cryptography. This standard is designed for cryptographic modules that are used to secure sensitive but unclassified information. Testing against the FIPS 140 standard is maintained by the Cryptographic Module Validation Program (CMVP), a joint effort between the US National Institute of Standards and Technology (NIST) and the Communications Security Establishment of Canada (CSEC). - -The current standard defines four-levels of increasing security, 1 through 4. Most software products (including all Microsoft products) are tested against the Level 1 security requirements. - -### Applicability of the FIPS standard - -Within the US Federal government, the FIPS 140 standard applies to any security system (whether hardware, firmware, software, or a combination thereof) to be used by agencies for protecting sensitive but unclassified information. Some agencies have expanded its use by requiring that the modules to be procured for secret systems also meet the FIPS 140 requirements. - -The FIPS 140 standard has also been used by different standards bodies, specification groups, nations, and private institutions as a requirement or guideline for those products (e.g. – Digital Cinema Systems Specification). - -### History of 140-1 - -FIPS 140-1 is the original working version of the standard made official on January 11, 1994. The standard remained in effect until FIPS 140-2 became mandatory for new products on May 25, 2002. - -### FIPS 140-2 - -FIPS 140-2 is currently the active version of the standard. - -### Microsoft FIPS Support Policy - -Microsoft actively maintains FIPS 140 validation for its cryptographic modules. - -### FIPS Mode of Operation - -The common term “FIPS mode” is used in this document and Security Policy documents. When a cryptographic module contains both FIPS-approved and non-FIPS approved security methods, it must have a "FIPS mode of operation" to ensure only FIPS-approved security methods may be used. When a module is in "FIPS mode", a non-FIPS approved method cannot be used instead of a FIPS-approved method. - -## Microsoft Product Validation (Information for Procurement Officers and Auditors) - -This section provides information for Procurement Officers and Auditors who are responsible for ensuring that Microsoft products with FIPS 140 validated cryptographic modules are used in their organization. The goal of this section is to provide an overview of the Microsoft developed products and modules and explain how the validated cryptographic modules are used. - -### Microsoft Product Relationship with CNG and CAPI libraries - -Rather than validate individual components and products, Microsoft chooses to validate only the underlying cryptographic modules. Subsequently, many Windows components and Microsoft products are built to rely on the Cryptographic API: Next Generation (CNG) and legacy Cryptographic API (CAPI) FIPS 140 validated cryptographic modules. Windows components and Microsoft products use the documented application programming interfaces (APIs) for each of the modules to access various cryptographic services. - -The following list contains some of the Windows components and Microsoft products that rely on FIPS 140 validated cryptographic modules: - - - Schannel Security Package - - Remote Desktop Protocol (RDP) Client - - Encrypting File System (EFS) - - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.) - - BitLocker® Drive Full-volume Encryption - - IPsec Settings of Windows Firewall - -## Information for System Integrators - -This section provides information for System Integrators and Auditors who are responsible for deploying Microsoft products in a manner consistent with the product’s FIPS 140 Security Policy. - -There are two steps to ensure that Microsoft products operate in FIPS mode: - -1. Selecting/Installing FIPS 140 validated cryptographic modules -2. Setting FIPS local/group security policy flag. - -### Step 1 – Selecting/Installing FIPS 140 Validated Cryptographic Modules - -Systems Integrators must ensure that all cryptographic modules installed are, in fact, FIPS 140 validated. This can be accomplished by cross-checking the version number of the installed module with the list of validated binaries. The list of validated CAPI binaries is identified in the [CAPI Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_capi_validated_cryptographic) section below and the list of validated CNG binaries is identified in the [CNG Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_cng_validated_cryptographic) section below. There are similar sections for all other validated cryptographic modules. - -The version number of the installed binary is found by right-clicking the module file and clicking on the Version or Details tab. Cryptographic modules are stored in the "windows\\system32" or "windows\\system32\\drivers" directory. - -### Step 2 – Setting FIPS Local/Group Security Policy Flag - -The Windows operating system provides a group (or local) security policy setting, “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”, which is used by many Microsoft products to determine whether to operate in a FIPS-approved mode. When this policy is set, the validated cryptographic modules in Windows will also operate in a FIPS-approved mode. - -**Note** – There is no enforcement of the FIPS policy by the operating system or the validated cryptographic modules. Instead, each individual application must check this flag and enforce the Security Policy of the validated cryptographic modules. - -#### Instructions on Setting the FIPS Local/Group Security Policy Flag - -While there are alternative methods for setting the FIPS local/group security policy flag, the following method is included as a guide to users with Administrative privileges. This description is for the Local Security Policy, but the Group Security Policy may be set in a similar manner. - -1. Open the 'Run' menu by pressing the combination 'Windows Key + R'. -2. Type 'secpol.msc' and press 'Enter' or click the 'Ok' button. -3. In the Local Security Policy management console window that opens, use the left tab to navigate to the Local Policies -\> Security Options. -4. Scroll down the right pane and double-click 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'. -5. In the properties window, select the 'Enabled' option and click the 'Apply' button. - -#### Microsoft Components and Products That Utilize FIPS Local/Group Security Policy - -The following list details some of the Microsoft components that use the cryptographic functionality implemented by either CNG or legacy CAPI. When the FIPS Local/Group Security Policy is set, the following components will enforce the validated module Security Policy. - - - Schannel Security Package - - Remote Desktop Protocol (RDP) Client - - Encrypting File System (EFS) - - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.) - - BitLocker® Drive Full-volume Encryption - - IPsec Settings of Windows Firewall - -#### Effects of Setting FIPS Local/Group Security Policy Flag - -When setting the FIPS local/group security policy flag, the behavior of several Microsoft components and products are affected. The most noticeable difference will be that the components enforcing this setting will only use those algorithms approved or allowed in FIPS mode. The specific changes to the products listed above are: - +--- +title: FIPS 140 Validation +description: This topic provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard FIPS 140. +ms.prod: w10 +audience: ITPro +author: dulcemontemayor +ms.author: dolmont +manager: dansimp +ms.collection: M365-identity-device-management +ms.topic: article +ms.localizationpriority: medium +ms.date: 04/03/2018 +ms.reviewer: +--- + + +# FIPS 140 Validation + +On this page + + - [Introduction](https://technet.microsoft.com/library/cc750357.aspx#id0eo) + - [FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#id0ebd) + - [Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#id0ezd) + - [Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#id0eve) + - [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#id0eibac) + - [FIPS 140 FAQ](https://technet.microsoft.com/library/cc750357.aspx#id0eqcac) + - [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#id0ewfac) + - [Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#id0erobg) + +Updated: March 2018 + + + +## Introduction + +This document provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard, *Federal Information Processing Standard (FIPS) 140 – Security Requirements for Cryptographic Modules* \[FIPS 140\]. + +### Audience + +This document is primarily focused on providing information for three parties: + +[Procurement Officer](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_product_validation) – Responsible for verifying that Microsoft products (or even third-party applications) are either FIPS 140 validated or utilize a Microsoft FIPS 140 validated cryptographic module. + +[System Integrator](https://technet.microsoft.com/library/cc750357.aspx#_information_for_system) – Responsible for ensuring that Microsoft Products are configured properly to use only FIPS 140 validated cryptographic modules. + +[Software Developer](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) – Responsible for building software products that utilize Microsoft FIPS 140 validated cryptographic modules. + +### Document Map + +This document is broken into seven major sections: + +[FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#_fips_140_overview) – Provides an overview of the FIPS 140 standard as well as provides some historical information about the standard. + +[Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_product_validation) – Provides information on how Microsoft products are FIPS 140 validated. + +[Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#_information_for_system) – Describes how to configure and verify that Microsoft Products are being used in a manner consistent with the product’s FIPS 140 Security Policy. + +[Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) – Identifies how developers can leverage the Microsoft FIPS 140 validated cryptographic modules. + +[FAQ](https://technet.microsoft.com/library/cc750357.aspx#_fips_140_faq) – Frequently Asked Questions. + +[Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) – Explains Microsoft cryptographic architecture and identifies specific modules that are FIPS 140 validated. + +[Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#_cryptographic_algorithms) – Lists the cryptographic algorithm, modes, states, key sizes, Windows versions, and corresponding cryptographic algorithm validation certificates. + +## FIPS 140 Overview + +### FIPS 140 Standard + +FIPS 140 is a US government and Canadian government standard that defines a minimum set of the security requirements for products that implement cryptography. This standard is designed for cryptographic modules that are used to secure sensitive but unclassified information. Testing against the FIPS 140 standard is maintained by the Cryptographic Module Validation Program (CMVP), a joint effort between the US National Institute of Standards and Technology (NIST) and the Communications Security Establishment of Canada (CSEC). + +The current standard defines four-levels of increasing security, 1 through 4. Most software products (including all Microsoft products) are tested against the Level 1 security requirements. + +### Applicability of the FIPS standard + +Within the US Federal government, the FIPS 140 standard applies to any security system (whether hardware, firmware, software, or a combination thereof) to be used by agencies for protecting sensitive but unclassified information. Some agencies have expanded its use by requiring that the modules to be procured for secret systems also meet the FIPS 140 requirements. + +The FIPS 140 standard has also been used by different standards bodies, specification groups, nations, and private institutions as a requirement or guideline for those products (e.g. – Digital Cinema Systems Specification). + +### History of 140-1 + +FIPS 140-1 is the original working version of the standard made official on January 11, 1994. The standard remained in effect until FIPS 140-2 became mandatory for new products on May 25, 2002. + +### FIPS 140-2 + +FIPS 140-2 is currently the active version of the standard. + +### Microsoft FIPS Support Policy + +Microsoft actively maintains FIPS 140 validation for its cryptographic modules. + +### FIPS Mode of Operation + +The common term “FIPS mode” is used in this document and Security Policy documents. When a cryptographic module contains both FIPS-approved and non-FIPS approved security methods, it must have a "FIPS mode of operation" to ensure only FIPS-approved security methods may be used. When a module is in "FIPS mode", a non-FIPS approved method cannot be used instead of a FIPS-approved method. + +## Microsoft Product Validation (Information for Procurement Officers and Auditors) + +This section provides information for Procurement Officers and Auditors who are responsible for ensuring that Microsoft products with FIPS 140 validated cryptographic modules are used in their organization. The goal of this section is to provide an overview of the Microsoft developed products and modules and explain how the validated cryptographic modules are used. + +### Microsoft Product Relationship with CNG and CAPI libraries + +Rather than validate individual components and products, Microsoft chooses to validate only the underlying cryptographic modules. Subsequently, many Windows components and Microsoft products are built to rely on the Cryptographic API: Next Generation (CNG) and legacy Cryptographic API (CAPI) FIPS 140 validated cryptographic modules. Windows components and Microsoft products use the documented application programming interfaces (APIs) for each of the modules to access various cryptographic services. + +The following list contains some of the Windows components and Microsoft products that rely on FIPS 140 validated cryptographic modules: + + - Schannel Security Package + - Remote Desktop Protocol (RDP) Client + - Encrypting File System (EFS) + - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.) + - BitLocker® Drive Full-volume Encryption + - IPsec Settings of Windows Firewall + +## Information for System Integrators + +This section provides information for System Integrators and Auditors who are responsible for deploying Microsoft products in a manner consistent with the product’s FIPS 140 Security Policy. + +There are two steps to ensure that Microsoft products operate in FIPS mode: + +1. Selecting/Installing FIPS 140 validated cryptographic modules +2. Setting FIPS local/group security policy flag. + +### Step 1 – Selecting/Installing FIPS 140 Validated Cryptographic Modules + +Systems Integrators must ensure that all cryptographic modules installed are, in fact, FIPS 140 validated. This can be accomplished by cross-checking the version number of the installed module with the list of validated binaries. The list of validated CAPI binaries is identified in the [CAPI Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_capi_validated_cryptographic) section below and the list of validated CNG binaries is identified in the [CNG Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_cng_validated_cryptographic) section below. There are similar sections for all other validated cryptographic modules. + +The version number of the installed binary is found by right-clicking the module file and clicking on the Version or Details tab. Cryptographic modules are stored in the "windows\\system32" or "windows\\system32\\drivers" directory. + +### Step 2 – Setting FIPS Local/Group Security Policy Flag + +The Windows operating system provides a group (or local) security policy setting, “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”, which is used by many Microsoft products to determine whether to operate in a FIPS-approved mode. When this policy is set, the validated cryptographic modules in Windows will also operate in a FIPS-approved mode. + +**Note** – There is no enforcement of the FIPS policy by the operating system or the validated cryptographic modules. Instead, each individual application must check this flag and enforce the Security Policy of the validated cryptographic modules. + +#### Instructions on Setting the FIPS Local/Group Security Policy Flag + +While there are alternative methods for setting the FIPS local/group security policy flag, the following method is included as a guide to users with Administrative privileges. This description is for the Local Security Policy, but the Group Security Policy may be set in a similar manner. + +1. Open the 'Run' menu by pressing the combination 'Windows Key + R'. +2. Type 'secpol.msc' and press 'Enter' or click the 'Ok' button. +3. In the Local Security Policy management console window that opens, use the left tab to navigate to the Local Policies -\> Security Options. +4. Scroll down the right pane and double-click 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'. +5. In the properties window, select the 'Enabled' option and click the 'Apply' button. + +#### Microsoft Components and Products That Utilize FIPS Local/Group Security Policy + +The following list details some of the Microsoft components that use the cryptographic functionality implemented by either CNG or legacy CAPI. When the FIPS Local/Group Security Policy is set, the following components will enforce the validated module Security Policy. + + - Schannel Security Package + - Remote Desktop Protocol (RDP) Client + - Encrypting File System (EFS) + - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.) + - BitLocker® Drive Full-volume Encryption + - IPsec Settings of Windows Firewall + +#### Effects of Setting FIPS Local/Group Security Policy Flag + +When setting the FIPS local/group security policy flag, the behavior of several Microsoft components and products are affected. The most noticeable difference will be that the components enforcing this setting will only use those algorithms approved or allowed in FIPS mode. The specific changes to the products listed above are: + - Schannel Security Package forced to negotiate sessions using TLS. The following supported Cipher Suites are disabled: - + - - TLS\_RSA\_WITH\_RC4\_128\_SHA - TLS\_RSA\_WITH\_RC4\_128\_MD5 - SSL\_CK\_RC4\_128\_WITH\_MD5 - SSL\_CK\_DES\_192\_EDE3\_CBC\_WITH\_MD5 - TLS\_RSA\_WITH\_NULL\_MD5 - TLS\_RSA\_WITH\_NULL\_SHA - + - The set of cryptographic algorithms that a Remote Desktop Protocol (RDP) server will use is scoped to: - + - - CALG\_RSA\_KEYX - RSA public key exchange algorithm - CALG\_3DES - Triple DES encryption algorithm - CALG\_AES\_128 - 128 bit AES @@ -175,6916 +175,6916 @@ When setting the FIPS local/group security policy flag, the behavior of several - CALG\_SHA\_256 - 256 bit SHA hashing algorithm - CALG\_SHA\_384 - 384 bit SHA hashing algorithm - CALG\_SHA\_512 - 512 bit SHA hashing algorithm - + - Any Microsoft .NET Framework applications, such as Microsoft ASP.NET or Windows Communication Foundation (WCF), only allow algorithm implementations that are validated to FIPS 140, meaning only classes that end in "CryptoServiceProvider" or "Cng" can be used. Any attempt to create an instance of other cryptographic algorithm classes or create instances that use non-allowed algorithms will cause an InvalidOperationException exception. - + - Verification of ClickOnce applications fails unless the client computer has .NET Framework 2.0 SP1 or later service pack installed or .NET Framework 3.5 or later installed. - + - On Windows Vista and Windows Server 2008 and later, BitLocker Drive Encryption switches from AES-128 using the elephant diffuser to using the approved AES-256 encryption. Recovery passwords are not created or backed up. Instead, backup a recovery key on a local drive or on a network share. To use the recovery key, put the key on a USB device and plug the device into the computer. - -Please be aware that selection of FIPS mode can limit product functionality (See ). - -## Information for Software Developers - -This section is targeted at developers who wish to build their own applications using the FIPS 140 validated cryptographic modules. - -Each of the validated cryptographic modules defines a series of rules that must be followed. The security rules for each validated cryptographic module are specified in the Security Policy document. Links to each of the Security Policy documents is provided in the [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) section below. Generally, the restriction in Microsoft validated cryptographic modules is limiting the use of cryptography to only FIPS Approved cryptographic algorithms, modes, and key sizes. - -### Using Microsoft Cryptographic Modules in a FIPS mode of operation - -No matter whether developing with native languages or using .NET, it is important to first check whether the CNG modules for the target system are FIPS validated. The list of validated CNG binaries is identified in the [CNG Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_cng_validated_cryptographic) section. - -When developing using CNG directly, it is the responsibility of the developer to follow the security rules outlined in the FIPS 140 Security Policy for each module. The security policy for each module is provided on the CMVP website. Links to each of the Security Policy documents is provided in the tables below. It is important to remember that setting the FIPS local/group security policy Flag (discussed above) does not affect the behavior of the modules when used for developing custom applications. - -If you are developing your application using .NET instead of using the native libraries, then setting the FIPS local policy flag will generate an exception when an improper .NET class is used for cryptography (i.e. the cryptographic classes whose names end in "Managed"). The names of these allowed classes end with "Cng", which use the CNG binaries or "CryptoServiceProvider", which use the legacy CAPI binaries. - -### Key Strengths and Validity Periods - -NIST Special Publication 800-131A Revision 1, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, dated November 2015, \[[SP 800-131A](http://dx.doi.org/10.6028/nist.sp.800-131ar1)\], offers guidance for moving to stronger cryptographic keys and algorithms. This does not replace NIST SP 800-57, Recommendation for Key Management Part 1: General, \[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\], but gives more specific guidance. One of the most important topics discussed in these publications deals with the key strengths of FIPS Approved algorithms and their validity periods. When developing applications that use FIPS Approved algorithms, it is also extremely important to select appropriate key sizes based on the security lifetimes recommended by NIST. - -## FIPS 140 FAQ - -The following are answers to commonly asked questions for the FIPS 140-2 validation of Microsoft products. - -1. How does FIPS 140 relate to the Common Criteria? - **Answer:** These are two separate security standards with different, but complementary, purposes. FIPS 140 is a standard designed specifically for validating product modules that implement cryptography. On the other hand, Common Criteria is designed to help evaluate security functions in IT products. - In many cases, Common Criteria evaluations will rely on FIPS 140 validations to provide assurance that cryptographic functionality is implemented properly. -2. How does FIPS 140 relate to Suite B? - **Answer:** Suite B is simply a set of cryptographic algorithms defined by the U.S. National Security Agency (NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to be used for both unclassified information and most classified information. - The Suite B cryptographic algorithms are a subset of the FIPS Approved cryptographic algorithms as allowed by the FIPS 140 standard. -3. There are so many modules listed on the NIST website for each release, how are they related and how do I tell which one applies to me? - **Answer:** Microsoft strives to validate all releases of its cryptographic modules. Each module provides a different set of cryptographic algorithms. If you are required to use only FIPS validated cryptographic modules, you simply need to verify that the version being used appears on the validation list. - Please see the [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140)section for a complete list of Microsoft validated modules. -4. My application links against crypt32.dll, cryptsp.dll, advapi32.dll, bcrypt.dll, bcryptprimitives.dll, or ncrypt.dll. What do I need to do to assure I’m using FIPS 140 validated cryptographic modules? - **Answer:** crypt32.dll, cryptsp.dll, advapi32.dll, and ncrypt.dll are intermediary libraries that will offload all cryptographic operations to the FIPS validated cryptographic modules. Bcrypt.dll itself is a validated cryptographic module for Windows Vista and Windows Server 2008. For Windows 7 and Windows Server 2008 R2 and later, bcryptprimitives.dll is the validated module, but bcrypt.dll remains as one of the libraries to link against. - You must first verify that the underlying CNG cryptographic module is validated. Once verified, you'll need to confirm that you're using the module correctly in FIPS mode (See [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) section for details). -5. What does "When operated in FIPS mode" mean on certificates? - **Answer:** This caveat identifies that a required configuration and security rules must be followed in order to use the cryptographic module in a manner consistent with its FIPS 140 Security Policy. The security rules are defined in the Security Policy for the module and usually revolve around using only FIPS Approved cryptographic algorithms and key sizes. Please see the Security Policy for the specific security rules for each cryptographic module (See [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) section for links to each policy). -6. Which FIPS validated module is called when Windows 7 or Windows 8 is configured to use the FIPS setting in the wireless configuration? - **Answer:** CNG is used. This setting tells the wireless driver to call FIPS 140-2 validated cryptographic modules instead of using the driver’s own cryptography, if any. -7. Is BitLocker to Go FIPS 140-2 validated? - **Answer:** There are two separate parts for BitLocker to Go. One part is simply a native feature of BitLocker and as such, it uses FIPS 140-2 validated cryptographic modules. The other part is the BitLocker to Go Reader application for down-level support of older operating systems such as Windows XP and Windows Vista. The Reader application does not use FIPS 140-2 validated cryptographic modules. -8. Are applications FIPS 140-2 validated? - **Answer:** Microsoft only has low-level cryptographic modules in Windows FIPS 140-2 validated, not high-level applications. A better question is whether a certain application calls a FIPS 140-2 validated cryptographic module in the underlying Windows OS. That question needs to be directed to the company/product group that created the application of interest. -9. How can Systems Center Operations Manager 2012 be configured to use FIPS 140-2 validated cryptographic modules? - **Answer:** See [http://technet.microsoft.com/library/hh914094.aspx](https://technet.microsoft.com/library/hh914094.aspx) - -## Microsoft FIPS 140 Validated Cryptographic Modules - -### Modules By Operating System - -The following tables identify the Cryptographic Modules for an operating system. - -#### Windows - -##### Windows 10 Creators Update (Version 1703) - -Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile - -
User-driven modeRequirements and validation steps for deploying a new Azure Active Directory (AAD) joined or hybrid AAD-joined Windows 10 device are provided. -
Self-deploying modeRequirements and validation steps for deploying a new Windows 10 device device with little to no user interaction are provided. +
Self-deploying modeRequirements and validation steps for deploying a new Windows 10 device with little to no user interaction are provided.
Windows Autopilot ResetUsing Windows Autopilot Reset, a device can be restored to its original settings, taking it back to a business-ready state. Both local and remote reset scenarios are discussed.
Windows Autopilot for white glove deploymentRequirements and procedures are described that enable additional policies and apps to be delivered to a Windows Autopilot device.
Support for existing devicesThis topic describes how Windows Autopilot can be used to convert Windows 7 or Windows 8.1 domain-joined computers to AAD-joined computers running Windows 10. diff --git a/windows/deployment/windows-autopilot/registration-auth.md b/windows/deployment/windows-autopilot/registration-auth.md index 413adf3a32..452de96733 100644 --- a/windows/deployment/windows-autopilot/registration-auth.md +++ b/windows/deployment/windows-autopilot/registration-auth.md @@ -44,7 +44,7 @@ For a CSP to register Windows Autopilot devices on behalf of a customer, the cus ![Request a reseller relationship](images/csp1.png) - Select the checkbox indicating whether or not you want delegated admin rights: ![Delegated rights](images/csp2.png) - - NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal: https://docs.microsoft.com/en-us/partner-center/customers_revoke_admin_privileges + - NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal: https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges - Send the template above to the customer via email. 2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following MSfB page: diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md index e2fb1ecaa1..bcddf84201 100644 --- a/windows/deployment/windows-autopilot/self-deploying.md +++ b/windows/deployment/windows-autopilot/self-deploying.md @@ -1,71 +1,71 @@ ---- -title: Windows Autopilot Self-Deploying mode (Preview) -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.reviewer: mniehaus -manager: laurawi -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot Self-Deploying mode - -**Applies to: Windows 10, version 1809 or later** - -Windows Autopilot self-deploying mode enables a device to be deployed with little to no user interaction. For devices with an Ethernet connection, no user interaction is required; for devices connected via Wi-fi, no interaction is required after making the Wi-fi connection (choosing the language, locale, and keyboard, then making a network connection). - -Self-deploying mode joins the device into Azure Active Directory, enrolls the device in Intune (or another MDM service) leveraging Azure AD for automatic MDM enrollment, and ensures that all policies, applications, certificates, and networking profiles are provisioned on the device, leveraging the enrollment status page to prevent access to the desktop until the device is fully provisioned. - ->[!NOTE] ->Self-deploying mode does not support Active Directory Join or Hybrid Azure AD Join. All devices will be joined to Azure Active Directory. - -Self-deploying mode is designed to deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details. - ->[!NOTE] ->Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device. - -![The user experience with Windows Autopilot self-deploying mode](images/self-deploy-welcome.png) - -## Requirements - -Because self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant, devices without TPM 2.0 cannot be used with this mode. The devices must also support TPM device attestation. (All newly-manufactured Windows devices should meet these requirements.) - ->[!NOTE] ->If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error. (Hyper-V virtual TPMs are not supported.) - -In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. - -## Step by step - -In order to perform a self-deploying mode deployment using Windows Autopilot, the following preparation steps need to be completed: - -- Create an Autopilot profile for self-deploying mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. (Note that it is not possible to create a profile in the Microsoft Store for Business or Partner Center for self-deploying mode.) -- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. Ensure that the profile has been assigned to the device before attempting to deploy that device. -- Boot the device, connecting it to Wi-fi if required, then wait for the provisioning process to complete. - -## Validation - -When performing a self-deploying mode deployment using Windows Autopilot, the following end-user experience should be observed: - -- Once connected to a network, the Autopilot profile will be downloaded. -- If the Autopilot profile has been configured to automatically configure the language, locale, and keyboard layout, these OOBE screens should be skipped as long as Ethernet connectivity is available. Otherwise, manual steps are required: - - If multiple languages are preinstalled in Windows 10, the user must pick a language. - - The user must pick a locale and a keyboard layout, and optionally a second keyboard layout. -- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network. -- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required). -- The device will join Azure Active Directory. -- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services). -- The [enrollment status page](enrollment-status.md) will be displayed. -- Depending on the device settings deployed, the device will either: - - Remain at the logon screen, where any member of the organization can log on by specifying their Azure AD credentials. - - Automatically sign in as a local account, for devices configured as a kiosk or digital signage. - -In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation. +--- +title: Windows Autopilot Self-Deploying mode (Preview) +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot Self-Deploying mode + +**Applies to: Windows 10, version 1809 or later** + +Windows Autopilot self-deploying mode enables a device to be deployed with little to no user interaction. For devices with an Ethernet connection, no user interaction is required; for devices connected via Wi-fi, no interaction is required after making the Wi-fi connection (choosing the language, locale, and keyboard, then making a network connection). + +Self-deploying mode joins the device into Azure Active Directory, enrolls the device in Intune (or another MDM service) leveraging Azure AD for automatic MDM enrollment, and ensures that all policies, applications, certificates, and networking profiles are provisioned on the device, leveraging the enrollment status page to prevent access to the desktop until the device is fully provisioned. + +>[!NOTE] +>Self-deploying mode does not support Active Directory Join or Hybrid Azure AD Join. All devices will be joined to Azure Active Directory. + +Self-deploying mode is designed to deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details. + +>[!NOTE] +>Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device. + +![The user experience with Windows Autopilot self-deploying mode](images/self-deploy-welcome.png) + +## Requirements + +Because self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant, devices without TPM 2.0 cannot be used with this mode. The devices must also support TPM device attestation. (All newly-manufactured Windows devices should meet these requirements.) + +>[!NOTE] +>If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error. (Hyper-V virtual TPMs are not supported.) + +In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. + +## Step by step + +In order to perform a self-deploying mode deployment using Windows Autopilot, the following preparation steps need to be completed: + +- Create an Autopilot profile for self-deploying mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. (Note that it is not possible to create a profile in the Microsoft Store for Business or Partner Center for self-deploying mode.) +- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. Ensure that the profile has been assigned to the device before attempting to deploy that device. +- Boot the device, connecting it to Wi-fi if required, then wait for the provisioning process to complete. + +## Validation + +When performing a self-deploying mode deployment using Windows Autopilot, the following end-user experience should be observed: + +- Once connected to a network, the Autopilot profile will be downloaded. +- If the Autopilot profile has been configured to automatically configure the language, locale, and keyboard layout, these OOBE screens should be skipped as long as Ethernet connectivity is available. Otherwise, manual steps are required: + - If multiple languages are preinstalled in Windows 10, the user must pick a language. + - The user must pick a locale and a keyboard layout, and optionally a second keyboard layout. +- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network. +- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required). +- The device will join Azure Active Directory. +- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services). +- The [enrollment status page](enrollment-status.md) will be displayed. +- Depending on the device settings deployed, the device will either: + - Remain at the logon screen, where any member of the organization can log on by specifying their Azure AD credentials. + - Automatically sign in as a local account, for devices configured as a kiosk or digital signage. + +In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation. diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md index 0b60714d75..cce649aaf6 100644 --- a/windows/deployment/windows-autopilot/user-driven.md +++ b/windows/deployment/windows-autopilot/user-driven.md @@ -1,99 +1,99 @@ ---- -title: Windows Autopilot User-Driven Mode -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.reviewer: mniehaus -manager: laurawi -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot user-driven mode - -Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions: - -- Unbox the device, plug it in, and turn it on. -- Choose a language, locale and keyboard. -- Connect it to a wireless or wired network with internet access. -- Specify your e-mail address and password for your organization account. - -After completing those simple steps, the remainder of the process is completely automated, with the device being joined to the organization, enrolled in Intune (or another MDM service), and fully configured as defined by the organization. Any additional prompts during the Out-of-Box Experience (OOBE) can be supressed; see [Configuring Autopilot Profiles](profiles.md) for options that are available. - -Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. - -## Available user-driven modes - -The following options are available for user-driven deployment: - -- [Azure Active Directory join](#user-driven-mode-for-azure-active-directory-join) is available if devices do not need to be joined to an on-prem Active Directory domain. -- [Hybrid Azure Active Directory join](#user-driven-mode-for-hybrid-azure-active-directory-join) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain. - -### User-driven mode for Azure Active Directory join - -In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed: - -- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information. -- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected. -- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. - -For each device that will be deployed using user-driven deployment, these additional steps are needed: - -- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information. -- Ensure an Autopilot profile has been assigned to the device: - - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically. - - If using Intune and Azure Active Directory static device groups, manually add the device to the device group. - - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device. - -Also see the [Validation](#validation) section below. - -### User-driven mode for hybrid Azure Active Directory join - -Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment and want to also join devices to your on-premises domain, you can accomplish this by configuring Autopilot devices to be [hybrid Azure Active Directory (AAD) joined](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan). - -#### Requirements - -To perform a user-driven hybrid AAD joined deployment using Windows Autopilot: - -- A Windows Autopilot profile for user-driven mode must be created and - - **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile. -- If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group. -- The device must be running Windows 10, version 1809 or later. -- The device must be able to access an Active Directory domain controller, so it must be connected to the organization's network (where it can resolve the DNS records for the AD domain and the AD domain controller, and communicate with the domain controller to authenticate the user). -- The device must be able to access the Internet, following the [documented Windows Autopilot network requirements](windows-autopilot-requirements.md). -- The Intune Connector for Active Directory must be installed. - - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf. -- If using Proxy, WPAD Proxy settings option must be enabled and configured. - -**AAD device join**: The hybrid AAD join process uses the system context to perform device AAD join, therefore it is not affected by user based AAD join permission settings. In addition, all users are enabled to join devices to AAD by default. - -#### Step by step instructions - -See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid). - -Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. - -## Validation - -When performing a user-driven deployment using Windows Autopilot, the following end-user experience should be observed: - -- If multiple languages are preinstalled in Windows 10, the user must pick a language. -- The user must pick a locale and a keyboard layout, and optionally a second keyboard layout. -- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network. -- Once connected to a network, the Autopilot profile will be downloaded. -- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required). -- The user will be prompted for Azure Active Directory credentials, with a customized user experience showing the Azure AD tenant name, logo, and sign-in text. -- Once correct credentials have been entered, the device will join Azure Active Directory. -- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services). -- If configured, the [enrollment status page](enrollment-status.md) will be displayed. -- Once the device configuration tasks have completed, the user will be signed into Windows 10 using the credentials they previously provided. -- Once signed in, the enrollment status page will again be displayed for user-targeted configuration tasks. - -In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation. +--- +title: Windows Autopilot User-Driven Mode +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot user-driven mode + +Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions: + +- Unbox the device, plug it in, and turn it on. +- Choose a language, locale and keyboard. +- Connect it to a wireless or wired network with internet access. +- Specify your e-mail address and password for your organization account. + +After completing those simple steps, the remainder of the process is completely automated, with the device being joined to the organization, enrolled in Intune (or another MDM service), and fully configured as defined by the organization. Any additional prompts during the Out-of-Box Experience (OOBE) can be supressed; see [Configuring Autopilot Profiles](profiles.md) for options that are available. + +Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. + +## Available user-driven modes + +The following options are available for user-driven deployment: + +- [Azure Active Directory join](#user-driven-mode-for-azure-active-directory-join) is available if devices do not need to be joined to an on-prem Active Directory domain. +- [Hybrid Azure Active Directory join](#user-driven-mode-for-hybrid-azure-active-directory-join) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain. + +### User-driven mode for Azure Active Directory join + +In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed: + +- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information. +- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected. +- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. + +For each device that will be deployed using user-driven deployment, these additional steps are needed: + +- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information. +- Ensure an Autopilot profile has been assigned to the device: + - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically. + - If using Intune and Azure Active Directory static device groups, manually add the device to the device group. + - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device. + +Also see the [Validation](#validation) section below. + +### User-driven mode for hybrid Azure Active Directory join + +Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment and want to also join devices to your on-premises domain, you can accomplish this by configuring Autopilot devices to be [hybrid Azure Active Directory (AAD) joined](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan). + +#### Requirements + +To perform a user-driven hybrid AAD joined deployment using Windows Autopilot: + +- A Windows Autopilot profile for user-driven mode must be created and + - **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile. +- If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group. +- The device must be running Windows 10, version 1809 or later. +- The device must be able to access an Active Directory domain controller, so it must be connected to the organization's network (where it can resolve the DNS records for the AD domain and the AD domain controller, and communicate with the domain controller to authenticate the user). +- The device must be able to access the Internet, following the [documented Windows Autopilot network requirements](windows-autopilot-requirements.md). +- The Intune Connector for Active Directory must be installed. + - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf. +- If using Proxy, WPAD Proxy settings option must be enabled and configured. + +**AAD device join**: The hybrid AAD join process uses the system context to perform device AAD join, therefore it is not affected by user based AAD join permission settings. In addition, all users are enabled to join devices to AAD by default. + +#### Step by step instructions + +See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid). + +Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. + +## Validation + +When performing a user-driven deployment using Windows Autopilot, the following end-user experience should be observed: + +- If multiple languages are preinstalled in Windows 10, the user must pick a language. +- The user must pick a locale and a keyboard layout, and optionally a second keyboard layout. +- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network. +- Once connected to a network, the Autopilot profile will be downloaded. +- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required). +- The user will be prompted for Azure Active Directory credentials, with a customized user experience showing the Azure AD tenant name, logo, and sign-in text. +- Once correct credentials have been entered, the device will join Azure Active Directory. +- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services). +- If configured, the [enrollment status page](enrollment-status.md) will be displayed. +- Once the device configuration tasks have completed, the user will be signed into Windows 10 using the credentials they previously provided. +- Once signed in, the enrollment status page will again be displayed for user-targeted configuration tasks. + +In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation. diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index 720370ca95..5ef4bd2feb 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md @@ -1,122 +1,121 @@ ---- -title: Windows Autopilot requirements -ms.reviewer: -manager: laurawi -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot requirements - -**Applies to: Windows 10** - -Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met. - -**Note**: For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsautopilot). - -## Software requirements - -- Windows 10 version 1703 (semi-annual channel) or higher is required. -- The following editions are supported: - - Windows 10 Pro - - Windows 10 Pro Education - - Windows 10 Pro for Workstations - - Windows 10 Enterprise - - Windows 10 Education - - Windows 10 Enterprise 2019 LTSC - -## Networking requirements - -Windows Autopilot depends on a variety of internet-based services. Access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following: - -- Ensure DNS name resolution for internet DNS names -- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP) - -In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the required services. For additional details about each of these services and their specific requirements, review the following details: - -
ServiceInformation -
Windows Autopilot Deployment Service and Windows ActivationAfter a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service. With Windows 10 builds 18204 and above, the following URLs are used:
-
  • https://ztd.dds.microsoft.com
    • -
  • https://cs.dds.microsoft.com
- -For all supported Windows 10 releases, Windows Autopilot also uses Windows Activation services. See Windows activation or validation fails with error code 0x8004FE33 for details about problems that might occur when you connect to the Internet through a proxy server. -
Azure Active DirectoryUser credentials are validated by Azure Active Directory, and the device can also be joined to Azure Active Directory. See Office 365 IP Address and URL Web service for more information. -
IntuneOnce authenticated, Azure Active Directory will trigger enrollment of the device into the Intune MDM service. See the following link for details about network communication requirements: Intune network configuration requirements and bandwidth. -
Windows UpdateDuring the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates. If there are problems connecting to Windows Update, see How to solve connection problems concerning Windows Update or Microsoft Update.
- -If Windows Update is inaccessible, the AutoPilot process will still continue but critical updates will not be available. - -
Delivery OptimizationWhen downloading Windows Updates, Microsoft Store apps and app updates, Office Updates and Intune Win32 Apps, the Delivery Optimization service is contacted to enable peer-to-peer sharing of content so that only a few devices need to download it from the internet.
- -If the Delivery Optimization Service is inaccessible, the AutoPilot process will still continue with Delivery Optimization downloads from the cloud (without peer-to-peer). - -
Network Time Protocol (NTP) SyncWhen a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate. Ensure that UDP port 123 to time.windows.com is accessible. -
Domain Name Services (DNS)To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP.  This DNS server must be able to resolve internet names. -
Diagnostics dataTo enable Windows Analytics and related diagnostics capabilities, see Configure Windows diagnostic data in your organization.
- -If diagnostic data cannot be sent, the Autopilot process will still continue, but services that depend on diagnostic data, such as Windows Analytics, will not work. -
Network Connection Status Indicator (NCSI)Windows must be able to tell that the device is able to access the internet. For more information, see Network Connection Status Indicator (NCSI). - -www.msftconnecttest.com must be resolvable via DNS and accessible via HTTP. -
Windows Notification Services (WNS)This service is used to enable Windows to receive notifications from apps and services. See Microsoft Store for more information.
- -If the WNS services are not available, the Autopilot process will still continue without notifications. -
Microsoft Store, Microsoft Store for BusinessApps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM).  App updates and additional apps may also be needed when the user first logs in. For more information, see Prerequisites for Microsoft Store for Business and Education (also includes Azure AD and Windows Notification Services).
- -If the Microsoft Store is not accessible, the AutoPilot process will still continue without Microsoft Store apps. - -
Office 365As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above). -
Certificate revocation lists (CRLs)Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented at Office 365 URLs and IP address ranges and Office 365 Certificate Chains. -
- -## Licensing requirements - -Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs: - -To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required: - - [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business) - - [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline) - - [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx) - - [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune). - - [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features. - - [Intune for Education subscriptions](https://docs.microsoft.com/en-us/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features. - - [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/en-us/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service). - -Additionally, the following are also recommended (but not required): -- [Office 365 ProPlus](https://www.microsoft.com/en-us/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services). -- [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise. - -## Configuration requirements - -Before Windows Autopilot can be used, some configuration tasks are required to support the common Autopilot scenarios. - -- Configure Azure Active Directory automatic enrollment. For Microsoft Intune, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) for details. If using a different MDM service, contact the vendor for the specific URLs or configuration needed for those services. -- Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties). -- Enable [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise. - -Specific scenarios will then have additional requirements. Generally, there are two specific tasks: - -- Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details. -- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information. - -See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details. - -For a walkthrough for some of these and related steps, see this video: -
 
- - -There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications). - -## Related topics - -[Configure Autopilot deployment](configure-autopilot.md) +--- +title: Windows Autopilot requirements +ms.reviewer: +manager: laurawi +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot requirements + +**Applies to: Windows 10** + +Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met. + +**Note**: For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsautopilot). + +## Software requirements + +- Windows 10 version 1703 (semi-annual channel) or higher is required. +- The following editions are supported: + - Windows 10 Pro + - Windows 10 Pro Education + - Windows 10 Pro for Workstations + - Windows 10 Enterprise + - Windows 10 Education + - Windows 10 Enterprise 2019 LTSC + +## Networking requirements + +Windows Autopilot depends on a variety of internet-based services. Access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following: + +- Ensure DNS name resolution for internet DNS names +- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP) + +In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the required services. For additional details about each of these services and their specific requirements, review the following details: + +
ServiceInformation +
Windows Autopilot Deployment Service and Windows ActivationAfter a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service. With Windows 10 builds 18204 and above, the following URLs are used: https://ztd.dds.microsoft.com, https://cs.dds.microsoft.com.
+ +For all supported Windows 10 releases, Windows Autopilot also uses Windows Activation services. See Windows activation or validation fails with error code 0x8004FE33 for details about problems that might occur when you connect to the Internet through a proxy server. +
Azure Active DirectoryUser credentials are validated by Azure Active Directory, and the device can also be joined to Azure Active Directory. See Office 365 IP Address and URL Web service for more information. +
IntuneOnce authenticated, Azure Active Directory will trigger enrollment of the device into the Intune MDM service. See the following link for details about network communication requirements: Intune network configuration requirements and bandwidth. +
Windows UpdateDuring the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates. If there are problems connecting to Windows Update, see How to solve connection problems concerning Windows Update or Microsoft Update.
+ +If Windows Update is inaccessible, the AutoPilot process will still continue but critical updates will not be available. + +
Delivery OptimizationWhen downloading Windows Updates, Microsoft Store apps and app updates, Office Updates and Intune Win32 Apps, the Delivery Optimization service is contacted to enable peer-to-peer sharing of content so that only a few devices need to download it from the internet.
+ +If the Delivery Optimization Service is inaccessible, the AutoPilot process will still continue with Delivery Optimization downloads from the cloud (without peer-to-peer). + +
Network Time Protocol (NTP) SyncWhen a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate. Ensure that UDP port 123 to time.windows.com is accessible. +
Domain Name Services (DNS)To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP.  This DNS server must be able to resolve internet names. +
Diagnostics dataTo enable Windows Analytics and related diagnostics capabilities, see Configure Windows diagnostic data in your organization.
+ +If diagnostic data cannot be sent, the Autopilot process will still continue, but services that depend on diagnostic data, such as Windows Analytics, will not work. +
Network Connection Status Indicator (NCSI)Windows must be able to tell that the device is able to access the internet. For more information, see Network Connection Status Indicator (NCSI). + +www.msftconnecttest.com must be resolvable via DNS and accessible via HTTP. +
Windows Notification Services (WNS)This service is used to enable Windows to receive notifications from apps and services. See Microsoft Store for more information.
+ +If the WNS services are not available, the Autopilot process will still continue without notifications. +
Microsoft Store, Microsoft Store for BusinessApps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM).  App updates and additional apps may also be needed when the user first logs in. For more information, see Prerequisites for Microsoft Store for Business and Education (also includes Azure AD and Windows Notification Services).
+ +If the Microsoft Store is not accessible, the AutoPilot process will still continue without Microsoft Store apps. + +
Office 365As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above). +
Certificate revocation lists (CRLs)Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented at Office 365 URLs and IP address ranges and Office 365 Certificate Chains. +
Hybrid AAD joinHybrid AAD can be join, the machine should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode +
+ +## Licensing requirements + +Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs: + +To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required: + - [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business) + - [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline) + - [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx) + - [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune). + - [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features. + - [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features. + - [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service). + +Additionally, the following are also recommended (but not required): +- [Office 365 ProPlus](https://www.microsoft.com/en-us/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services). +- [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise. + +## Configuration requirements + +Before Windows Autopilot can be used, some configuration tasks are required to support the common Autopilot scenarios. + +- Configure Azure Active Directory automatic enrollment. For Microsoft Intune, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) for details. If using a different MDM service, contact the vendor for the specific URLs or configuration needed for those services. +- Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties). +- Enable [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise. + +Specific scenarios will then have additional requirements. Generally, there are two specific tasks: + +- Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details. +- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information. + +See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details. + +For a walkthrough for some of these and related steps, see this video: +
 
+ + +There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications). + +## Related topics + +[Configure Autopilot deployment](configure-autopilot.md) diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset.md b/windows/deployment/windows-autopilot/windows-autopilot-reset.md index 8e06edad48..d58d236a4f 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-reset.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-reset.md @@ -48,7 +48,7 @@ Additional requirements and configuration details apply with each scenario; see **Applies to: Windows 10, version 1709 and above** -The Intune Service Administrator role is required to perform this task. For more information, see [Add users and grant administrative permission to Intune](https://docs.microsoft.com/en-us/intune/users-add). +The Intune Service Administrator role is required to perform this task. For more information, see [Add users and grant administrative permission to Intune](https://docs.microsoft.com/intune/users-add). IT admins can perform a local Windows Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With a local Autopilot Reset, devices are returned to a fully configured or known IT-approved state. diff --git a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md index ec85b05086..3422c91127 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md @@ -1,68 +1,68 @@ ---- -title: Windows Autopilot scenarios and capabilities -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.reviewer: mniehaus -manager: laurawi -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot scenarios and capabilities - -**Applies to: Windows 10** - -## Scenarios - -Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management). - -The following Windows Autopilot scenarios are described in this guide: - - -
ScenarioMore information -
Deploy devices that will be set up by a member of the organization and configured for that person[Windows Autopilot user-driven mode](user-driven.md) -
Deploy devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device.[Windows Autopilot self-deploying mode](self-deploying.md) -
Re-deploy a device in a business-ready state.[Windows Autopilot Reset](windows-autopilot-reset.md) -
Pre-provision a device with up-to-date applications, policies and settings.[White glove](white-glove.md) -
Deploy Windows 10 on an existing Windows 7 or 8.1 device[Windows Autopilot for existing devices](existing-devices.md) -
- -## Windows Autopilot capabilities - -### Windows Autopilot is self-updating during OOBE - -Starting with the Windows 10, version 1903, Autopilot functional and critical updates will begin downloading automatically during OOBE after a device gets connected to a network and the [critical driver and Windows zero-day patch (ZDP) updates](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe) have completed. The user or IT admin cannot opt-out of these Autopilot updates; they are required for Windows Autopilot deployment to operate properly. Windows will alert the user that the device is checking for, downloading and installing the updates. - -### Cortana voiceover and speech recognition during OOBE - -In Windows 10, version 1903 and later Cortana voiceover and speech recognition during OOBE is DISABLED by default for all Windows 10 Pro, Education and Enterprise SKUs. - -If desired, you can enable Cortana voiceover and speech recognition during OOBE by creating the following registry key. This key does not exist by default. - -HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\EnableVoiceForAllEditions - -The key value is a DWORD with **0** = disabled and **1** = enabled. - -| Value | Description | -| --- | --- | -| 0 | Cortana voiceover is disabled | -| 1 | Cortana voiceover is enabled | -| No value | Device will fall back to default behavior of the edition | - -To change this key value, use WCD tool to create as PPKG as documented [here](https://docs.microsoft.com/windows/configuration/wcd/wcd-oobe#nforce). - -### Bitlocker encryption - -With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. For more information, see [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md) - -## Related topics - -[Windows Autopilot: What's new](windows-autopilot-whats-new.md) +--- +title: Windows Autopilot scenarios and capabilities +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot scenarios and capabilities + +**Applies to: Windows 10** + +## Scenarios + +Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management). + +The following Windows Autopilot scenarios are described in this guide: + + +
ScenarioMore information +
Deploy devices that will be set up by a member of the organization and configured for that person[Windows Autopilot user-driven mode](user-driven.md) +
Deploy devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device.[Windows Autopilot self-deploying mode](self-deploying.md) +
Re-deploy a device in a business-ready state.[Windows Autopilot Reset](windows-autopilot-reset.md) +
Pre-provision a device with up-to-date applications, policies and settings.[White glove](white-glove.md) +
Deploy Windows 10 on an existing Windows 7 or 8.1 device[Windows Autopilot for existing devices](existing-devices.md) +
+ +## Windows Autopilot capabilities + +### Windows Autopilot is self-updating during OOBE + +Starting with the Windows 10, version 1903, Autopilot functional and critical updates will begin downloading automatically during OOBE after a device gets connected to a network and the [critical driver and Windows zero-day patch (ZDP) updates](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe) have completed. The user or IT admin cannot opt-out of these Autopilot updates; they are required for Windows Autopilot deployment to operate properly. Windows will alert the user that the device is checking for, downloading and installing the updates. + +### Cortana voiceover and speech recognition during OOBE + +In Windows 10, version 1903 and later Cortana voiceover and speech recognition during OOBE is DISABLED by default for all Windows 10 Pro, Education and Enterprise SKUs. + +If desired, you can enable Cortana voiceover and speech recognition during OOBE by creating the following registry key. This key does not exist by default. + +HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\EnableVoiceForAllEditions + +The key value is a DWORD with **0** = disabled and **1** = enabled. + +| Value | Description | +| --- | --- | +| 0 | Cortana voiceover is disabled | +| 1 | Cortana voiceover is enabled | +| No value | Device will fall back to default behavior of the edition | + +To change this key value, use WCD tool to create as PPKG as documented [here](https://docs.microsoft.com/windows/configuration/wcd/wcd-oobe#nforce). + +### Bitlocker encryption + +With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. For more information, see [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md) + +## Related topics + +[Windows Autopilot: What's new](windows-autopilot-whats-new.md) diff --git a/windows/deployment/windows-autopilot/windows-autopilot.md b/windows/deployment/windows-autopilot/windows-autopilot.md index d728e20c8b..7ad46ca665 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot.md +++ b/windows/deployment/windows-autopilot/windows-autopilot.md @@ -61,5 +61,5 @@ Windows 10 version 1703 or higher is required to use Windows Autopilot. See [Win ## Related topics -[Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/en-us/intune/enrollment-autopilot)
+[Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot)
[Windows Autopilot scenarios and capabilities](windows-autopilot-scenarios.md) \ No newline at end of file diff --git a/windows/eulas/index.md b/windows/eulas/index.md index 2eb00343d3..daa4838aac 100644 --- a/windows/eulas/index.md +++ b/windows/eulas/index.md @@ -1,12 +1,12 @@ ---- -title: Windows 10 - Testing in live -description: What are Windows, UWP, and Win32 apps -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: mobile -ms.author: elizapo -author: lizap -ms.localizationpriority: medium ---- -# Testing non-editability +--- +title: Windows 10 - Testing in live +description: What are Windows, UWP, and Win32 apps +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: mobile +ms.author: elizapo +author: lizap +ms.localizationpriority: medium +--- +# Testing non-editability diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md index 07465d680b..f1560f3a73 100644 --- a/windows/privacy/Microsoft-DiagnosticDataViewer.md +++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md @@ -46,7 +46,7 @@ Using the Diagnostic Data Viewer for PowerShell requires administrative (elevate ### Install the Diagnostic Data Viewer for PowerShell >[!IMPORTANT] - >It is recommended to visit the documentation on [Getting Started](https://docs.microsoft.com/en-us/powershell/gallery/getting-started) with PowerShell Gallery. This page provides more specific details on installing a PowerShell module. + >It is recommended to visit the documentation on [Getting Started](https://docs.microsoft.com/powershell/gallery/getting-started) with PowerShell Gallery. This page provides more specific details on installing a PowerShell module. To install the newest version of the Diagnostic Data Viewer PowerShell module, run the following command within an elevated PowerShell session: ```powershell @@ -106,9 +106,9 @@ The Diagnostic Data Viewer for PowerShell provides you with the following featur - **View your diagnostic events.** Running `PS C:\> Get-DiagnosticData`, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft. - Each event is displayed as a PowerShell Object. By default each event shows the event name, the time when it was seen by your Windows device, whether the event is [Basic](https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization), its [diagnostic event category](#view-diagnostic-event-categories), and a detailed JSON view of the information it contains, which shows the event exactly as it was when sent to Microsoft. Microsoft uses this info to continually improve the Windows operating system. + Each event is displayed as a PowerShell Object. By default each event shows the event name, the time when it was seen by your Windows device, whether the event is [Basic](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization), its [diagnostic event category](#view-diagnostic-event-categories), and a detailed JSON view of the information it contains, which shows the event exactly as it was when sent to Microsoft. Microsoft uses this info to continually improve the Windows operating system. -- **View diagnostic event categories.** Each event shows the diagnostic event categories that it belongs to. These categories define how events are used by Microsoft. The categories are shown as numeric identifiers. For more information about these categories, see [Windows Diagnostic Data](https://docs.microsoft.com/en-us/windows/privacy/windows-diagnostic-data). +- **View diagnostic event categories.** Each event shows the diagnostic event categories that it belongs to. These categories define how events are used by Microsoft. The categories are shown as numeric identifiers. For more information about these categories, see [Windows Diagnostic Data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data). To view the diagnostic category represented by each numeric identifier and what the category means, you can run the command: @@ -186,4 +186,4 @@ When resetting the size of your data history to a lower value, be sure to turn o ## Related Links - [Module in PowerShell Gallery](https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer) -- [Documentation for Diagnostic Data Viewer for PowerShell](https://docs.microsoft.com/en-us/powershell/module/microsoft.diagnosticdataviewer/?view=win10-ps) +- [Documentation for Diagnostic Data Viewer for PowerShell](https://docs.microsoft.com/powershell/module/microsoft.diagnosticdataviewer/?view=win10-ps) diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md index 1dd34ad810..e4021e6946 100644 --- a/windows/privacy/TOC.md +++ b/windows/privacy/TOC.md @@ -1,32 +1,32 @@ -# [Privacy](index.yml) -## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md) -## [Windows and the GDPR: Information for IT Administrators and Decision Makers](gdpr-it-guidance.md) -## [Windows 10 & Privacy Compliance: A Guide for IT and Compliance Professionals](Windows-10-and-privacy-compliance.md) -## [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md) -## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) -## Diagnostic Data Viewer -### [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md) -### [Diagnostic Data Viewer for PowerShell Overview](Microsoft-DiagnosticDataViewer.md) -## Basic level Windows diagnostic data events and fields -### [Windows 10, version 1903 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) -### [Windows 10, version 1809 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) -### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) -### [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) -### [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) -## Enhanced level Windows diagnostic data events and fields -### [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) -## Full level categories -### [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md) -### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md) -## Manage Windows 10 connection endpoints -### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) -### [Manage connections from Windows operating system components to Microsoft services using MDM](manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md) -### [Connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) -### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) -### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) -### [Connection endpoints for non-Enterprise editions of Windows 10, version 1903](windows-endpoints-1903-non-enterprise-editions.md) -### [Connection endpoints for non-Enterprise editions of Windows 10, version 1809](windows-endpoints-1809-non-enterprise-editions.md) -### [Connection endpoints for non-Enterprise editions of Windows 10, version 1803](windows-endpoints-1803-non-enterprise-editions.md) -### [Connection endpoints for non-Enterprise editions of Windows 10, version 1709](windows-endpoints-1709-non-enterprise-editions.md) - +# [Privacy](index.yml) +## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md) +## [Windows and the GDPR: Information for IT Administrators and Decision Makers](gdpr-it-guidance.md) +## [Windows 10 & Privacy Compliance: A Guide for IT and Compliance Professionals](Windows-10-and-privacy-compliance.md) +## [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md) +## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) +## Diagnostic Data Viewer +### [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md) +### [Diagnostic Data Viewer for PowerShell Overview](Microsoft-DiagnosticDataViewer.md) +## Basic level Windows diagnostic data events and fields +### [Windows 10, version 1903 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) +### [Windows 10, version 1809 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) +### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) +### [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) +### [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) +## Enhanced level Windows diagnostic data events and fields +### [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) +## Full level categories +### [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md) +### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md) +## Manage Windows 10 connection endpoints +### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) +### [Manage connections from Windows operating system components to Microsoft services using MDM](manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md) +### [Connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) +### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) +### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) +### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) +### [Connection endpoints for non-Enterprise editions of Windows 10, version 1903](windows-endpoints-1903-non-enterprise-editions.md) +### [Connection endpoints for non-Enterprise editions of Windows 10, version 1809](windows-endpoints-1809-non-enterprise-editions.md) +### [Connection endpoints for non-Enterprise editions of Windows 10, version 1803](windows-endpoints-1803-non-enterprise-editions.md) +### [Connection endpoints for non-Enterprise editions of Windows 10, version 1709](windows-endpoints-1709-non-enterprise-editions.md) + diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 4b6a124ff2..fc00e91cc2 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -342,7 +342,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -This event indicates Indicates that the DecisionApplicationFile object is no longer present. +This event indicates that the DecisionApplicationFile object is no longer present. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -678,7 +678,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates that a new set of InventoryApplicationFileAdd events will be sent. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -2457,7 +2457,7 @@ The following fields are available: - **Enumerator** Identifies the bus that enumerated the device. - **HWID** A list of hardware IDs for the device. See [HWID](#hwid). - **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). -- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx +- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx - **InventoryVersion** The version number of the inventory process generating the events. - **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. - **LowerFilters** The identifiers of the Lower filters installed for the device. @@ -5029,7 +5029,7 @@ The following fields are available: - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index a88ae5d6a4..14db4d2683 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -362,7 +362,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -This event indicates Indicates that the DecisionApplicationFile object is no longer present. +This event indicates that the DecisionApplicationFile object is no longer present. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -710,7 +710,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates that a new set of InventoryApplicationFileAdd events will be sent. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -2497,7 +2497,7 @@ The following fields are available: - **Enumerator** Identifies the bus that enumerated the device. - **HWID** A list of hardware IDs for the device. - **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). -- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx +- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx - **InventoryVersion** The version number of the inventory process generating the events. - **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. - **LowerFilters** The identifiers of the Lower filters installed for the device. @@ -5274,7 +5274,7 @@ The following fields are available: - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index ac8f4d3e3c..d6eb2975ad 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -396,7 +396,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -This event indicates Indicates that the DecisionApplicationFile object is no longer present. +This event indicates that the DecisionApplicationFile object is no longer present. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -747,7 +747,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates that a new set of InventoryApplicationFileAdd events will be sent. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -3415,7 +3415,7 @@ The following fields are available: - **Enumerator** Identifies the bus that enumerated the device. - **HWID** A list of hardware IDs for the device. - **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). -- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx +- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx - **InventoryVersion** The version number of the inventory process generating the events. - **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. - **LowerFilters** The identifiers of the Lower filters installed for the device. @@ -6041,7 +6041,7 @@ The following fields are available: - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 765419c245..b5c02de9bd 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -821,7 +821,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -This event indicates Indicates that the DecisionApplicationFile object is no longer present. +This event indicates that the DecisionApplicationFile object is no longer present. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -1173,7 +1173,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates that a new set of InventoryApplicationFileAdd events will be sent. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -3914,7 +3914,7 @@ The following fields are available: - **HWID** A list of hardware IDs for the device. - **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). - **InstallDate** The date of the most recent installation of the device on the machine. -- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx +- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx - **InventoryVersion** The version number of the inventory process generating the events. - **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. - **LowerFilters** The identifiers of the Lower filters installed for the device. @@ -6512,7 +6512,7 @@ The following fields are available: - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 9f8a2900c9..54f9081648 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -681,7 +681,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -This event indicates Indicates that the DecisionApplicationFile object is no longer present. +This event indicates that the DecisionApplicationFile object is no longer present. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -1000,7 +1000,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates that a new set of InventoryApplicationFileAdd events will be sent. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -3352,7 +3352,7 @@ The following fields are available: - **HWID** The version of the driver loaded for the device. - **Inf** The bus that enumerated the device. - **InstallDate** The date of the most recent installation of the device on the machine. -- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx +- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx - **InventoryVersion** List of hardware ids for the device. - **LowerClassFilters** Lower filter class drivers IDs installed for the device - **LowerFilters** Lower filter drivers IDs installed for the device @@ -6285,7 +6285,7 @@ The following fields are available: - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 12a92da773..12db0fe2fe 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -1,454 +1,454 @@ ---- -description: Use this article to make informed decisions about how you can configure diagnostic data in your organization. -title: Configure Windows diagnostic data in your organization (Windows 10) -keywords: privacy -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: high -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 04/29/2019 ---- - -# Configure Windows diagnostic data in your organization - -**Applies to** - -- Windows 10 Enterprise -- Windows 10 Mobile -- Windows Server - -This article applies to Windows and Windows Server diagnostic data only. It describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers. - -Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component. Microsoft uses diagnostic data to keep Windows secure and up to date, troubleshoot problems, and make product improvements. - -We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. - -## Overview of Windows diagnostic data - -At Microsoft, we use Windows diagnostic data to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data gives users a voice in the operating system’s development. This guide describes the importance of Windows diagnostic data and how we protect that data. Additionally, it differentiates between diagnostic data and functional data. It also describes the diagnostic data levels that Windows supports. Of course, you can choose how much diagnostic data is shared with Microsoft, and this guide demonstrates how. - -To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways: - -- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools. -- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions. -- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection. -- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right. -- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting. -- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers. - -In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM. - -For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization. - -## Understanding Windows diagnostic data - -Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us. - -The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts. - -### What is Windows diagnostic data? -Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways: - -- Keep Windows up to date -- Keep Windows secure, reliable, and performant -- Improve Windows – through the aggregate analysis of the use of Windows -- Personalize Windows engagement surfaces - -Here are some specific examples of Windows diagnostic data: - -- Type of hardware being used -- Applications installed and usage details -- Reliability information on device drivers - -### What is NOT diagnostic data? - -Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a user’s location for local weather or news is not an example of diagnostic data—it is functional data that the app or service requires to satisfy the user’s request. - -There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data. - -If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services). - -The following are specific examples of functional data: - -- Current location for weather -- Bing searches -- Wallpaper and desktop settings synced across multiple devices - -### Diagnostic data gives users a voice - -Windows and Windows Server diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits. - -### Improve app and driver quality - -Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues. - -#### Real-world example of how Windows diagnostic data helps -There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls. - -### Improve end-user productivity - -Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are: - -- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time. -- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance. -- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature. - -**These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.** - -### Insights into your own organization - -Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). - -#### Upgrade Readiness - -Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. - -To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis. - -With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft. - -Use Upgrade Readiness to get: - -- A visual workflow that guides you from pilot to production -- Detailed computer, driver, and application inventory -- Powerful computer level search and drill-downs -- Guidance and insights into application and driver compatibility issues with suggested fixes -- Data driven application rationalization tools -- Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools - -The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. - -## How Microsoft handles diagnostic data - -The diagnostic data is categorized into four levels: - -- [**Security**](#security-level). Information that’s required to help keep Windows and Windows Server secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. - -- [**Basic**](#basic-level). Basic device info, including: quality-related data, app compatibility, and data from the **Security** level. - -- [**Enhanced**](#enhanced-level). Additional insights, including: how Windows, Windows Server, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels. - -- [**Full**](#full-level). Includes information about the websites you browse, how you use apps and features, plus additional information about device health, device activity (sometimes referred to as usage), and enhanced error reporting. At Full, Microsoft also collects the memory state of your device when a system or app crash occurs. It includes data from the **Security**, **Basic**, and **Enhanced** levels. - -Diagnostic data levels are cumulative, meaning each subsequent level includes data collected through lower levels. For more information see the [Diagnostic data levels](#diagnostic-data-levels) section. - -### Data collection - -Windows 10 and Windows Server includes the Connected User Experiences and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology. - -1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces. -2. Events are gathered using public operating system event logging and tracing APIs. -3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings. -4. The Connected User Experiences and Telemetry component transmits the diagnostic data. - -Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels. - -### Data transmission - -All diagnostic data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks. - -The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day, but occasionally up to 2 MB per device per day). - -### Endpoints - -The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access. - -The following table defines the endpoints for Connected User Experiences and Telemetry component: - -Windows release | Endpoint ---- | --- -Windows 10, versions 1703 or later, with the 2018-09 cumulative update installed| **Diagnostics data** - v10c.vortex-win.data.microsoft.com

**Functional** - v20.vortex-win.data.microsoft.com
**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com
**Settings** - win.data.microsoft.com -Windows 10, versions 1803 or later, without the 2018-09 cumulative update installed | **Diagnostics data** - v10.events.data.microsoft.com

**Functional** - v20.vortex-win.data.microsoft.com
**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com
**Settings** - win.data.microsoft.com -Windows 10, version 1709 or earlier | **Diagnostics data** - v10.vortex-win.data.microsoft.com

**Functional** - v20.vortex-win.data.microsoft.com
**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com
**Settings** - win.data.microsoft.com - -The following table defines the endpoints for other diagnostic data services: - -| Service | Endpoint | -| - | - | -| [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com | -| | ceuswatcab01.blob.core.windows.net | -| | ceuswatcab02.blob.core.windows.net | -| | eaus2watcab01.blob.core.windows.net | -| | eaus2watcab02.blob.core.windows.net | -| | weus2watcab01.blob.core.windows.net | -| | weus2watcab02.blob.core.windows.net | -| [Online Crash Analysis](https://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com | -| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 | -| Microsoft Defender Advanced Threat Protection | https://wdcp.microsoft.com
https://wdcpalt.microsoft.com | - -### Data use and access - -The principle of least privileged access guides access to diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management. - -### Retention - -Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history. - -## Manage enterprise diagnostic data level - -### Enterprise management - -Sharing diagnostic data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option. - -Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, in **Privacy** > **Diagnostics & feedback**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available. - -IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server, the Security diagnostic data level is available when managing the policy. Setting the diagnostic data level through policy sets the upper boundary for the users’ choices. To disable user choice after setting the level with the policy, you will need to use the "Configure telemetry opt-in setting user interface" group policy. The remainder of this article describes how to use group policy to configure levels and settings interface. - - -#### Manage your diagnostic data settings - -Use the steps in this article to set and/or adjust the diagnostic data settings for Windows and Windows Server in your organization. - -> [!IMPORTANT] -> These diagnostic data levels only apply to Windows and Windows Server components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of privacy controls for Office 365 ProPlus](/deployoffice/privacy/overview-privacy-controls). - -The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server is **Enhanced**. - -### Configure the diagnostic data level - -You can configure your device's diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device. - -Use the appropriate value in the table below when you configure the management policy. - -| Level | Value | -| - | - | -| Security | **0** | -| Basic | **1** | -| Enhanced | **2** | -| Full | **3** | - - > [!NOTE] - > When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used. - -### Use Group Policy to set the diagnostic data level - -Use a Group Policy object to set your organization’s diagnostic data level. - -1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**. - -2. Double-click **Allow Telemetry**. - -3. In the **Options** box, select the level that you want to configure, and then click **OK**. - -### Use MDM to set the diagnostic data level - -Use the [Policy Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy. - -### Use Registry Editor to set the diagnostic data level - -Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting. - -1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**. - -2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**. - -3. Type **AllowTelemetry**, and then press ENTER. - -4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.** - -5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization. - -### Additional diagnostic data controls - -There are a few more settings that you can turn off that may send diagnostic data information: - -- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](https://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/). - -- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**. - -- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716). - -- Turn off **Improve inking and typing** in **Settings** > **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. - - > [!NOTE] - > Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information. - -## Diagnostic data levels - -These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server. - -### Security level - -The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions. - -> [!NOTE] -> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. - -Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered. - -The data gathered at this level includes: - -- **Connected User Experiences and Telemetry component settings**. If general diagnostic data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop). - -- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address. - - > [!NOTE] - > You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716). - -- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. - - > [!NOTE] - > This reporting can be turned off and no information is included if a customer is using third-party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender). - - Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates. - -For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity. - -No user content, such as user files or communications, is gathered at the **Security** diagnostic data level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time. - -### Basic level - -The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent. - -This is the default level for Windows 10 Education editions, as well as all desktop editions starting with Windows 10, version 1903. - -The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device. - -The data gathered at this level includes: - -- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Servers in the ecosystem. Examples include: - - - Device attributes, such as camera resolution and display type - - - Internet Explorer version - - - Battery attributes, such as capacity and type - - - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number - - - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware - - - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system - - - Operating system attributes, such as Windows edition and virtualization state - - - Storage attributes, such as number of drives, type, and size - -- **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time. - -- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app. - -- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems. - - - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage. - - - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade. - - - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS. - - - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system. - - - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements. - -- **Microsoft Store**. Provides information about how the Microsoft Store performs, including app downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and resumes, and obtaining licenses. - - -### Enhanced level - -The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. - -This level is needed to quickly identify and address Windows and Windows Server quality issues. - -The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device. - -The data gathered at this level includes: - -- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components. - -- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge. - -- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events. - -- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps. - -If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the **Enhanced** diagnostic data level will only gather data about the events associated with the specific issue. - -### Full level - -The Full level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the Basic, Enhanced, and Security levels. - -Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level. - -If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** diagnostic data level and have exhibited the problem. - -However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information: - -- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe. - -- Ability to get registry keys. - -- All crash dump types, including heap dumps and full dumps. - -> [!NOTE] -> Crash dumps collected at this diagnostic data level may unintentionally contain personal data, such as portions of memory from a documents, a web page, etc. - -## Limit Enhanced diagnostic data to the minimum required by Windows Analytics - -Windows Analytics Device Health reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events. In the past, organizations sending **Enhanced** or **Full** level diagnostic data were able to participate in Device Health. However, organizations that required detailed event and field level documentation were unable to move from **Basic** to **Enhanced**. - -In Windows 10, version 1709, we introduced the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic. - -- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) topic. - -- **Some crash dump types.** Triage dumps for user mode and mini dumps for kernel mode. - ->[!NOTE] -> Triage dumps are a type of [minidumps](https://docs.microsoft.com/windows/desktop/debug/minidump-files) that go through a process of user-sensitive information scrubbing. Some user-sensitive information may be missed in the process, and will therefore be sent with the dump. - -### Enable limiting enhanced diagnostic data to the minimum required by Windows Analytics - -1. Set the diagnostic data level to **Enhanced**, using either Group Policy or MDM. - - a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Allow telemetry** setting to **2**. - - -OR- - - b. Using MDM, use the Policy CSP to set the **System/AllowTelemetry** value to **2**. - - -AND- - -2. Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM. - - a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the minimum required by Windows Analytics** setting to **Enabled**. - - -OR- - - b. Using MDM, use the Policy CSP to set the **System/LimitEnhancedDiagnosticDataWindowsAnalytics** value to **1**. - -## Additional resources - -FAQs - -- [Cortana, Search, and privacy](https://privacy.microsoft.com/windows-10-cortana-and-privacy) -- [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy) -- [Windows 10 camera and privacy](https://privacy.microsoft.com/windows-10-camera-and-privacy) -- [Windows 10 location service and privacy](https://privacy.microsoft.com/windows-10-location-and-privacy) -- [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy) -- [Windows 10 speech, inking, typing, and privacy](https://privacy.microsoft.com/windows-10-speech-inking-typing-and-privacy-faq) -- [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy) -- [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense) -- [Windows Update Delivery Optimization](https://privacy.microsoft.com/windows-10-windows-update-delivery-optimization) - -Blogs - -- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10) - -Privacy Statement - -- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) - -TechNet - -- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) - -Web Pages - -- [Privacy at Microsoft](https://privacy.microsoft.com) +--- +description: Use this article to make informed decisions about how you can configure diagnostic data in your organization. +title: Configure Windows diagnostic data in your organization (Windows 10) +keywords: privacy +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: high +audience: ITPro +author: dansimp +ms.author: dansimp +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 04/29/2019 +--- + +# Configure Windows diagnostic data in your organization + +**Applies to** + +- Windows 10 Enterprise +- Windows 10 Mobile +- Windows Server + +This article applies to Windows and Windows Server diagnostic data only. It describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers. + +Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component. Microsoft uses diagnostic data to keep Windows secure and up to date, troubleshoot problems, and make product improvements. + +We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. + +## Overview of Windows diagnostic data + +At Microsoft, we use Windows diagnostic data to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data gives users a voice in the operating system’s development. This guide describes the importance of Windows diagnostic data and how we protect that data. Additionally, it differentiates between diagnostic data and functional data. It also describes the diagnostic data levels that Windows supports. Of course, you can choose how much diagnostic data is shared with Microsoft, and this guide demonstrates how. + +To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways: + +- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools. +- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions. +- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection. +- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right. +- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting. +- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers. + +In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM. + +For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization. + +## Understanding Windows diagnostic data + +Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us. + +The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts. + +### What is Windows diagnostic data? +Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways: + +- Keep Windows up to date +- Keep Windows secure, reliable, and performant +- Improve Windows – through the aggregate analysis of the use of Windows +- Personalize Windows engagement surfaces + +Here are some specific examples of Windows diagnostic data: + +- Type of hardware being used +- Applications installed and usage details +- Reliability information on device drivers + +### What is NOT diagnostic data? + +Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a user’s location for local weather or news is not an example of diagnostic data—it is functional data that the app or service requires to satisfy the user’s request. + +There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data. + +If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services). + +The following are specific examples of functional data: + +- Current location for weather +- Bing searches +- Wallpaper and desktop settings synced across multiple devices + +### Diagnostic data gives users a voice + +Windows and Windows Server diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits. + +### Improve app and driver quality + +Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues. + +#### Real-world example of how Windows diagnostic data helps +There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls. + +### Improve end-user productivity + +Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are: + +- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time. +- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance. +- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature. + +**These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.** + +### Insights into your own organization + +Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). + +#### Upgrade Readiness + +Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. + +To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis. + +With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft. + +Use Upgrade Readiness to get: + +- A visual workflow that guides you from pilot to production +- Detailed computer, driver, and application inventory +- Powerful computer level search and drill-downs +- Guidance and insights into application and driver compatibility issues with suggested fixes +- Data driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools + +The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. + +## How Microsoft handles diagnostic data + +The diagnostic data is categorized into four levels: + +- [**Security**](#security-level). Information that’s required to help keep Windows and Windows Server secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. + +- [**Basic**](#basic-level). Basic device info, including: quality-related data, app compatibility, and data from the **Security** level. + +- [**Enhanced**](#enhanced-level). Additional insights, including: how Windows, Windows Server, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels. + +- [**Full**](#full-level). Includes information about the websites you browse, how you use apps and features, plus additional information about device health, device activity (sometimes referred to as usage), and enhanced error reporting. At Full, Microsoft also collects the memory state of your device when a system or app crash occurs. It includes data from the **Security**, **Basic**, and **Enhanced** levels. + +Diagnostic data levels are cumulative, meaning each subsequent level includes data collected through lower levels. For more information see the [Diagnostic data levels](#diagnostic-data-levels) section. + +### Data collection + +Windows 10 and Windows Server includes the Connected User Experiences and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology. + +1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces. +2. Events are gathered using public operating system event logging and tracing APIs. +3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings. +4. The Connected User Experiences and Telemetry component transmits the diagnostic data. + +Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels. + +### Data transmission + +All diagnostic data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks. + +The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day, but occasionally up to 2 MB per device per day). + +### Endpoints + +The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access. + +The following table defines the endpoints for Connected User Experiences and Telemetry component: + +Windows release | Endpoint +--- | --- +Windows 10, versions 1703 or later, with the 2018-09 cumulative update installed| **Diagnostics data** - v10c.vortex-win.data.microsoft.com

**Functional** - v20.vortex-win.data.microsoft.com
**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com
**Settings** - win.data.microsoft.com +Windows 10, versions 1803 or later, without the 2018-09 cumulative update installed | **Diagnostics data** - v10.events.data.microsoft.com

**Functional** - v20.vortex-win.data.microsoft.com
**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com
**Settings** - win.data.microsoft.com +Windows 10, version 1709 or earlier | **Diagnostics data** - v10.vortex-win.data.microsoft.com

**Functional** - v20.vortex-win.data.microsoft.com
**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com
**Settings** - win.data.microsoft.com + +The following table defines the endpoints for other diagnostic data services: + +| Service | Endpoint | +| - | - | +| [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com | +| | ceuswatcab01.blob.core.windows.net | +| | ceuswatcab02.blob.core.windows.net | +| | eaus2watcab01.blob.core.windows.net | +| | eaus2watcab02.blob.core.windows.net | +| | weus2watcab01.blob.core.windows.net | +| | weus2watcab02.blob.core.windows.net | +| [Online Crash Analysis](https://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com | +| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 | +| Microsoft Defender Advanced Threat Protection | https://wdcp.microsoft.com
https://wdcpalt.microsoft.com | + +### Data use and access + +The principle of least privileged access guides access to diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management. + +### Retention + +Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history. + +## Manage enterprise diagnostic data level + +### Enterprise management + +Sharing diagnostic data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option. + +Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, in **Privacy** > **Diagnostics & feedback**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available. + +IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server, the Security diagnostic data level is available when managing the policy. Setting the diagnostic data level through policy sets the upper boundary for the users’ choices. To disable user choice after setting the level with the policy, you will need to use the "Configure telemetry opt-in setting user interface" group policy. The remainder of this article describes how to use group policy to configure levels and settings interface. + + +#### Manage your diagnostic data settings + +Use the steps in this article to set and/or adjust the diagnostic data settings for Windows and Windows Server in your organization. + +> [!IMPORTANT] +> These diagnostic data levels only apply to Windows and Windows Server components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of privacy controls for Office 365 ProPlus](/deployoffice/privacy/overview-privacy-controls). + +The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server is **Enhanced**. + +### Configure the diagnostic data level + +You can configure your device's diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device. + +Use the appropriate value in the table below when you configure the management policy. + +| Level | Value | +| - | - | +| Security | **0** | +| Basic | **1** | +| Enhanced | **2** | +| Full | **3** | + + > [!NOTE] + > When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used. + +### Use Group Policy to set the diagnostic data level + +Use a Group Policy object to set your organization’s diagnostic data level. + +1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**. + +2. Double-click **Allow Telemetry**. + +3. In the **Options** box, select the level that you want to configure, and then click **OK**. + +### Use MDM to set the diagnostic data level + +Use the [Policy Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy. + +### Use Registry Editor to set the diagnostic data level + +Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting. + +1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**. + +2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**. + +3. Type **AllowTelemetry**, and then press ENTER. + +4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.** + +5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization. + +### Additional diagnostic data controls + +There are a few more settings that you can turn off that may send diagnostic data information: + +- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](https://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/). + +- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**. + +- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716). + +- Turn off **Improve inking and typing** in **Settings** > **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. + + > [!NOTE] + > Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information. + +## Diagnostic data levels + +These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server. + +### Security level + +The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions. + +> [!NOTE] +> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. + +Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered. + +The data gathered at this level includes: + +- **Connected User Experiences and Telemetry component settings**. If general diagnostic data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop). + +- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address. + + > [!NOTE] + > You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716). + +- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. + + > [!NOTE] + > This reporting can be turned off and no information is included if a customer is using third-party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender). + + Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates. + +For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity. + +No user content, such as user files or communications, is gathered at the **Security** diagnostic data level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time. + +### Basic level + +The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent. + +This is the default level for Windows 10 Education editions, as well as all desktop editions starting with Windows 10, version 1903. + +The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device. + +The data gathered at this level includes: + +- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Servers in the ecosystem. Examples include: + + - Device attributes, such as camera resolution and display type + + - Internet Explorer version + + - Battery attributes, such as capacity and type + + - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number + + - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware + + - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system + + - Operating system attributes, such as Windows edition and virtualization state + + - Storage attributes, such as number of drives, type, and size + +- **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time. + +- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app. + +- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems. + + - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage. + + - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade. + + - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS. + + - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system. + + - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements. + +- **Microsoft Store**. Provides information about how the Microsoft Store performs, including app downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and resumes, and obtaining licenses. + + +### Enhanced level + +The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. + +This level is needed to quickly identify and address Windows and Windows Server quality issues. + +The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device. + +The data gathered at this level includes: + +- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components. + +- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge. + +- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events. + +- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps. + +If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the **Enhanced** diagnostic data level will only gather data about the events associated with the specific issue. + +### Full level + +The Full level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the Basic, Enhanced, and Security levels. + +Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level. + +If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** diagnostic data level and have exhibited the problem. + +However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information: + +- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe. + +- Ability to get registry keys. + +- All crash dump types, including heap dumps and full dumps. + +> [!NOTE] +> Crash dumps collected at this diagnostic data level may unintentionally contain personal data, such as portions of memory from a documents, a web page, etc. + +## Limit Enhanced diagnostic data to the minimum required by Windows Analytics + +Windows Analytics Device Health reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events. In the past, organizations sending **Enhanced** or **Full** level diagnostic data were able to participate in Device Health. However, organizations that required detailed event and field level documentation were unable to move from **Basic** to **Enhanced**. + +In Windows 10, version 1709, we introduced the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic. + +- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) topic. + +- **Some crash dump types.** Triage dumps for user mode and mini dumps for kernel mode. + +>[!NOTE] +> Triage dumps are a type of [minidumps](https://docs.microsoft.com/windows/desktop/debug/minidump-files) that go through a process of user-sensitive information scrubbing. Some user-sensitive information may be missed in the process, and will therefore be sent with the dump. + +### Enable limiting enhanced diagnostic data to the minimum required by Windows Analytics + +1. Set the diagnostic data level to **Enhanced**, using either Group Policy or MDM. + + a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Allow telemetry** setting to **2**. + + -OR- + + b. Using MDM, use the Policy CSP to set the **System/AllowTelemetry** value to **2**. + + -AND- + +2. Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM. + + a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the minimum required by Windows Analytics** setting to **Enabled**. + + -OR- + + b. Using MDM, use the Policy CSP to set the **System/LimitEnhancedDiagnosticDataWindowsAnalytics** value to **1**. + +## Additional resources + +FAQs + +- [Cortana, Search, and privacy](https://privacy.microsoft.com/windows-10-cortana-and-privacy) +- [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy) +- [Windows 10 camera and privacy](https://privacy.microsoft.com/windows-10-camera-and-privacy) +- [Windows 10 location service and privacy](https://privacy.microsoft.com/windows-10-location-and-privacy) +- [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy) +- [Windows 10 speech, inking, typing, and privacy](https://privacy.microsoft.com/windows-10-speech-inking-typing-and-privacy-faq) +- [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy) +- [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense) +- [Windows Update Delivery Optimization](https://privacy.microsoft.com/windows-10-windows-update-delivery-optimization) + +Blogs + +- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10) + +Privacy Statement + +- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) + +TechNet + +- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) + +Web Pages + +- [Privacy at Microsoft](https://privacy.microsoft.com) diff --git a/windows/privacy/gdpr-it-guidance.md b/windows/privacy/gdpr-it-guidance.md index d032754214..088f0adccd 100644 --- a/windows/privacy/gdpr-it-guidance.md +++ b/windows/privacy/gdpr-it-guidance.md @@ -1,309 +1,309 @@ ---- -title: Windows and the GDPR-Information for IT Administrators and Decision Makers -description: Use this topic to understand the relationship between users in your organization and Microsoft in the context of the GDPR (General Data Protection Regulation). -keywords: privacy, GDPR, windows, IT -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: high -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 05/11/2018 -ms.reviewer: ---- -# Windows and the GDPR: Information for IT Administrators and Decision Makers - -Applies to: -- Windows 10, version 1809 -- Windows 10, version 1803 -- Windows 10, version 1709 -- Windows 10, version 1703 -- Windows 10 Team Edition, version 1703 for Surface Hub -- Windows Server 2019 -- Windows Server 2016 -- Windows Analytics - -This topic provides IT Decision Makers with a basic understanding of the relationship between users in an organization and Microsoft in the context of the GDPR (General Data Protection Regulation). You will also learn what role an IT organization plays for that relationship. - -For more information about the GDPR, see: -* [Microsoft GDPR Overview](https://aka.ms/GDPROverview) -* [Microsoft Trust Center FAQs about the GDPR](https://aka.ms/gdpr-faq) -* [Microsoft Service Trust Portal (STP)](https://aka.ms/stp) -* [Get Started: Support for GDPR Accountability](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted) - -## GDPR fundamentals - -Here are some GDPR fundamentals: - -* On May 25, 2018, this EU data privacy law is implemented. It sets a new global bar for data privacy rights, security, and compliance. -* The GDPR is fundamentally about protecting and enabling the privacy rights of individuals – both customers and employees. -* The European law establishes strict global data privacy requirements governing how organizations manage and protect personal data while respecting individual choice – no matter where data is sent, processed, or stored. -* A request by an individual to an organization to take an action on their personal data is referred to here as a *data subject request*, or *DSR*. - -Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR required significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization. - -### What is personal data under the GDPR? - -Article 4 (1) of [the GDPR](http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=en) defines personal data as any information relating to an identified or identifiable person. There is no distinction between a person’s private, public, or work roles. As defined by the GDPR, personal data includes, but is not limited to: -* Name -* Email address -* Credit card numbers -* IP addresses -* Social media posts -* Location information -* Handwriting patterns -* Voice input to cloud-based speech services - -### Controller and processor under the GDPR: Who does what - -#### Definition - -The GDPR describes specific requirements for allocating responsibility for controller and processor activities related to personal data. Thus, every organization that processes personal data must determine whether it is acting as a controller or processor for a specific scenario. - -* **Controller**: GDPR Article 4 (7) defines the ‘controller’ as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. -* **Processor**: According to the GDPR Article 4 (8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. - -#### Controller scenario - -For example, when an organization is using Microsoft Windows Defender Advanced Threat Protection (ATP) to detect, investigate, and respond to advanced threats on their networks as part of their IT operations, that organization is collecting data from the user’s device – data, that might include personal data. In this scenario, the organization is the *controller* of the respective personal data, since the organization controls the purpose and means of the processing for data being collected from the devices that have Windows Defender ATP enabled. - -#### Processor scenario - -In the controller scenario described above, Microsoft is a *processor* because Microsoft provides data processing services to that controller (in the given example, an organization that subscribed to Windows Defender ATP and enabled it for the user’s device). As processor, Microsoft only processes data on behalf of the enterprise customer and does not have the right to process data beyond their instructions as specified in a written contract, such as the [Microsoft Product Terms and the Microsoft Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products.aspx). - -## GDPR relationship between a Windows 10 user and Microsoft - -For Windows 10 services, Microsoft usually is the controller (with exceptions, such as Windows Defender ATP). The following sections describe what that means for the related data. - -### Types of data exchanged with Microsoft - -Microsoft collects data from or generates data through interactions with users of Windows 10 devices. This information can contain personal data, as defined in [Article 4 (1) of the GDPR](http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=EN), that may be used to provide, support, and improve Windows 10 services. - -Microsoft discloses data collection and privacy practices in detail, for example: -* As part of the Windows 10 installation; -* In the Windows 10 privacy settings; -* Via the web-based [Microsoft Privacy dashboard](https://account.microsoft.com/privacy); and -* In the [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). - -It is important to differentiate between two distinct types of data Windows services are dealing with. - -#### Windows functional data - -A user action, such as performing a Skype call, usually triggers the collection and transmission of Windows *functional data*. Some Windows components and applications connecting to Microsoft services also exchange Windows functional data to provide user functionality. - -Some other examples of Windows functional data: -* The Weather app which can use the device’s location to retrieve local weather or community news. -* Wallpaper and desktop settings that are synchronized across multiple devices. - -For more info on how IT Professionals can manage Windows functional data sent from an organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). - -#### Windows diagnostic data - -Windows diagnostic data is used to keep the operating system secure and up-to-date, troubleshoot problems, and make product improvements. The data is encrypted before being sent back to Microsoft. - -Some examples of diagnostic data include: -* The type of hardware being used, information about installed apps and usage details, and reliability data on drivers running on the device. -* For users who have turned on “Tailored experiences”, it can be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for the needs of the user. - -Diagnostic data is categorized into the levels "Security", "Basic", "Enhanced", and "Full". For a detailed discussion about these diagnostic data levels please see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). To find more about what information is collected and how it is handled, see [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data). - ->[!IMPORTANT] ->Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data. Please contact the publisher for further guidance on how to control the diagnostic data collection level and transmission of these applications and services. - -### Windows services where Microsoft is the processor under the GDPR - -Most Windows 10 services are controller services in terms of the GDPR – for both Windows functional data and Windows diagnostic data. But there are a few Windows services where Microsoft is a processor for functional data under the GDPR, such as [Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics) and [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/windowsforbusiness/windows-atp). - ->[!NOTE] ->Both Windows Analytics and Windows Defender ATP are subscription services for organizations. Some functionality requires a certain license (please see [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare)). - -#### Windows Analytics - -[Windows Analytics](https://www.microsoft.com/en-us/windowsforbusiness/windows-analytics) is a service that provides rich, actionable information for helping organizations to gain deep insights into the operational efficiency and health of the Windows devices in their environment. It uses Windows diagnostic data from devices enrolled by the IT organization of an enterprise into the Windows Analytics service. - -Windows [transmits Windows diagnostic data](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) to Microsoft datacenters, where that data is analyzed and stored. With Windows Analytics, the IT organization can then view the analyzed data to detect and fix issues or to improve their processes for upgrading to Windows 10. - -As a result, in terms of the GDPR, the organization that has subscribed to Windows Analytics is acting as the controller, while Microsoft is the processor for Windows Analytics. ->[!NOTE] ->The IT organization must explicitly enable Windows Analytics for a device after the organization subscribes. - ->[!IMPORTANT] ->Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for an enrolled device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device. - -#### Windows Defender ATP - -[Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) is cloud-based service that collects and analyzes usage data from an organization’s devices to detect security threats. Some of the data can contain personal data as defined by the GDPR. Enrolled devices transmit usage data to Microsoft datacenters, where that data is analyzed, processed, and stored. The security operations center (SOC) of the organization can view the analyzed data using the [Windows Defender ATP portal](https://securitycenter.windows.com/). - -As a result, in terms of the GDPR, the organization that has subscribed to Windows Defender ATP is acting as the controller, while Microsoft is the processor for Windows Defender ATP. - ->[!NOTE] ->The IT organization must explicitly enable Windows Defender ATP for a device after the organization subscribes. - -#### At a glance – Windows 10 services GDPR mode of operations - -The following table lists in what GDPR mode – controller or processor – Windows 10 services are operating. - -| Service | Microsoft GDPR mode of operation | -| --- | --- | -| Windows Functional data | Controller or Processor* | -| Windows Diagnostic data | Controller | -| Windows Analytics | Processor | -| Windows Defender Advanced Threat Detection (ATP) | Processor | - -*Table 1: Windows 10 GDPR modes of operations for different Windows 10 services* - -*/*Depending on which application/feature this is referring to.* - -## Windows diagnostic data and Windows 10 - - -### Recommended Windows 10 settings - -Windows diagnostic data collection level for Windows 10 can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques. - -* For Windows 10, version 1803 and version 1809, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics). - ->[!NOTE] ->For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). - -* For Windows 10, version 1709, and Windows 10, version 1703, the recommended Windows diagnostic level configuration for EEA and Switzerland commercial users is “Basic”. - ->[!NOTE] ->For Windows 7, Microsoft recommends [configuring enterprise devices for Windows Analytics](/windows/deployment/update/windows-analytics-get-started) to facilitate upgrade planning to Windows 10. - -### Additional information for Windows Analytics - -Some Windows Analytics solutions and functionality, such as Update Compliance, works with “Basic” as minimum Windows diagnostic level. Other solutions and functionality of Windows Analytics, such as Device Health, require “Enhanced”. - -Those organizations who wish to share the smallest set of events for Windows Analytics and have set the Windows diagnostic level to “Enhanced” can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” setting. This filtering mechanism was that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics. - ->[!NOTE] ->Additional information can be found at [Windows Analytics and privacy](/windows/deployment/update/windows-analytics-privacy -). - -## Controlling Windows 10 data collection and notification about it - -Windows 10 sends diagnostic data to Microsoft services, and some of that data can contain personal data. Both the user and the IT organization have the ability to control the transmission of that data to Microsoft. - -### Adjusting privacy settings by the user - -A user has the ability to adjust additional privacy settings in Windows by navigating to *Start > Settings > Privacy*. For example, a user can control if location is enabled or disabled, whether or not to transmit feedback on inking and typing input to Microsoft for improving the personal accuracy of these services, or if Windows collects activities for syncing it with other devices. - -For a standard user in an organization, some privacy settings might be controlled by their IT department. This is done using Group Policies or Mobile Device Management (MDM) settings. If this is the case, the user will see an alert that says ‘Some settings are hidden or managed by your organization’ when they navigate to *Start > Settings > Privacy*. As such, the user can only change some settings, but not all. - -### Users can lower the diagnostic level - -Starting with Windows 10, version 1803, a user can change the Windows diagnostics data level for their device below to what was set by their IT department. Organizations can allow or disallow this feature by configuring the Group Policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface** or the MDM policy **ConfigureTelemetryOptInSettingsUx**. - -If an IT organization has not disabled this policy, users within the organization can change their own Windows diagnostic data collection level in *Start > Settings > Privacy > Diagnostics & feedback*. For example, if the IT organization enabled this policy and set the level to “Full”, a user can modify the Windows diagnostics data level setting to “Basic”. - -### Notification at logon - -Windows 10, version 1803, and later can provide users with a notification during their logon. If the IT organization has not disabled the Group Policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in change notifications** or the MDM policy **ConfigureTelemetryOptInChangeNotification**, Windows diagnostic data notifications can appear at logon so that the users of a device are aware of the data collection. - -This notification can also be shown when the diagnostic level for the device was changed. For instance, if the diagnostic level on the device is set to “Basic” and the IT organization changes it to “Full”, users will be notified on their next logon. - -### Diagnostic Data Viewer (DDV) - -In Windows 10, version 1803 and later, users can invoke the [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) to see what Windows diagnostic data is collected on their local device. This app lets a user review the diagnostic data collected on his device that is being sent to Microsoft. The DDV groups the information into simple categories based on how it is used by Microsoft. - -A user can turn on Windows diagnostic data viewing by going to go to *Start > Settings > Privacy > Diagnostics & feedback*. Under the ‘Diagnostic data viewer’ section, the user has to enable the ‘If data viewing is enabled, you can see your diagnostics data’ option. After DDV is installed on the device, the user can start it by clicking the ‘Diagnostic Data Viewer’ in the ‘Diagnostic data viewer’ section of *Start > Settings > Privacy > Diagnostics & feedback*. - -Also, the user can delete all Windows diagnostic data collected from the device. This is done by clicking the ‘Delete’ button in the ‘Delete diagnostic data’ section of *Start > Settings > Privacy > Diagnostics & feedback*. - -### Windows 10 personal data services configuration - -Microsoft assembled a list of Windows 10 services configuration settings that are useful for personal data privacy protection and related regulations, such as the General Data Protection Regulation (GDPR). There is one section with settings for service data that is managed at Microsoft and a section for local data that is managed by an IT organization. - -IT Professionals that are interested in this configuration, see [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md). - -### Windows 10 connections to Microsoft - -To find out more about the network connections that Windows components make to Microsoft as well as the privacy settings that affect data shared with either Microsoft or apps, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) and [Manage Windows 10 connection endpoints](manage-windows-endpoints.md). These articles describe how these settings can be managed by an IT Professional. - -### At-a-glance: the relationship between an IT organization and the GDPR - -Because Microsoft is a controller for data collected by Windows 10, the user can work with Microsoft to satisfy GDPR requirements. While this relationship between Microsoft and a user is evident in a consumer scenario, an IT organization can influence that relationship in an enterprise scenario. For example, the IT organization has the ability to centrally configure the Windows diagnostic data level by using Group Policy or MDM settings. - -## Windows Server - -Windows Server follows the same mechanisms as Windows 10 for handling of personal data – for example, when collecting Windows diagnostic data. - -More detailed information about Windows Server and the GDPR is available at Beginning your General Data Protection Regulation (GDPR) journey for Windows Server. - -### Windows diagnostic data and Windows Server - -The lowest diagnostic data setting level supported on Windows Server 2016 and Windows Server 2019 through management policies is “Security”. The lowest diagnostic data setting supported through the Settings UI is “Basic”. The default diagnostic data level for all Windows Server 2016 and Windows Server 2019 editions is “Enhanced”. - -IT administrators can configure the Windows Server diagnostic data settings using familiar management tools, such as Group Policy, MDM, or Windows Provisioning. IT administrators can also manually change settings using Registry Editor. Setting the Windows Server diagnostic data levels through a management policy overrides any device-level settings. - -There are two options for deleting Windows diagnostic data from a Windows Server machine: - -- If the “Desktop Experience” option was chosen during the installation of Windows Server 2019, then there are the same options available for an IT administrator that end users have with Windows 10, version 1803 and version 1809, to submit a request for deleting that device’s diagnostic data. This is done by clicking the **Delete** button in the **Delete diagnostic data** section of **Start > Settings > Privacy > Diagnostics & feedback**. -- Microsoft has provided a [PowerShell cmdlet](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata) that IT administrators can use to delete Windows diagnostic data via the command line on a machine running Windows Server 2016 or Windows Server 2019. This cmdlet provides the same functionality for deleting Windows diagnostic data as with Desktop Experience on Windows Server 2019. For more information, see [the PowerShell Gallery](https://www.powershellgallery.com/packages/WindowsDiagnosticData). - -### Backups and Windows Server - -Backups, including live backups and backups that are stored locally within an organization or in the cloud, can contain personal data. - -- Backups an organizations creates, for example by using Windows Server Backup (WSB), are under its control. For example, for exporting personal data contained in a backup, the organization needs to restore the appropriate backup sets to facilitate the respective data subject request (DSR). -- The GDPR also applies when storing backups in the cloud. For example, an organization can use Microsoft Azure Backup to backup files and folders from physical or virtual Windows Server machines (located on-premises or in Azure) to the cloud. The organization that is subscribed to this backup service also has the obligation to restore the data in order to exercise the respective DSR. - -## Windows 10 Team Edition, Version 1703 for Surface Hub - -Surface Hub is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. For removing Windows diagnostic data sent to Microsoft for a Surface Hub, Microsoft created the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store. - ->[!NOTE] ->Additional apps running on the device, that are not delivered as part of the in-box experience of Surface Hub, may implement their own diagnostic data collection and transmission functionality independently to collect and process personal data. Please contact the app publisher for further guidance on how to control this. - -An IT administrator can configure privacy- related settings, such as setting the Windows diagnostic data level to Basic. Surface Hub does not support group policy for centralized management; however, IT administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, please see [Manage settings with an MDM provider](https://docs.microsoft.com/surface-hub/manage-settings-with-mdm-for-surface-hub). - -## Further reading - -### Optional settings / features that further improve the protection of personal data - -Personal data protection is one of the goals of the GDPR. One way of improving personal data protection is to use the modern and advanced security features of Windows 10. An IT organization can learn more at [Mitigate threats by using Windows 10 security features](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10) and [Standards for a highly secure Windows 10 device](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-highly-secure). - ->[!NOTE] ->Some of these features might require a particular Windows hardware, such as a computer with a Trusted Platform Module (TPM) chip, and can depend on a particular Windows product (such as Windows 10 E5). - -### Windows Security Baselines - -Microsoft has created Windows Security Baselines to efficiently configure Windows 10 and Windows Server. For more information, please visit [Windows Security Baselines](/windows/security/threat-protection/windows-security-baselines). - -### Windows Restricted Traffic Limited Functionality Baseline - -To make it easier to deploy settings that restrict connections from Windows 10 and Windows Server to Microsoft, IT Professionals can apply the Windows Restricted Traffic Limited Functionality Baseline, available [here](https://go.microsoft.com/fwlink/?linkid=828887). - ->[!IMPORTANT] ->Some of the settings of the Windows Restricted Traffic Limited Functionality Baseline will reduce the functionality and security configuration of a device in the organization and are therefore not recommended. - -### Microsoft Trust Center and Service Trust Portal - -Please visit our [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/privacy/gdpr) to obtain additional resources and to learn more about how Microsoft can help you fulfill specific GDPR requirements. There you can find lots of useful information about the GDPR, including how Microsoft is helping customers to successfully master the GDPR, a FAQ list, and a list of [resources for GDPR compliance](https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/resources). Also, please check out the [Compliance Manager](https://aka.ms/compliancemanager) of the Microsoft [Service Trust Portal (STP)](https://aka.ms/stp) and [Get Started: Support for GDPR Accountability](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted). - -### Additional resources - -#### FAQs - -* [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy) -* [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy) -* [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy) -* [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense) - -#### Blogs - -* [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10) - -#### Privacy Statement - -* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) - -#### Other resources - -* [Privacy at Microsoft](https://privacy.microsoft.com/) +--- +title: Windows and the GDPR-Information for IT Administrators and Decision Makers +description: Use this topic to understand the relationship between users in your organization and Microsoft in the context of the GDPR (General Data Protection Regulation). +keywords: privacy, GDPR, windows, IT +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: high +audience: ITPro +author: dansimp +ms.author: dansimp +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 05/11/2018 +ms.reviewer: +--- +# Windows and the GDPR: Information for IT Administrators and Decision Makers + +Applies to: +- Windows 10, version 1809 +- Windows 10, version 1803 +- Windows 10, version 1709 +- Windows 10, version 1703 +- Windows 10 Team Edition, version 1703 for Surface Hub +- Windows Server 2019 +- Windows Server 2016 +- Windows Analytics + +This topic provides IT Decision Makers with a basic understanding of the relationship between users in an organization and Microsoft in the context of the GDPR (General Data Protection Regulation). You will also learn what role an IT organization plays for that relationship. + +For more information about the GDPR, see: +* [Microsoft GDPR Overview](https://aka.ms/GDPROverview) +* [Microsoft Trust Center FAQs about the GDPR](https://aka.ms/gdpr-faq) +* [Microsoft Service Trust Portal (STP)](https://aka.ms/stp) +* [Get Started: Support for GDPR Accountability](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted) + +## GDPR fundamentals + +Here are some GDPR fundamentals: + +* On May 25, 2018, this EU data privacy law is implemented. It sets a new global bar for data privacy rights, security, and compliance. +* The GDPR is fundamentally about protecting and enabling the privacy rights of individuals – both customers and employees. +* The European law establishes strict global data privacy requirements governing how organizations manage and protect personal data while respecting individual choice – no matter where data is sent, processed, or stored. +* A request by an individual to an organization to take an action on their personal data is referred to here as a *data subject request*, or *DSR*. + +Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR required significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization. + +### What is personal data under the GDPR? + +Article 4 (1) of [the GDPR](http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=en) defines personal data as any information relating to an identified or identifiable person. There is no distinction between a person’s private, public, or work roles. As defined by the GDPR, personal data includes, but is not limited to: +* Name +* Email address +* Credit card numbers +* IP addresses +* Social media posts +* Location information +* Handwriting patterns +* Voice input to cloud-based speech services + +### Controller and processor under the GDPR: Who does what + +#### Definition + +The GDPR describes specific requirements for allocating responsibility for controller and processor activities related to personal data. Thus, every organization that processes personal data must determine whether it is acting as a controller or processor for a specific scenario. + +* **Controller**: GDPR Article 4 (7) defines the ‘controller’ as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. +* **Processor**: According to the GDPR Article 4 (8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. + +#### Controller scenario + +For example, when an organization is using Microsoft Windows Defender Advanced Threat Protection (ATP) to detect, investigate, and respond to advanced threats on their networks as part of their IT operations, that organization is collecting data from the user’s device – data, that might include personal data. In this scenario, the organization is the *controller* of the respective personal data, since the organization controls the purpose and means of the processing for data being collected from the devices that have Windows Defender ATP enabled. + +#### Processor scenario + +In the controller scenario described above, Microsoft is a *processor* because Microsoft provides data processing services to that controller (in the given example, an organization that subscribed to Windows Defender ATP and enabled it for the user’s device). As processor, Microsoft only processes data on behalf of the enterprise customer and does not have the right to process data beyond their instructions as specified in a written contract, such as the [Microsoft Product Terms and the Microsoft Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products.aspx). + +## GDPR relationship between a Windows 10 user and Microsoft + +For Windows 10 services, Microsoft usually is the controller (with exceptions, such as Windows Defender ATP). The following sections describe what that means for the related data. + +### Types of data exchanged with Microsoft + +Microsoft collects data from or generates data through interactions with users of Windows 10 devices. This information can contain personal data, as defined in [Article 4 (1) of the GDPR](http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=EN), that may be used to provide, support, and improve Windows 10 services. + +Microsoft discloses data collection and privacy practices in detail, for example: +* As part of the Windows 10 installation; +* In the Windows 10 privacy settings; +* Via the web-based [Microsoft Privacy dashboard](https://account.microsoft.com/privacy); and +* In the [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). + +It is important to differentiate between two distinct types of data Windows services are dealing with. + +#### Windows functional data + +A user action, such as performing a Skype call, usually triggers the collection and transmission of Windows *functional data*. Some Windows components and applications connecting to Microsoft services also exchange Windows functional data to provide user functionality. + +Some other examples of Windows functional data: +* The Weather app which can use the device’s location to retrieve local weather or community news. +* Wallpaper and desktop settings that are synchronized across multiple devices. + +For more info on how IT Professionals can manage Windows functional data sent from an organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). + +#### Windows diagnostic data + +Windows diagnostic data is used to keep the operating system secure and up-to-date, troubleshoot problems, and make product improvements. The data is encrypted before being sent back to Microsoft. + +Some examples of diagnostic data include: +* The type of hardware being used, information about installed apps and usage details, and reliability data on drivers running on the device. +* For users who have turned on “Tailored experiences”, it can be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for the needs of the user. + +Diagnostic data is categorized into the levels "Security", "Basic", "Enhanced", and "Full". For a detailed discussion about these diagnostic data levels please see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). To find more about what information is collected and how it is handled, see [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data). + +>[!IMPORTANT] +>Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data. Please contact the publisher for further guidance on how to control the diagnostic data collection level and transmission of these applications and services. + +### Windows services where Microsoft is the processor under the GDPR + +Most Windows 10 services are controller services in terms of the GDPR – for both Windows functional data and Windows diagnostic data. But there are a few Windows services where Microsoft is a processor for functional data under the GDPR, such as [Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics) and [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/windowsforbusiness/windows-atp). + +>[!NOTE] +>Both Windows Analytics and Windows Defender ATP are subscription services for organizations. Some functionality requires a certain license (please see [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare)). + +#### Windows Analytics + +[Windows Analytics](https://www.microsoft.com/en-us/windowsforbusiness/windows-analytics) is a service that provides rich, actionable information for helping organizations to gain deep insights into the operational efficiency and health of the Windows devices in their environment. It uses Windows diagnostic data from devices enrolled by the IT organization of an enterprise into the Windows Analytics service. + +Windows [transmits Windows diagnostic data](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) to Microsoft datacenters, where that data is analyzed and stored. With Windows Analytics, the IT organization can then view the analyzed data to detect and fix issues or to improve their processes for upgrading to Windows 10. + +As a result, in terms of the GDPR, the organization that has subscribed to Windows Analytics is acting as the controller, while Microsoft is the processor for Windows Analytics. +>[!NOTE] +>The IT organization must explicitly enable Windows Analytics for a device after the organization subscribes. + +>[!IMPORTANT] +>Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for an enrolled device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device. + +#### Windows Defender ATP + +[Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) is cloud-based service that collects and analyzes usage data from an organization’s devices to detect security threats. Some of the data can contain personal data as defined by the GDPR. Enrolled devices transmit usage data to Microsoft datacenters, where that data is analyzed, processed, and stored. The security operations center (SOC) of the organization can view the analyzed data using the [Windows Defender ATP portal](https://securitycenter.windows.com/). + +As a result, in terms of the GDPR, the organization that has subscribed to Windows Defender ATP is acting as the controller, while Microsoft is the processor for Windows Defender ATP. + +>[!NOTE] +>The IT organization must explicitly enable Windows Defender ATP for a device after the organization subscribes. + +#### At a glance – Windows 10 services GDPR mode of operations + +The following table lists in what GDPR mode – controller or processor – Windows 10 services are operating. + +| Service | Microsoft GDPR mode of operation | +| --- | --- | +| Windows Functional data | Controller or Processor* | +| Windows Diagnostic data | Controller | +| Windows Analytics | Processor | +| Windows Defender Advanced Threat Detection (ATP) | Processor | + +*Table 1: Windows 10 GDPR modes of operations for different Windows 10 services* + +*/*Depending on which application/feature this is referring to.* + +## Windows diagnostic data and Windows 10 + + +### Recommended Windows 10 settings + +Windows diagnostic data collection level for Windows 10 can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques. + +* For Windows 10, version 1803 and version 1809, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics). + +>[!NOTE] +>For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). + +* For Windows 10, version 1709, and Windows 10, version 1703, the recommended Windows diagnostic level configuration for EEA and Switzerland commercial users is “Basic”. + +>[!NOTE] +>For Windows 7, Microsoft recommends [configuring enterprise devices for Windows Analytics](/windows/deployment/update/windows-analytics-get-started) to facilitate upgrade planning to Windows 10. + +### Additional information for Windows Analytics + +Some Windows Analytics solutions and functionality, such as Update Compliance, works with “Basic” as minimum Windows diagnostic level. Other solutions and functionality of Windows Analytics, such as Device Health, require “Enhanced”. + +Those organizations who wish to share the smallest set of events for Windows Analytics and have set the Windows diagnostic level to “Enhanced” can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” setting. This filtering mechanism was that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics. + +>[!NOTE] +>Additional information can be found at [Windows Analytics and privacy](/windows/deployment/update/windows-analytics-privacy +). + +## Controlling Windows 10 data collection and notification about it + +Windows 10 sends diagnostic data to Microsoft services, and some of that data can contain personal data. Both the user and the IT organization have the ability to control the transmission of that data to Microsoft. + +### Adjusting privacy settings by the user + +A user has the ability to adjust additional privacy settings in Windows by navigating to *Start > Settings > Privacy*. For example, a user can control if location is enabled or disabled, whether or not to transmit feedback on inking and typing input to Microsoft for improving the personal accuracy of these services, or if Windows collects activities for syncing it with other devices. + +For a standard user in an organization, some privacy settings might be controlled by their IT department. This is done using Group Policies or Mobile Device Management (MDM) settings. If this is the case, the user will see an alert that says ‘Some settings are hidden or managed by your organization’ when they navigate to *Start > Settings > Privacy*. As such, the user can only change some settings, but not all. + +### Users can lower the diagnostic level + +Starting with Windows 10, version 1803, a user can change the Windows diagnostics data level for their device below to what was set by their IT department. Organizations can allow or disallow this feature by configuring the Group Policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface** or the MDM policy **ConfigureTelemetryOptInSettingsUx**. + +If an IT organization has not disabled this policy, users within the organization can change their own Windows diagnostic data collection level in *Start > Settings > Privacy > Diagnostics & feedback*. For example, if the IT organization enabled this policy and set the level to “Full”, a user can modify the Windows diagnostics data level setting to “Basic”. + +### Notification at logon + +Windows 10, version 1803, and later can provide users with a notification during their logon. If the IT organization has not disabled the Group Policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in change notifications** or the MDM policy **ConfigureTelemetryOptInChangeNotification**, Windows diagnostic data notifications can appear at logon so that the users of a device are aware of the data collection. + +This notification can also be shown when the diagnostic level for the device was changed. For instance, if the diagnostic level on the device is set to “Basic” and the IT organization changes it to “Full”, users will be notified on their next logon. + +### Diagnostic Data Viewer (DDV) + +In Windows 10, version 1803 and later, users can invoke the [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) to see what Windows diagnostic data is collected on their local device. This app lets a user review the diagnostic data collected on his device that is being sent to Microsoft. The DDV groups the information into simple categories based on how it is used by Microsoft. + +A user can turn on Windows diagnostic data viewing by going to go to *Start > Settings > Privacy > Diagnostics & feedback*. Under the ‘Diagnostic data viewer’ section, the user has to enable the ‘If data viewing is enabled, you can see your diagnostics data’ option. After DDV is installed on the device, the user can start it by clicking the ‘Diagnostic Data Viewer’ in the ‘Diagnostic data viewer’ section of *Start > Settings > Privacy > Diagnostics & feedback*. + +Also, the user can delete all Windows diagnostic data collected from the device. This is done by clicking the ‘Delete’ button in the ‘Delete diagnostic data’ section of *Start > Settings > Privacy > Diagnostics & feedback*. + +### Windows 10 personal data services configuration + +Microsoft assembled a list of Windows 10 services configuration settings that are useful for personal data privacy protection and related regulations, such as the General Data Protection Regulation (GDPR). There is one section with settings for service data that is managed at Microsoft and a section for local data that is managed by an IT organization. + +IT Professionals that are interested in this configuration, see [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md). + +### Windows 10 connections to Microsoft + +To find out more about the network connections that Windows components make to Microsoft as well as the privacy settings that affect data shared with either Microsoft or apps, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) and [Manage Windows 10 connection endpoints](manage-windows-endpoints.md). These articles describe how these settings can be managed by an IT Professional. + +### At-a-glance: the relationship between an IT organization and the GDPR + +Because Microsoft is a controller for data collected by Windows 10, the user can work with Microsoft to satisfy GDPR requirements. While this relationship between Microsoft and a user is evident in a consumer scenario, an IT organization can influence that relationship in an enterprise scenario. For example, the IT organization has the ability to centrally configure the Windows diagnostic data level by using Group Policy or MDM settings. + +## Windows Server + +Windows Server follows the same mechanisms as Windows 10 for handling of personal data – for example, when collecting Windows diagnostic data. + +More detailed information about Windows Server and the GDPR is available at Beginning your General Data Protection Regulation (GDPR) journey for Windows Server. + +### Windows diagnostic data and Windows Server + +The lowest diagnostic data setting level supported on Windows Server 2016 and Windows Server 2019 through management policies is “Security”. The lowest diagnostic data setting supported through the Settings UI is “Basic”. The default diagnostic data level for all Windows Server 2016 and Windows Server 2019 editions is “Enhanced”. + +IT administrators can configure the Windows Server diagnostic data settings using familiar management tools, such as Group Policy, MDM, or Windows Provisioning. IT administrators can also manually change settings using Registry Editor. Setting the Windows Server diagnostic data levels through a management policy overrides any device-level settings. + +There are two options for deleting Windows diagnostic data from a Windows Server machine: + +- If the “Desktop Experience” option was chosen during the installation of Windows Server 2019, then there are the same options available for an IT administrator that end users have with Windows 10, version 1803 and version 1809, to submit a request for deleting that device’s diagnostic data. This is done by clicking the **Delete** button in the **Delete diagnostic data** section of **Start > Settings > Privacy > Diagnostics & feedback**. +- Microsoft has provided a [PowerShell cmdlet](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata) that IT administrators can use to delete Windows diagnostic data via the command line on a machine running Windows Server 2016 or Windows Server 2019. This cmdlet provides the same functionality for deleting Windows diagnostic data as with Desktop Experience on Windows Server 2019. For more information, see [the PowerShell Gallery](https://www.powershellgallery.com/packages/WindowsDiagnosticData). + +### Backups and Windows Server + +Backups, including live backups and backups that are stored locally within an organization or in the cloud, can contain personal data. + +- Backups an organizations creates, for example by using Windows Server Backup (WSB), are under its control. For example, for exporting personal data contained in a backup, the organization needs to restore the appropriate backup sets to facilitate the respective data subject request (DSR). +- The GDPR also applies when storing backups in the cloud. For example, an organization can use Microsoft Azure Backup to backup files and folders from physical or virtual Windows Server machines (located on-premises or in Azure) to the cloud. The organization that is subscribed to this backup service also has the obligation to restore the data in order to exercise the respective DSR. + +## Windows 10 Team Edition, Version 1703 for Surface Hub + +Surface Hub is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. For removing Windows diagnostic data sent to Microsoft for a Surface Hub, Microsoft created the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store. + +>[!NOTE] +>Additional apps running on the device, that are not delivered as part of the in-box experience of Surface Hub, may implement their own diagnostic data collection and transmission functionality independently to collect and process personal data. Please contact the app publisher for further guidance on how to control this. + +An IT administrator can configure privacy- related settings, such as setting the Windows diagnostic data level to Basic. Surface Hub does not support group policy for centralized management; however, IT administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, please see [Manage settings with an MDM provider](https://docs.microsoft.com/surface-hub/manage-settings-with-mdm-for-surface-hub). + +## Further reading + +### Optional settings / features that further improve the protection of personal data + +Personal data protection is one of the goals of the GDPR. One way of improving personal data protection is to use the modern and advanced security features of Windows 10. An IT organization can learn more at [Mitigate threats by using Windows 10 security features](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10) and [Standards for a highly secure Windows 10 device](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-highly-secure). + +>[!NOTE] +>Some of these features might require a particular Windows hardware, such as a computer with a Trusted Platform Module (TPM) chip, and can depend on a particular Windows product (such as Windows 10 E5). + +### Windows Security Baselines + +Microsoft has created Windows Security Baselines to efficiently configure Windows 10 and Windows Server. For more information, please visit [Windows Security Baselines](/windows/security/threat-protection/windows-security-baselines). + +### Windows Restricted Traffic Limited Functionality Baseline + +To make it easier to deploy settings that restrict connections from Windows 10 and Windows Server to Microsoft, IT Professionals can apply the Windows Restricted Traffic Limited Functionality Baseline, available [here](https://go.microsoft.com/fwlink/?linkid=828887). + +>[!IMPORTANT] +>Some of the settings of the Windows Restricted Traffic Limited Functionality Baseline will reduce the functionality and security configuration of a device in the organization and are therefore not recommended. + +### Microsoft Trust Center and Service Trust Portal + +Please visit our [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/privacy/gdpr) to obtain additional resources and to learn more about how Microsoft can help you fulfill specific GDPR requirements. There you can find lots of useful information about the GDPR, including how Microsoft is helping customers to successfully master the GDPR, a FAQ list, and a list of [resources for GDPR compliance](https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/resources). Also, please check out the [Compliance Manager](https://aka.ms/compliancemanager) of the Microsoft [Service Trust Portal (STP)](https://aka.ms/stp) and [Get Started: Support for GDPR Accountability](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted). + +### Additional resources + +#### FAQs + +* [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy) +* [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy) +* [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy) +* [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense) + +#### Blogs + +* [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10) + +#### Privacy Statement + +* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) + +#### Other resources + +* [Privacy at Microsoft](https://privacy.microsoft.com/) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 53034ea742..9f89972a1f 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -18,17 +18,17 @@ ms.date: 3/1/2019 - Windows 10 Enterprise 1903 version and newer -You can use Microsoft InTune with MDM CSPs and custom [OMA URIs](https://docs.microsoft.com/en-us/intune/custom-settings-windows-10) to minimize connections from Windows to Microsoft services, or to configure particular privacy settings. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. +You can use Microsoft InTune with MDM CSPs and custom [OMA URIs](https://docs.microsoft.com/intune/custom-settings-windows-10) to minimize connections from Windows to Microsoft services, or to configure particular privacy settings. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. -To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy. +To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy. You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. Note, there is some traffic which is required (i.e. "whitelisted") for the operation of Windows and the Microsoft InTune based management. This traffic includes CRL and OCSP network traffic which will show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. Additional whitelisted traffic specifically for MDM managed devices includes Windows Notification Service related traffic as well as some specific Microsoft InTune and Windows Update related traffic. -For more information on Microsoft InTune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/en-us/intune/). +For more information on Microsoft InTune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/). -For detailed information about managing network connections to Microsoft services using Registries, Group Policies, or UI see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services). +For detailed information about managing network connections to Microsoft services using Registries, Group Policies, or UI see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services). The endpoints for the MDM “whitelisted” traffic are in the [Whitelisted Traffic](#bkmk-mdm-whitelist). @@ -43,76 +43,76 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt | Setting | MDM Policy | Description | | --- | --- | --- | | 1. Automatic Root Certificates Update | There is intentionally no MDM available for Automatic Root Certificate Update. | This MDM does not exist since it would prevent the operation and management of MDM management of devices. -| 2. Cortana and Search | [Experience/AllowCortana](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | Choose whether to let Cortana install and run on the device. **Set to 0 (zero)** -| | [Search/AllowSearchToUseLocation](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation) | Choose whether Cortana and Search can provide location-aware search results. **Set to 0 (zero)** -| 3. Date & Time | [Settings/AllowDateTime](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-settings#settings-allowdatetime)| Allows the user to change date and time settings. **Set to 0 (zero)** -| 4. Device metadata retrieval | [DeviceInstallation/PreventDeviceMetadataFromNetwork](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork) | Choose whether to prevent Windows from retrieving device metadata from the Internet. **Set to Enabled** -| 5. Find My Device | [Experience/AllowFindMyDevice](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice)| This policy turns on Find My Device. **Set to 0 (zero)** -| 6. Font streaming | [System/AllowFontProviders](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowfontproviders) | Setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. **Set to 0 (zero)** -| 7. Insider Preview builds | [System/AllowBuildPreview](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowbuildpreview) | This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. **Set to 0 (zero)** -| 8. Internet Explorer | The following Microsoft Internet Explorer MDM policies are available in the [Internet Explorer CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer) | -| | [InternetExplorer/AllowSuggestedSites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-allowsuggestedsites) | Recommends websites based on the user’s browsing activity. **Set to Disabled** -| | [InternetExplorer/PreventManagingSmartScreenFilter]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-preventmanagingsmartscreenfilter) | Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. **Set to Enabled** -| | [InternetExplorer/DisableFlipAheadFeature]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disableflipaheadfeature) | Determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website. **Set to Enabled** -| | [InternetExplorer/DisableHomePageChange]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disablehomepagechange) | Determines whether users can change the default Home Page or not. **Set to Enabled** -| | [InternetExplorer/DisableFirstRunWizard]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disablefirstrunwizard) | Prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. **Set to Enabled** -| 9. Live Tiles | [Notifications/DisallowTileNotification](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-notifications)| This policy setting turns off tile notifications. If you enable this policy setting applications and system features will not be able to update their tiles and tile badges in the Start screen. **Set to Enabled** -| 10. Mail synchronization | [Accounts/AllowMicrosoftAccountConnection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection) | Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. **Set to 0 (zero)** -| 11. Microsoft Account | [Accounts/AllowMicrosoftAccountSignInAssistant](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountsigninassistant) | Disable the Microsoft Account Sign-In Assistant. **Set to 0 (zero)** +| 2. Cortana and Search | [Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | Choose whether to let Cortana install and run on the device. **Set to 0 (zero)** +| | [Search/AllowSearchToUseLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation) | Choose whether Cortana and Search can provide location-aware search results. **Set to 0 (zero)** +| 3. Date & Time | [Settings/AllowDateTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-settings#settings-allowdatetime)| Allows the user to change date and time settings. **Set to 0 (zero)** +| 4. Device metadata retrieval | [DeviceInstallation/PreventDeviceMetadataFromNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork) | Choose whether to prevent Windows from retrieving device metadata from the Internet. **Set to Enabled** +| 5. Find My Device | [Experience/AllowFindMyDevice](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice)| This policy turns on Find My Device. **Set to 0 (zero)** +| 6. Font streaming | [System/AllowFontProviders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowfontproviders) | Setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. **Set to 0 (zero)** +| 7. Insider Preview builds | [System/AllowBuildPreview](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowbuildpreview) | This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. **Set to 0 (zero)** +| 8. Internet Explorer | The following Microsoft Internet Explorer MDM policies are available in the [Internet Explorer CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer) | +| | [InternetExplorer/AllowSuggestedSites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-allowsuggestedsites) | Recommends websites based on the user’s browsing activity. **Set to Disabled** +| | [InternetExplorer/PreventManagingSmartScreenFilter]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-preventmanagingsmartscreenfilter) | Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. **Set to Enabled** +| | [InternetExplorer/DisableFlipAheadFeature]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disableflipaheadfeature) | Determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website. **Set to Enabled** +| | [InternetExplorer/DisableHomePageChange]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disablehomepagechange) | Determines whether users can change the default Home Page or not. **Set to Enabled** +| | [InternetExplorer/DisableFirstRunWizard]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disablefirstrunwizard) | Prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. **Set to Enabled** +| 9. Live Tiles | [Notifications/DisallowTileNotification](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-notifications)| This policy setting turns off tile notifications. If you enable this policy setting applications and system features will not be able to update their tiles and tile badges in the Start screen. **Set to Enabled** +| 10. Mail synchronization | [Accounts/AllowMicrosoftAccountConnection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection) | Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. **Set to 0 (zero)** +| 11. Microsoft Account | [Accounts/AllowMicrosoftAccountSignInAssistant](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountsigninassistant) | Disable the Microsoft Account Sign-In Assistant. **Set to 0 (zero)** | 12. Microsoft Edge | | The following Microsoft Edge MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/available-policies). -| | [Browser/AllowAutoFill](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) | Choose whether employees can use autofill on websites. **Set to 0 (zero)** -| | [Browser/AllowDoNotTrack](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) | Choose whether employees can send Do Not Track headers. **Set to 0 (zero)** -| | [Browser/AllowMicrosoftCompatbilityList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) | Specify the Microsoft compatibility list in Microsoft Edge. **Set to 0 (zero)** -| | [Browser/AllowPasswordManager](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | Choose whether employees can save passwords locally on their devices. **Set to 0 (zero)** -| | [Browser/AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) | Choose whether the Address Bar shows search suggestions. **Set to 0 (zero)** -| | [Browser/AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | Choose whether SmartScreen is turned on or off. **Set to 0 (zero)** -| 13. Network Connection Status Indicator | [Connectivity/DisallowNetworkConnectivityActiveTests](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-connectivity#connectivity-disallownetworkconnectivityactivetests) | Note: After you apply this policy you must restart the device for the policy setting to take effect. **Set to 1 (one)** -| 14. Offline maps | [AllowOfflineMapsDownloadOverMeteredConnection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-maps)|Allows the download and update of map data over metered connections.
**Set to 0 (zero)** -| | [EnableOfflineMapsAutoUpdate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-maps#maps-enableofflinemapsautoupdate)|Disables the automatic download and update of map data. **Set to 0 (zero)** -| 15. OneDrive | [DisableOneDriveFileSync](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-disableonedrivefilesync)| Allows IT Admins to prevent apps and features from working with files on OneDrive. **Set to 1 (one)** +| | [Browser/AllowAutoFill](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) | Choose whether employees can use autofill on websites. **Set to 0 (zero)** +| | [Browser/AllowDoNotTrack](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) | Choose whether employees can send Do Not Track headers. **Set to 0 (zero)** +| | [Browser/AllowMicrosoftCompatbilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) | Specify the Microsoft compatibility list in Microsoft Edge. **Set to 0 (zero)** +| | [Browser/AllowPasswordManager](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | Choose whether employees can save passwords locally on their devices. **Set to 0 (zero)** +| | [Browser/AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) | Choose whether the Address Bar shows search suggestions. **Set to 0 (zero)** +| | [Browser/AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | Choose whether SmartScreen is turned on or off. **Set to 0 (zero)** +| 13. Network Connection Status Indicator | [Connectivity/DisallowNetworkConnectivityActiveTests](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-connectivity#connectivity-disallownetworkconnectivityactivetests) | Note: After you apply this policy you must restart the device for the policy setting to take effect. **Set to 1 (one)** +| 14. Offline maps | [AllowOfflineMapsDownloadOverMeteredConnection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-maps)|Allows the download and update of map data over metered connections.
**Set to 0 (zero)** +| | [EnableOfflineMapsAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-maps#maps-enableofflinemapsautoupdate)|Disables the automatic download and update of map data. **Set to 0 (zero)** +| 15. OneDrive | [DisableOneDriveFileSync](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-disableonedrivefilesync)| Allows IT Admins to prevent apps and features from working with files on OneDrive. **Set to 1 (one)** | 16. Preinstalled apps | N/A | N/A | 17. Privacy settings | | Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. -| 17.1 General | [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | This policy setting controls the ability to send inking and typing data to Microsoft. **Set to 0 (zero)** -| 17.2 Location | [System/AllowLocation](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowlocation) | Specifies whether to allow app access to the Location service. **Set to 0 (zero)** -| 17.3 Camera | [Camera/AllowCamera](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-camera#camera-allowcamera) | Disables or enables the camera. **Set to 0 (zero)** -| 17.4 Microphone | [Privacy/LetAppsAccessMicrophone](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone) | Specifies whether Windows apps can access the microphone. **Set to 2 (two)** -| 17.5 Notifications | [Notifications/DisallowCloudNotification](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-notifications#notifications-disallowcloudnotification) | Turn off notifications network usage. **DO NOT TURN OFF WNS Notifications if you want manage your device(s) using Microsoft InTune** -| | [Privacy/LetAppsAccessNotifications](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessnotifications) | Specifies whether Windows apps can access notifications. **Set to 2 (two)** -| | [Settings/AllowOnlineTips]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-settings#settings-allowonlinetips) | Enables or disables the retrieval of online tips and help for the Settings app. **Set to Disabled** -| 17.6 Speech, Inking, & Typing | [Privacy/AllowInputPersonalization](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | This policy specifies whether users on the device have the option to enable online speech recognition. **Set to 0 (zero)** -| | [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection)| This policy setting controls the ability to send inking and typing data to Microsoft **Set to 0 (zero)** -| 17.7 Account info | [Privacy/LetAppsAccessAccountInfo](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessaccountinfo) | Specifies whether Windows apps can access account information. **Set to 2 (two)** -| 17.8 Contacts | [Privacy/LetAppsAccessContacts](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscontacts) | Specifies whether Windows apps can access contacts. **Set to 2 (two)** -| 17.9 Calendar | [Privacy/LetAppsAccessCalendar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscalendar) | Specifies whether Windows apps can access the calendar. **Set to 2 (two)** -| 17.10 Call history | [Privacy/LetAppsAccessCallHistory](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscallhistory) | Specifies whether Windows apps can access account information. **Set to 2 (two)** -| 17.11 Email | [Privacy/LetAppsAccessEmail](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessemail) | Specifies whether Windows apps can access email. **Set to 2 (two)** -| 17.12 Messaging | [Privacy/LetAppsAccessMessaging](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmessaging) | Specifies whether Windows apps can read or send messages (text or MMS). **Set to 2 (two)** -| 17.13 Phone calls | [Privacy/LetAppsAccessPhone](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone) | Specifies whether Windows apps can make phone calls. **Set to 2 (two)** -| 17.14 Radios | [Privacy/LetAppsAccessRadios](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessradios) | Specifies whether Windows apps have access to control radios. **Set to 2 (two)** -| 17.15 Other devices | [Privacy/LetAppsSyncWithDevices](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappssyncwithdevices) | Specifies whether Windows apps can sync with devices. **Set to 2 (two)** -| | [Privacy/LetAppsAccessTrustedDevices](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstrusteddevices) | Specifies whether Windows apps can access trusted devices. **Set to 2 (two)** -| 17.16 Feedback & diagnostics | [System/AllowTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | Allow the device to send diagnostic and usage telemetry data, such as Watson. **Set to 0 (zero)** -| | [Experience/DoNotShowFeedbackNotifications](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotshowfeedbacknotifications)| Prevents devices from showing feedback questions from Microsoft. **Set to 1 (one)** -| 17.17 Background apps | [Privacy/LetAppsRunInBackground](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsruninbackground) | Specifies whether Windows apps can run in the background. **Set to 2 (two)** -| 17.18 Motion | [Privacy/LetAppsAccessMotion](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmotion) | Specifies whether Windows apps can access motion data. **Set to 2 (two)** -| 17.19 Tasks | [Privacy/LetAppsAccessTasks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstasks) | Turn off the ability to choose which apps have access to tasks. **Set to 2 (two)** -| 17.20 App Diagnostics | [Privacy/LetAppsGetDiagnosticInfo](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsgetdiagnosticinfo) | Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. **Set to 2 (two)** -| 18. Software Protection Platform | [Licensing/DisallowKMSClientOnlineAVSValidation](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-licensing#licensing-disallowkmsclientonlineavsvalidation) | Opt out of sending KMS client activation data to Microsoft automatically. **Set to 1 (one)** -| 19. Storage Health | [Storage/AllowDiskHealthModelUpdates](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-storage#storage-allowdiskhealthmodelupdates) | Allows disk health model updates. **Set to 0 (zero)** -| 20. Sync your settings | [Experience/AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) | Control whether your settings are synchronized. **Set to 0 (zero)** +| 17.1 General | [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | This policy setting controls the ability to send inking and typing data to Microsoft. **Set to 0 (zero)** +| 17.2 Location | [System/AllowLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowlocation) | Specifies whether to allow app access to the Location service. **Set to 0 (zero)** +| 17.3 Camera | [Camera/AllowCamera](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-camera#camera-allowcamera) | Disables or enables the camera. **Set to 0 (zero)** +| 17.4 Microphone | [Privacy/LetAppsAccessMicrophone](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone) | Specifies whether Windows apps can access the microphone. **Set to 2 (two)** +| 17.5 Notifications | [Notifications/DisallowCloudNotification](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-notifications#notifications-disallowcloudnotification) | Turn off notifications network usage. **DO NOT TURN OFF WNS Notifications if you want manage your device(s) using Microsoft InTune** +| | [Privacy/LetAppsAccessNotifications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessnotifications) | Specifies whether Windows apps can access notifications. **Set to 2 (two)** +| | [Settings/AllowOnlineTips]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-settings#settings-allowonlinetips) | Enables or disables the retrieval of online tips and help for the Settings app. **Set to Disabled** +| 17.6 Speech, Inking, & Typing | [Privacy/AllowInputPersonalization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | This policy specifies whether users on the device have the option to enable online speech recognition. **Set to 0 (zero)** +| | [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection)| This policy setting controls the ability to send inking and typing data to Microsoft **Set to 0 (zero)** +| 17.7 Account info | [Privacy/LetAppsAccessAccountInfo](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessaccountinfo) | Specifies whether Windows apps can access account information. **Set to 2 (two)** +| 17.8 Contacts | [Privacy/LetAppsAccessContacts](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscontacts) | Specifies whether Windows apps can access contacts. **Set to 2 (two)** +| 17.9 Calendar | [Privacy/LetAppsAccessCalendar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscalendar) | Specifies whether Windows apps can access the calendar. **Set to 2 (two)** +| 17.10 Call history | [Privacy/LetAppsAccessCallHistory](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscallhistory) | Specifies whether Windows apps can access account information. **Set to 2 (two)** +| 17.11 Email | [Privacy/LetAppsAccessEmail](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessemail) | Specifies whether Windows apps can access email. **Set to 2 (two)** +| 17.12 Messaging | [Privacy/LetAppsAccessMessaging](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmessaging) | Specifies whether Windows apps can read or send messages (text or MMS). **Set to 2 (two)** +| 17.13 Phone calls | [Privacy/LetAppsAccessPhone](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone) | Specifies whether Windows apps can make phone calls. **Set to 2 (two)** +| 17.14 Radios | [Privacy/LetAppsAccessRadios](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessradios) | Specifies whether Windows apps have access to control radios. **Set to 2 (two)** +| 17.15 Other devices | [Privacy/LetAppsSyncWithDevices](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappssyncwithdevices) | Specifies whether Windows apps can sync with devices. **Set to 2 (two)** +| | [Privacy/LetAppsAccessTrustedDevices](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstrusteddevices) | Specifies whether Windows apps can access trusted devices. **Set to 2 (two)** +| 17.16 Feedback & diagnostics | [System/AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | Allow the device to send diagnostic and usage telemetry data, such as Watson. **Set to 0 (zero)** +| | [Experience/DoNotShowFeedbackNotifications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-donotshowfeedbacknotifications)| Prevents devices from showing feedback questions from Microsoft. **Set to 1 (one)** +| 17.17 Background apps | [Privacy/LetAppsRunInBackground](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsruninbackground) | Specifies whether Windows apps can run in the background. **Set to 2 (two)** +| 17.18 Motion | [Privacy/LetAppsAccessMotion](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmotion) | Specifies whether Windows apps can access motion data. **Set to 2 (two)** +| 17.19 Tasks | [Privacy/LetAppsAccessTasks](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstasks) | Turn off the ability to choose which apps have access to tasks. **Set to 2 (two)** +| 17.20 App Diagnostics | [Privacy/LetAppsGetDiagnosticInfo](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsgetdiagnosticinfo) | Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. **Set to 2 (two)** +| 18. Software Protection Platform | [Licensing/DisallowKMSClientOnlineAVSValidation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-licensing#licensing-disallowkmsclientonlineavsvalidation) | Opt out of sending KMS client activation data to Microsoft automatically. **Set to 1 (one)** +| 19. Storage Health | [Storage/AllowDiskHealthModelUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-allowdiskhealthmodelupdates) | Allows disk health model updates. **Set to 0 (zero)** +| 20. Sync your settings | [Experience/AllowSyncMySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) | Control whether your settings are synchronized. **Set to 0 (zero)** | 21. Teredo | No MDM needed | Teredo is **Off by default**. Delivery Optimization (DO) can turn on Teredo, but DO itself is turned Off via MDM. | 22. Wi-Fi Sense | No MDM needed | Wi-Fi Sense is no longer available from Windows 10 version 1803 and newer. -| 23. Windows Defender | [Defender/AllowCloudProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection) | Disconnect from the Microsoft Antimalware Protection Service. **Set to 0 (zero)** -| | [Defender/SubmitSamplesConsent](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent) | Stop sending file samples back to Microsoft. **Set to 2 (two)** -| 23.1 Windows Defender Smartscreen | [Browser/AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | Disable Windows Defender Smartscreen. **Set to 0 (zero)** -| 23.2 Windows Defender Smartscreen EnableAppInstallControl | [SmartScreen/EnableAppInstallControl](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol) | Controls whether users are allowed to install apps from places other than the Microsoft Store. **Set to 0 (zero)** -| 24. Windows Spotlight | [Experience/AllowWindowsSpotlight](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsspotlight) | Disable Windows Spotlight. **Set to 0 (zero)** -| 25. Microsoft Store | [ApplicationManagement/DisableStoreOriginatedApps](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-disablestoreoriginatedapps)| Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. **Set to 1 (one)** -| | [ApplicationManagement/AllowAppStoreAutoUpdate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate)| Specifies whether automatic update of apps from Microsoft Store are allowed. **Set to 0 (zero)** -| 25.1 Apps for websites | [ApplicationDefaults/EnableAppUriHandlers](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationdefaults#applicationdefaults-enableappurihandlers) | This policy setting determines whether Windows supports web-to-app linking with app URI handlers. **Set to 0 (zero)** +| 23. Windows Defender | [Defender/AllowCloudProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection) | Disconnect from the Microsoft Antimalware Protection Service. **Set to 0 (zero)** +| | [Defender/SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent) | Stop sending file samples back to Microsoft. **Set to 2 (two)** +| 23.1 Windows Defender Smartscreen | [Browser/AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | Disable Windows Defender Smartscreen. **Set to 0 (zero)** +| 23.2 Windows Defender Smartscreen EnableAppInstallControl | [SmartScreen/EnableAppInstallControl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol) | Controls whether users are allowed to install apps from places other than the Microsoft Store. **Set to 0 (zero)** +| 24. Windows Spotlight | [Experience/AllowWindowsSpotlight](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsspotlight) | Disable Windows Spotlight. **Set to 0 (zero)** +| 25. Microsoft Store | [ApplicationManagement/DisableStoreOriginatedApps](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-disablestoreoriginatedapps)| Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. **Set to 1 (one)** +| | [ApplicationManagement/AllowAppStoreAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate)| Specifies whether automatic update of apps from Microsoft Store are allowed. **Set to 0 (zero)** +| 25.1 Apps for websites | [ApplicationDefaults/EnableAppUriHandlers](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationdefaults#applicationdefaults-enableappurihandlers) | This policy setting determines whether Windows supports web-to-app linking with app URI handlers. **Set to 0 (zero)** | 26. Windows Update Delivery Optimization | | The following Delivery Optimization MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). -| | [DeliveryOptimization/DODownloadMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode)| Lets you choose where Delivery Optimization gets or sends updates and apps. **Set to 100 (one hundred)** -| 27. Windows Update | [Update/AllowAutoUpdate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) | Control automatic updates. **Set to 5 (five)** +| | [DeliveryOptimization/DODownloadMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode)| Lets you choose where Delivery Optimization gets or sends updates and apps. **Set to 100 (one hundred)** +| 27. Windows Update | [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) | Control automatic updates. **Set to 5 (five)** ### Allowed traffic ("Whitelisted traffic") for Microsoft InTune / MDM configurations diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index b8f7179b74..98ab45165f 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -41,7 +41,7 @@ Applying the Windows Restricted Traffic Limited Functionality Baseline is the sa It is recommended that you restart a device after making configuration changes to it. Note that **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied. -To use Microsoft InTune cloud based device managment for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm). +To use Microsoft InTune cloud based device managment for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm). We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. @@ -606,7 +606,7 @@ For a complete list of the Microsoft Edge policies, see [Available policies for Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. For more info about NCSI, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx). -In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2016, the URL was [http://www.msftncsi.com](). +In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2016, the URL was `http://www.msftncsi.com`. You can turn off NCSI by doing one of the following: diff --git a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md index f9dbed1a8c..d886aa19d1 100644 --- a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md @@ -1,295 +1,295 @@ ---- -title: Windows 10, version 1709, connection endpoints for non-Enterprise editions -description: Explains what Windows 10 endpoints are used in non-Enterprise editions. -keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: high -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 6/26/2018 -ms.reviewer: ---- -# Windows 10, version 1709, connection endpoints for non-Enterprise editions - - **Applies to** - -- Windows 10 Home, version 1709 -- Windows 10 Professional, version 1709 -- Windows 10 Education, version 1709 - -In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1709. - -We used the following methodology to derive these network endpoints: - -1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). -3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. -4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. - -> [!NOTE] -> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. - -## Windows 10 Home - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.1.msftsrvcs.vo.llnwi.net | HTTP | Used for Windows Update downloads of apps and OS updates. | -| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| *.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| *.dscd.akamai.net | HTTP | Used to download content. | -| *.dspg.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| *.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. | -| *.m1-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | -| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | -| .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| arc.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. | -| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| candycrushsoda.king.com | TLSv1.2 | Used for Candy Crush Saga updates. | -| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. | -| cdn.onenote.net | HTTP | Used for OneNote Live Tile. | -| client-office365-tas.msedge.net | HTTP | Used to connect to the Office 365 portal’s shared infrastructure, including Office. | -| config.edge.skype.com | HTTP | Used to retrieve Skype configuration values. | -| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.purchase.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | -| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | -| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. | -| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | -| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. | -| g.msn.com.nsatc.net | HTTP | Used to retrieve Windows Spotlight metadata. | -| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | -| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). | -| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | -| login.live.com | HTTPS | Used to authenticate a device. | -| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | -| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| msftsrvcs.vo.llnwd.net | HTTP | Enables connections to Windows Update. | -| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| oem.twimg.com | HTTPS | Used for the Twitter Live Tile. | -| oneclient.sfx.ms | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| peer4-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| ris.api.iris.microsoft.com.akadns.net | TLSv1.2\/HTTPS | Used to retrieve Windows Spotlight metadata. | -| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | -| sls.update.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update. | -| star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. | -| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| store-images.s-microsoft.com | HTTP | Used to get images that are used for Microsoft Store suggestions. | -| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | -| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | -| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | -| wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. | -| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | -| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | -| www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. | -| www.facebook.com | HTTPS | Used for the Facebook Live Tile. | -| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | - -## Windows 10 Pro - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.*.akamai.net | HTTP | Used to download content. | -| *.*.akamaiedge.net | TLSv1.2\/HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. | -| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| *.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.dspg.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | -| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | -| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | -| 3.dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| 3.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| arc.msn.com.nsatc.net | TLSv1.3 | Used to retrieve Windows Spotlight metadata. | -| au.download.windowsupdate.com | HTTPS | Used to download operating system patches and updates. | -| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| candycrushsoda.king.com | HTTPS | Used for Candy Crush Saga updates. | -| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. | -| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. | -| client-office365-tas.msedge.net | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office. | -| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. | -| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | -| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | -| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. | -| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| download.windowsupdate.com | HTTP | Enables connections to Windows Update. | -| evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office. | -| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | -| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| fs.microsoft.com | HTTPS | Used to download fonts on demand | -| g.live.com | HTTP | Used by a redirection service to automatically update URLs. | -| g.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| g.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | -| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . | -| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). | -| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | -| login.live.com | HTTPS | Used to authenticate a device. | -| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | -| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| oem.twimg.com | HTTP | Used for the Twitter Live Tile. | -| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. | -| peer1-wst.msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| pti.store.microsoft.com.unistore.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| ris.api.iris.microsoft.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | -| sls.update.microsoft.com | HTTPS | Enables connections to Windows Update. | -| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | -| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | -| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | -| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | -| wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. | -| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | -| www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. | -| www.facebook.com | HTTPS | Used for the Facebook Live Tile. | -| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | - -## Windows 10 Education - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.b.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| *.dscb1.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| *.dscd.akamai.net | HTTP | Used to download content. | -| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.dspw65.akamai.net | HTTP | Used to download content. | -| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamai.net | HTTP | Used to download content. | -| *.g.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.l.windowsupdate.com | HTTP | Enables connections to Windows Update. | -| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates | -| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | -| *prod.do.dsp.mp.microsoft.com | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. | -| *prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. | -| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. | -| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. | -| cds.*.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. | -| co4.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. | -| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | -| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | -| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| download.windowsupdate.com | HTTP | Enables connections to Windows Update. | -| evoke-windowsservices-tas.msedge.net/ab | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office. | -| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | -| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| g.msn.com.nsatc.net | TLSv1.2\/HTTP | Used to retrieve Windows Spotlight metadata. | -| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | -| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . | -| ipv4.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | -| login.live.com/* | HTTPS | Used to authenticate a device. | -| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | -| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| msftconnecttest.com/* | HTTP | Used by Network Connection Status Indicator (NCSI) to detect Internet connectivity and corporate network connectivity status. | -| msnbot-65-52-108-198.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. | -| peer1-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | -| sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | -| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | -| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | -| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | - -| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | -| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | +--- +title: Windows 10, version 1709, connection endpoints for non-Enterprise editions +description: Explains what Windows 10 endpoints are used in non-Enterprise editions. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +audience: ITPro +author: dansimp +ms.author: dansimp +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 6/26/2018 +ms.reviewer: +--- +# Windows 10, version 1709, connection endpoints for non-Enterprise editions + + **Applies to** + +- Windows 10 Home, version 1709 +- Windows 10 Professional, version 1709 +- Windows 10 Education, version 1709 + +In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1709. + +We used the following methodology to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Home + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | +| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. | +| *.1.msftsrvcs.vo.llnwi.net | HTTP | Used for Windows Update downloads of apps and OS updates. | +| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | +| *.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | +| *.dscd.akamai.net | HTTP | Used to download content. | +| *.dspg.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | +| *.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. | +| *.m1-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | +| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | +| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | +| .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | +| 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | +| 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | +| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | +| arc.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. | +| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| candycrushsoda.king.com | TLSv1.2 | Used for Candy Crush Saga updates. | +| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. | +| cdn.onenote.net | HTTP | Used for OneNote Live Tile. | +| client-office365-tas.msedge.net | HTTP | Used to connect to the Office 365 portal’s shared infrastructure, including Office. | +| config.edge.skype.com | HTTP | Used to retrieve Skype configuration values. | +| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| cy2.purchase.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | +| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | +| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. | +| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | +| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. | +| g.msn.com.nsatc.net | HTTP | Used to retrieve Windows Spotlight metadata. | +| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | +| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | +| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). | +| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | +| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | +| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | +| login.live.com | HTTPS | Used to authenticate a device. | +| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | +| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | +| msftsrvcs.vo.llnwd.net | HTTP | Enables connections to Windows Update. | +| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| oem.twimg.com | HTTPS | Used for the Twitter Live Tile. | +| oneclient.sfx.ms | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| peer4-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| ris.api.iris.microsoft.com.akadns.net | TLSv1.2\/HTTPS | Used to retrieve Windows Spotlight metadata. | +| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | +| sls.update.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update. | +| star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. | +| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | +| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| store-images.s-microsoft.com | HTTP | Used to get images that are used for Microsoft Store suggestions. | +| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | +| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | +| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | +| wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. | +| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | +| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | +| www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. | +| www.facebook.com | HTTPS | Used for the Facebook Live Tile. | +| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | + +## Windows 10 Pro + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.*.akamai.net | HTTP | Used to download content. | +| *.*.akamaiedge.net | TLSv1.2\/HTTP | Used to check for updates to maps that have been downloaded for offline use. | +| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. | +| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | +| *.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | +| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | +| *.dspg.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | +| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | +| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | +| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | +| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. | +| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | +| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | +| 3.dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | +| 3.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | +| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | +| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | +| arc.msn.com.nsatc.net | TLSv1.3 | Used to retrieve Windows Spotlight metadata. | +| au.download.windowsupdate.com | HTTPS | Used to download operating system patches and updates. | +| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| candycrushsoda.king.com | HTTPS | Used for Candy Crush Saga updates. | +| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. | +| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. | +| client-office365-tas.msedge.net | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office. | +| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. | +| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | +| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | +| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. | +| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| download.windowsupdate.com | HTTP | Enables connections to Windows Update. | +| evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office. | +| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | +| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| fs.microsoft.com | HTTPS | Used to download fonts on demand | +| g.live.com | HTTP | Used by a redirection service to automatically update URLs. | +| g.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | +| g.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | +| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . | +| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). | +| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | +| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | +| login.live.com | HTTPS | Used to authenticate a device. | +| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | +| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | +| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| oem.twimg.com | HTTP | Used for the Twitter Live Tile. | +| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. | +| peer1-wst.msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | +| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| pti.store.microsoft.com.unistore.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| ris.api.iris.microsoft.com | HTTPS | Used to retrieve Windows Spotlight metadata. | +| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | +| sls.update.microsoft.com | HTTPS | Enables connections to Windows Update. | +| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | +| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | +| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | +| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | +| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | +| wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. | +| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | +| www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. | +| www.facebook.com | HTTPS | Used for the Facebook Live Tile. | +| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | + +## Windows 10 Education + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.b.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | +| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | +| *.dscb1.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | +| *.dscd.akamai.net | HTTP | Used to download content. | +| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | +| *.dspw65.akamai.net | HTTP | Used to download content. | +| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamai.net | HTTP | Used to download content. | +| *.g.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | +| *.l.windowsupdate.com | HTTP | Enables connections to Windows Update. | +| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates | +| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | +| *prod.do.dsp.mp.microsoft.com | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. | +| *prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. | +| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | +| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | +| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. | +| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. | +| cds.*.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. | +| co4.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | +| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. | +| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | +| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | +| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| download.windowsupdate.com | HTTP | Enables connections to Windows Update. | +| evoke-windowsservices-tas.msedge.net/ab | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office. | +| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | +| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | +| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| g.msn.com.nsatc.net | TLSv1.2\/HTTP | Used to retrieve Windows Spotlight metadata. | +| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | +| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | +| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . | +| ipv4.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | +| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | +| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | +| login.live.com/* | HTTPS | Used to authenticate a device. | +| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | +| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | +| msftconnecttest.com/* | HTTP | Used by Network Connection Status Indicator (NCSI) to detect Internet connectivity and corporate network connectivity status. | +| msnbot-65-52-108-198.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. | +| peer1-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | +| sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | +| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | +| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | +| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | +| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | + +| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | +| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | diff --git a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md index 7b3c0d3958..574818973c 100644 --- a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md @@ -1,165 +1,165 @@ ---- -title: Windows 10, version 1803, connection endpoints for non-Enterprise editions -description: Explains what Windows 10 endpoints are used in non-Enterprise editions. -keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: high -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 6/26/2018 -ms.reviewer: ---- -# Windows 10, version 1803, connection endpoints for non-Enterprise editions - - **Applies to** - -- Windows 10 Home, version 1803 -- Windows 10 Professional, version 1803 -- Windows 10 Education, version 1803 - -In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1803. - -We used the following methodology to derive these network endpoints: - -1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). -3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. -4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. - -> [!NOTE] -> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. - -## Windows 10 Family - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ | HTTP | Enables connections to Windows Update. | -| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| arc.msn.com/v3/Delivery/Placement | HTTPS | Used to retrieve Windows Spotlight metadata. | -| client-office365-tas.msedge.net* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office. | -| config.edge.skype.com/config/* | HTTPS | Used to retrieve Skype configuration values. | -| ctldl.windowsupdate.com/msdownload/update* | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. | -| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS). | -| fe2.update.microsoft.com* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| g.live.com/odclientsettings/Prod | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | -| ip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | -| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com/v7.0/licenses/content | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | -| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application. | -| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| ocos-office365-s2s.msedge.net* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | -| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | -| oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry | -| prod.nexusrules.live.com.akadns.net | HTTPS | Office Telemetry | -| query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. | -| ris.api.iris.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. | -| settings.data.microsoft.com/settings/v2.0/* | HTTPS | Used for Windows apps to dynamically update their configuration. | -| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration.  | -| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app | -| sls.update.microsoft.com* | HTTPS | Enables connections to Windows Update. | -| storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| storeedgefd.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. | -| tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| us.configsvc1.live.com.akadns.net | HTTPS | Microsoft Office configuration related traffic | -| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | -| wd-prod-cp-us-east-2-fe.eastus.cloudapp.azure.com | HTTPS | Azure front end traffic | - - -## Windows 10 Pro -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. | -| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | -| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. | -| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| flightingservicewus.cloudapp.net | HTTPS | Insider Program | -| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | -| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | -| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | -| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry | -| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic | - - -## Windows 10 Education - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. | -| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. | -| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. | -| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | -| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office. | -| cloudtile.photos.microsoft.com.akadns.net | HTTPS | Photos App in MS Store -| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  | -| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. | -| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. | -| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. | -| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| flightingservicewus.cloudapp.net | HTTPS | Insider Program | -| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. | -| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application | -| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | -| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | -| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| onecollector.cloudapp.aria.akadns.net | HTTPS | Office telemetry | -| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | -| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app | -| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | -| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | -| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | -| wd-prod-cp-us-west-3-fe.westus.cloudapp.azure.com | HTTPS | Azure front end traffic | -| www.bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | +--- +title: Windows 10, version 1803, connection endpoints for non-Enterprise editions +description: Explains what Windows 10 endpoints are used in non-Enterprise editions. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +audience: ITPro +author: dansimp +ms.author: dansimp +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 6/26/2018 +ms.reviewer: +--- +# Windows 10, version 1803, connection endpoints for non-Enterprise editions + + **Applies to** + +- Windows 10 Home, version 1803 +- Windows 10 Professional, version 1803 +- Windows 10 Education, version 1803 + +In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1803. + +We used the following methodology to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Family + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ | HTTP | Enables connections to Windows Update. | +| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| arc.msn.com/v3/Delivery/Placement | HTTPS | Used to retrieve Windows Spotlight metadata. | +| client-office365-tas.msedge.net* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office. | +| config.edge.skype.com/config/* | HTTPS | Used to retrieve Skype configuration values. | +| ctldl.windowsupdate.com/msdownload/update* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. | +| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS). | +| fe2.update.microsoft.com* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| g.live.com/odclientsettings/Prod | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | +| ip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| licensing.mp.microsoft.com/v7.0/licenses/content | HTTPS | Used for online activation and some app licensing. | +| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | +| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application. | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocos-office365-s2s.msedge.net* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | +| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry | +| prod.nexusrules.live.com.akadns.net | HTTPS | Office Telemetry | +| query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ris.api.iris.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. | +| settings.data.microsoft.com/settings/v2.0/* | HTTPS | Used for Windows apps to dynamically update their configuration. | +| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration.  | +| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app | +| sls.update.microsoft.com* | HTTPS | Enables connections to Windows Update. | +| storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | +| storeedgefd.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. | +| tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| us.configsvc1.live.com.akadns.net | HTTPS | Microsoft Office configuration related traffic | +| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | +| wd-prod-cp-us-east-2-fe.eastus.cloudapp.azure.com | HTTPS | Azure front end traffic | + + +## Windows 10 Pro +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. | +| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | +| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. | +| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| flightingservicewus.cloudapp.net | HTTPS | Insider Program | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry | +| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic | + + +## Windows 10 Education + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. | +| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. | +| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. | +| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | +| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office. | +| cloudtile.photos.microsoft.com.akadns.net | HTTPS | Photos App in MS Store +| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  | +| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. | +| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. | +| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. | +| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| flightingservicewus.cloudapp.net | HTTPS | Insider Program | +| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. | +| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | +| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| onecollector.cloudapp.aria.akadns.net | HTTPS | Office telemetry | +| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | +| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app | +| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | +| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | +| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | +| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | +| wd-prod-cp-us-west-3-fe.westus.cloudapp.azure.com | HTTPS | Azure front end traffic | +| www.bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | diff --git a/windows/privacy/windows-personal-data-services-configuration.md b/windows/privacy/windows-personal-data-services-configuration.md index a5005057fc..0b5997a3eb 100644 --- a/windows/privacy/windows-personal-data-services-configuration.md +++ b/windows/privacy/windows-personal-data-services-configuration.md @@ -1,408 +1,408 @@ ---- -title: Windows 10 personal data services configuration -description: An overview of Windows 10 services configuration settings that are used for personal data privacy protection relevant for regulations, such as the General Data Protection Regulation (GDPR) -keywords: privacy, GDPR, windows, IT -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: high -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 05/11/2018 -ms.reviewer: ---- -# Windows 10 personal data services configuration - -Applies to: -- Windows 10, version 1803 - -Microsoft assembled a list of Windows 10 services configuration settings that are useful for personal data privacy protection and related regulations, such as the General Data Protection Regulation (GDPR). There is one section with settings for service data that is managed at Microsoft and a section for local data that is managed by an IT organization. - -IT Professionals that are interested in applying these settings via group policies can find the configuration for download [here](https://go.microsoft.com/fwlink/?linkid=874149). - -## Introduction - -Microsoft collects data from or generates it through interactions with users of Windows 10 devices. This information can contain personal data that may be used to provide, support, and improve Windows 10 services. - -Many Windows 10 services are controller services. A user can manage data collection settings, for example by opening *Start > Settings > Privacy* or by visiting the [Microsoft Privacy dashboard](https://account.microsoft.com/privacy). While this relationship between Microsoft and a user is evident in a consumer type scenario, an IT organization can influence that relationship. For example, the IT department has the ability to configure the Windows diagnostic data level across their organization by using Group Policy, registry, or Mobile Device Management (MDM) settings. - -Below is a collection of settings related to the Windows 10 personal data services configuration that IT Professionals can use as guidance for influencing Windows diagnostic data collection and personal data protection. - -## Windows diagnostic data - -Windows 10 collects Windows diagnostic data—such as usage data, performance data, inking, typing, and utterance data—and sends it back to Microsoft. That data is used for keeping the operating system secure and up-to-date, to troubleshoot problems, and to make product improvements. For users who have turned on "Tailored experiences", that data can also be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. - -The following options for configuring Windows diagnostic data are relevant in this context. - -### Diagnostic level - -This setting determines the amount of Windows diagnostic data sent to Microsoft. - ->[!NOTE] ->In Windows 10, version 1709, Microsoft introduced a new feature: “Limit Enhanced diagnostic data to the minimum required by Windows Analytics”. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by [Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics). For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). - -#### Group Policy - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | ->| **Policy Name** | Allow Telemetry | ->| **Default setting** | 2 - Enhanced | ->| **Recommended** | 2 - Enhanced | - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | ->| **Policy Name** | Allow Telemetry | ->| **Default setting** | 2 - Enhanced | ->| **Recommended** | 2 - Enhanced | - ->[!NOTE] ->When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used. - -#### Registry - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection | ->| **Value** | AllowTelemetry | ->| **Type** | REG_DWORD | ->| **Setting** | "00000002" | - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Registry key** | HKCU\Software\Policies\Microsoft\Windows\DataCollection | ->| **Value** | AllowTelemetry | ->| **Type** | REG_DWORD | ->| **Setting** | "00000002" | - -#### MDM - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **MDM CSP** | System | ->| **Policy** | AllowTelemetry (scope: device and user) | ->| **Default setting** | 2 – Enhanced | ->| **Recommended** | 2 – Allowed | - -### Diagnostic opt-in change notifications - -This setting determines whether a device shows notifications about Windows diagnostic data levels to people on first logon or when changes occur in the diagnostic configuration. - -#### Group Policy - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | ->| **Policy Name** | Configure telemetry opt-in change notifications | ->| **Default setting** | Enabled | ->| **Recommended** | Enabled | - -#### Registry - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection | ->| **Value** | DisableTelemetryOptInChangeNotification | ->| **Type** | REG_DWORD | ->| **Setting** | "00000000" | - -#### MDM - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **MDM CSP** | System | ->| **Policy** | ConfigureTelemetryOptInChangeNotification | ->| **Default setting** | 0 – Enabled | ->| **Recommended** | 0 – Enabled | - -### Configure telemetry opt-in setting user interface - -This setting determines whether people can change their own Windows diagnostic data level in *Start > Settings > Privacy > Diagnostics & feedback*. - -#### Group Policy - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | ->| **Policy Name** | Configure telemetry opt-in setting user interface | ->| **Default setting** | Enabled | ->| **Recommended** | Enabled | - -#### Registry - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection | ->| **Value** | DisableTelemetryOptInSettingsUx | ->| **Type** | REG_DWORD | ->| **Setting** | "00000001" | - -#### MDM - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **MDM CSP** | System | ->| **Policy** | ConfigureTelemetryOptInSettingsUx | ->| **Default setting** | 0 – Enabled | ->| **Recommended** | 0 – Enabled | - -## Policies affecting personal data protection managed by the Enterprise IT - -There are additional settings usually managed by the Enterprise IT that also affect the protection of personal data. - -The following options for configuring these policies are relevant in this context. - -### BitLocker - -The following settings determine whether fixed and removable drives are protected by the BitLocker Drive Encryption. - -#### Fixed Data Drives - -#### Group Policy - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Fixed Data Drives | ->| **Policy Name** | Deny write access to fixed drives not protected by BitLocker | ->| **Default setting** | Not configured | ->| **Recommended** | Enabled | - -#### Registry - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Registry key** | HKLM\System\CurrentControlSet\Policies\Microsoft\FVE | ->| **Value** | FDVDenyWriteAccess | ->| **Type** | REG_DWORD | ->| **Setting** | "00000001" | - -#### MDM - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **MDM CSP** | BitLocker | ->| **Policy** | FixedDrivesRequireEncryption | ->| **Default setting** | Disabled | ->| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#fixeddrivesrequireencryption)) | - -#### Removable Data Drives - -#### Group Policy - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Removable Data Drives | ->| **Policy Name** | Deny write access to removable drives not protected by BitLocker | ->| **Default setting** | Not configured | ->| **Recommended** | Enabled | - -#### Registry - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Registry key** | HKLM\System\CurrentControlSet\Policies\Microsoft\FVE | ->| **Value** | RDVDenyWriteAccess | ->| **Type** | REG_DWORD | ->| **Setting** | "00000001" | - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Registry key** | HKLM\Software\Policies\Microsoft\FVE | ->| **Value** | RDVDenyCrossOrg | ->| **Type** | REG_DWORD | ->| **Setting** | "00000000" | - -#### MDM - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **MDM CSP** | BitLocker | ->| **Policy** | RemovableDrivesRequireEncryption | ->| **Default setting** | Disabled | ->| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#removabledrivesrequireencryption)) | - -### Privacy – AdvertisingID - -This setting determines if the advertising ID, which preventing apps from using the ID for experiences across apps, is turned off. - -#### Group Policy - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Group Policy** | Computer Configuration\Administrative Templates\System\User Profiles | ->| **Policy Name** | Turn off the advertising ID | ->| **Default setting** | Not configured | ->| **Recommended** | Enabled | - -#### Registry - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo | ->| **Value** | DisabledByGroupPolicy | ->| **Type** | REG_DWORD | ->| **Setting** | "00000001" | - -#### MDM - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **MDM CSP** | Privacy | ->| **Policy** | DisableAdvertisingId | ->| **Default setting** | 65535 (default) - Not configured | ->| **Recommended** | 1 – Enabled | - -### Edge - -These settings whether employees send “Do Not Track” from the Microsoft Edge web browser to websites. - ->[!NOTE] ->Please see [this Microsoft blog post](https://blogs.microsoft.com/on-the-issues/2015/04/03/an-update-on-microsofts-approach-to-do-not-track/) for more details on why the “Do Not Track” is no longer the default setting. - -#### Group Policy - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge | ->| **Policy Name** | Configure Do Not Track | ->| **Default setting** | Disabled | ->| **Recommended** | Disabled | - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Microsoft Edge | ->| **Policy Name** | Configure Do Not Track | ->| **Default setting** | Disabled | ->| **Recommended** | Disabled | - -#### Registry - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Registry key** | HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main | ->| **Value** | DoNotTrack | ->| **Type** | REG_DWORD | ->| **Setting** | "00000000" | - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Registry key** | HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main | ->| **Value** | DoNotTrack | ->| **Type** | REG_DWORD | ->| **Setting** | "00000000" | - -#### MDM - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **MDM CSP** | Browser | ->| **Policy** | AllowDoNotTrack (scope: device + user) | ->| **Default setting** | 0 (default) – Not allowed | ->| **Recommended** | 0 – Not allowed | - -### Internet Explorer - -These settings whether employees send “Do Not Track” header from the Microsoft Explorer web browser to websites. - -#### Group Policy - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | ->| **Policy Name** | Always send Do Not Track header | ->| **Default setting** | Disabled | ->| **Recommended** | Disabled | - -> [!div class="mx-tableFixed"] ->||| ->|:-|:-| ->| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | ->| **Policy Name** | Always send Do Not Track header | ->| **Default setting** | Disabled | ->| **Recommended** | Disabled | - -#### Registry - -> [!div class="mx-tableFixed"] ->||| ->|:-|:-| ->| **Registry key** | HKLM\Software\Policies\Microsoft\Internet Explorer\Main | ->| **Value** | DoNotTrack | ->| **Type** | REG_DWORD | ->| **Setting** | "00000000" | - -> [!div class="mx-tableFixed"] ->||| ->|:-|:-| ->| **Registry key** | HKCU\Software\Policies\Microsoft\Internet Explorer\Main | ->| **Value** | DoNotTrack | ->| **Type** | REG_DWORD | ->| **Setting** | "00000000" | - -#### MDM - -> [!div class="mx-tableFixed"] ->||| ->|:-|:-| ->| **MDM CSP** | N/A | - -## Additional resources - -### FAQs - -* [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy) -* [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy) -* [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy) -* [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense) - -### Blogs - -* [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10) - -### Privacy Statement - -* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) - -### Windows Privacy on docs.microsoft.com - -* [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) -* [Manage Windows 10 connection endpoints](manage-windows-endpoints.md) -* [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data) -* [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) - -### Other resources - -* [Privacy at Microsoft](https://privacy.microsoft.com/) +--- +title: Windows 10 personal data services configuration +description: An overview of Windows 10 services configuration settings that are used for personal data privacy protection relevant for regulations, such as the General Data Protection Regulation (GDPR) +keywords: privacy, GDPR, windows, IT +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: high +audience: ITPro +author: dansimp +ms.author: dansimp +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 05/11/2018 +ms.reviewer: +--- +# Windows 10 personal data services configuration + +Applies to: +- Windows 10, version 1803 + +Microsoft assembled a list of Windows 10 services configuration settings that are useful for personal data privacy protection and related regulations, such as the General Data Protection Regulation (GDPR). There is one section with settings for service data that is managed at Microsoft and a section for local data that is managed by an IT organization. + +IT Professionals that are interested in applying these settings via group policies can find the configuration for download [here](https://go.microsoft.com/fwlink/?linkid=874149). + +## Introduction + +Microsoft collects data from or generates it through interactions with users of Windows 10 devices. This information can contain personal data that may be used to provide, support, and improve Windows 10 services. + +Many Windows 10 services are controller services. A user can manage data collection settings, for example by opening *Start > Settings > Privacy* or by visiting the [Microsoft Privacy dashboard](https://account.microsoft.com/privacy). While this relationship between Microsoft and a user is evident in a consumer type scenario, an IT organization can influence that relationship. For example, the IT department has the ability to configure the Windows diagnostic data level across their organization by using Group Policy, registry, or Mobile Device Management (MDM) settings. + +Below is a collection of settings related to the Windows 10 personal data services configuration that IT Professionals can use as guidance for influencing Windows diagnostic data collection and personal data protection. + +## Windows diagnostic data + +Windows 10 collects Windows diagnostic data—such as usage data, performance data, inking, typing, and utterance data—and sends it back to Microsoft. That data is used for keeping the operating system secure and up-to-date, to troubleshoot problems, and to make product improvements. For users who have turned on "Tailored experiences", that data can also be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. + +The following options for configuring Windows diagnostic data are relevant in this context. + +### Diagnostic level + +This setting determines the amount of Windows diagnostic data sent to Microsoft. + +>[!NOTE] +>In Windows 10, version 1709, Microsoft introduced a new feature: “Limit Enhanced diagnostic data to the minimum required by Windows Analytics”. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by [Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics). For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). + +#### Group Policy + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | +>| **Policy Name** | Allow Telemetry | +>| **Default setting** | 2 - Enhanced | +>| **Recommended** | 2 - Enhanced | + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | +>| **Policy Name** | Allow Telemetry | +>| **Default setting** | 2 - Enhanced | +>| **Recommended** | 2 - Enhanced | + +>[!NOTE] +>When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used. + +#### Registry + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection | +>| **Value** | AllowTelemetry | +>| **Type** | REG_DWORD | +>| **Setting** | "00000002" | + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKCU\Software\Policies\Microsoft\Windows\DataCollection | +>| **Value** | AllowTelemetry | +>| **Type** | REG_DWORD | +>| **Setting** | "00000002" | + +#### MDM + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **MDM CSP** | System | +>| **Policy** | AllowTelemetry (scope: device and user) | +>| **Default setting** | 2 – Enhanced | +>| **Recommended** | 2 – Allowed | + +### Diagnostic opt-in change notifications + +This setting determines whether a device shows notifications about Windows diagnostic data levels to people on first logon or when changes occur in the diagnostic configuration. + +#### Group Policy + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | +>| **Policy Name** | Configure telemetry opt-in change notifications | +>| **Default setting** | Enabled | +>| **Recommended** | Enabled | + +#### Registry + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection | +>| **Value** | DisableTelemetryOptInChangeNotification | +>| **Type** | REG_DWORD | +>| **Setting** | "00000000" | + +#### MDM + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **MDM CSP** | System | +>| **Policy** | ConfigureTelemetryOptInChangeNotification | +>| **Default setting** | 0 – Enabled | +>| **Recommended** | 0 – Enabled | + +### Configure telemetry opt-in setting user interface + +This setting determines whether people can change their own Windows diagnostic data level in *Start > Settings > Privacy > Diagnostics & feedback*. + +#### Group Policy + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | +>| **Policy Name** | Configure telemetry opt-in setting user interface | +>| **Default setting** | Enabled | +>| **Recommended** | Enabled | + +#### Registry + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection | +>| **Value** | DisableTelemetryOptInSettingsUx | +>| **Type** | REG_DWORD | +>| **Setting** | "00000001" | + +#### MDM + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **MDM CSP** | System | +>| **Policy** | ConfigureTelemetryOptInSettingsUx | +>| **Default setting** | 0 – Enabled | +>| **Recommended** | 0 – Enabled | + +## Policies affecting personal data protection managed by the Enterprise IT + +There are additional settings usually managed by the Enterprise IT that also affect the protection of personal data. + +The following options for configuring these policies are relevant in this context. + +### BitLocker + +The following settings determine whether fixed and removable drives are protected by the BitLocker Drive Encryption. + +#### Fixed Data Drives + +#### Group Policy + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Fixed Data Drives | +>| **Policy Name** | Deny write access to fixed drives not protected by BitLocker | +>| **Default setting** | Not configured | +>| **Recommended** | Enabled | + +#### Registry + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\System\CurrentControlSet\Policies\Microsoft\FVE | +>| **Value** | FDVDenyWriteAccess | +>| **Type** | REG_DWORD | +>| **Setting** | "00000001" | + +#### MDM + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **MDM CSP** | BitLocker | +>| **Policy** | FixedDrivesRequireEncryption | +>| **Default setting** | Disabled | +>| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#fixeddrivesrequireencryption)) | + +#### Removable Data Drives + +#### Group Policy + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Removable Data Drives | +>| **Policy Name** | Deny write access to removable drives not protected by BitLocker | +>| **Default setting** | Not configured | +>| **Recommended** | Enabled | + +#### Registry + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\System\CurrentControlSet\Policies\Microsoft\FVE | +>| **Value** | RDVDenyWriteAccess | +>| **Type** | REG_DWORD | +>| **Setting** | "00000001" | + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\Software\Policies\Microsoft\FVE | +>| **Value** | RDVDenyCrossOrg | +>| **Type** | REG_DWORD | +>| **Setting** | "00000000" | + +#### MDM + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **MDM CSP** | BitLocker | +>| **Policy** | RemovableDrivesRequireEncryption | +>| **Default setting** | Disabled | +>| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#removabledrivesrequireencryption)) | + +### Privacy – AdvertisingID + +This setting determines if the advertising ID, which preventing apps from using the ID for experiences across apps, is turned off. + +#### Group Policy + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\System\User Profiles | +>| **Policy Name** | Turn off the advertising ID | +>| **Default setting** | Not configured | +>| **Recommended** | Enabled | + +#### Registry + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo | +>| **Value** | DisabledByGroupPolicy | +>| **Type** | REG_DWORD | +>| **Setting** | "00000001" | + +#### MDM + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **MDM CSP** | Privacy | +>| **Policy** | DisableAdvertisingId | +>| **Default setting** | 65535 (default) - Not configured | +>| **Recommended** | 1 – Enabled | + +### Edge + +These settings whether employees send “Do Not Track” from the Microsoft Edge web browser to websites. + +>[!NOTE] +>Please see [this Microsoft blog post](https://blogs.microsoft.com/on-the-issues/2015/04/03/an-update-on-microsofts-approach-to-do-not-track/) for more details on why the “Do Not Track” is no longer the default setting. + +#### Group Policy + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge | +>| **Policy Name** | Configure Do Not Track | +>| **Default setting** | Disabled | +>| **Recommended** | Disabled | + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Microsoft Edge | +>| **Policy Name** | Configure Do Not Track | +>| **Default setting** | Disabled | +>| **Recommended** | Disabled | + +#### Registry + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main | +>| **Value** | DoNotTrack | +>| **Type** | REG_DWORD | +>| **Setting** | "00000000" | + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main | +>| **Value** | DoNotTrack | +>| **Type** | REG_DWORD | +>| **Setting** | "00000000" | + +#### MDM + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **MDM CSP** | Browser | +>| **Policy** | AllowDoNotTrack (scope: device + user) | +>| **Default setting** | 0 (default) – Not allowed | +>| **Recommended** | 0 – Not allowed | + +### Internet Explorer + +These settings whether employees send “Do Not Track” header from the Microsoft Explorer web browser to websites. + +#### Group Policy + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | +>| **Policy Name** | Always send Do Not Track header | +>| **Default setting** | Disabled | +>| **Recommended** | Disabled | + +> [!div class="mx-tableFixed"] +>||| +>|:-|:-| +>| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | +>| **Policy Name** | Always send Do Not Track header | +>| **Default setting** | Disabled | +>| **Recommended** | Disabled | + +#### Registry + +> [!div class="mx-tableFixed"] +>||| +>|:-|:-| +>| **Registry key** | HKLM\Software\Policies\Microsoft\Internet Explorer\Main | +>| **Value** | DoNotTrack | +>| **Type** | REG_DWORD | +>| **Setting** | "00000000" | + +> [!div class="mx-tableFixed"] +>||| +>|:-|:-| +>| **Registry key** | HKCU\Software\Policies\Microsoft\Internet Explorer\Main | +>| **Value** | DoNotTrack | +>| **Type** | REG_DWORD | +>| **Setting** | "00000000" | + +#### MDM + +> [!div class="mx-tableFixed"] +>||| +>|:-|:-| +>| **MDM CSP** | N/A | + +## Additional resources + +### FAQs + +* [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy) +* [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy) +* [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy) +* [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense) + +### Blogs + +* [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10) + +### Privacy Statement + +* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) + +### Windows Privacy on docs.microsoft.com + +* [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) +* [Manage Windows 10 connection endpoints](manage-windows-endpoints.md) +* [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data) +* [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) + +### Other resources + +* [Privacy at Microsoft](https://privacy.microsoft.com/) diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml index 9619ecc9de..92d6817a3d 100644 --- a/windows/release-information/windows-message-center.yml +++ b/windows/release-information/windows-message-center.yml @@ -107,7 +107,7 @@ If you are still unable to connect to Windows Update services due to this proble
Driver quality in the Windows ecosystem
Ensuring Windows 10 works great with all the devices and accessories our customers use is a top priority. We work closely with this broad mix of partners to test new drivers, monitor health characteristics over time, and make Windows and our ecosystem more resilient architecturally. Our goal is to ensure that all the updates and drivers we deliver to non-Insider populations are validated and at production quality (including monthly optional releases) before pushing drivers broadly to all. Explore the driver distribution chain and learn how we measure driver quality and prevent conflicts.		December 19, 2018
10:04 AM PT
Introducing the Modern Desktop podcast series
In this new podcast series, we'll explore the good, the bad, and, yes, the ugly of servicing and delivery for Windows 10 and Office 365 ProPlus. We'll talk about modern desktop management through Enterprise Mobility, security, and cloud-attached and co-managed environments. Listen to the first episode, in which we discuss monthly quality updates fpr Windows 10, the Microsoft 365 Stay Current pilot program, and interview a real customer to see how they ingest monthly updates in their organization.		December 18, 2018
01:00 PM PT
Measuring Delivery Optimization and its impact to your network
If you've familiarized yourself with the configuration options for Delivery Optimization in Windows 10, and have started to configure the settings you feel will be the best fit for your organization’s network topology, now is the time to see how well those settings are working. This article provides tips on how evaluate performance at the device level or organization level.		December 13, 2018
03:48 PM PT
Windows monthly security and quality updates overview
Today’s global cybersecurity threats are both dynamic and sophisticated, and new vulnerabilities are discovered almost every day. We focus on protecting customers from these security threats by providing security updates on a timely basis and with high quality. Find out how how we deliver these critical updates on a massive scale as a key component of our ongoing Windows as a service effort.		December 10, 2018
10:00 AM PT
Windows monthly security and quality updates overview
Today’s global cybersecurity threats are both dynamic and sophisticated, and new vulnerabilities are discovered almost every day. We focus on protecting customers from these security threats by providing security updates on a timely basis and with high quality. Find out how we deliver these critical updates on a massive scale as a key component of our ongoing Windows as a service effort.		December 10, 2018
10:00 AM PT
LTSC: What is it, and when should it be used?
With the Semi-Annual Channel, devices receive two feature updates per year, and benefit from the best performance, user experience, security, and stability. This servicing option continues to be our recommendation for managing Windows 10 updates; however, we acknowledge that certain devices and use cases (e.g. medical systems and industrial process controllers) dictate that functionality and features don’t change over time. Find out how we designed the Long-Term Servicing Channel (LTSC) with these types of use cases in mind, and what is offered through the LTSC.		November 29, 2018
07:02 PM PT
Plan for change: Local Experience Packs: What are they and when should you use them?
When we released Windows 10, version 1803, we introduced Local Experience Packs (LXPs), which are modern language packs delivered through the Microsoft Store or Microsoft Store for Business. Learn about the biggest advantage to LXPs, and the retirement of legacy language packs (lp.cab) for all Language Interface Packs (LIP).		November 14, 2018
11:10 AM PT
Windows 10 Quality approach for a complex ecosystem
While our measurements of quality show improving trends on aggregate for each successive Windows 10 release, if a single customer experiences an issue with any of our updates, we take it seriously. In this blog post, Windows CVP Mike Fortin shares an overview of how we work to continuously improve the quality of Windows and our Windows as a service approach. This blog will be the first in a series of more in-depth explanations of the work we do to deliver quality in our Windows releases.		November 13, 2018
10:00 AM PT

Well-Known SID/RID

S-1-5-21-<domain>-553

S-1-5-32-<domain>-576

Type

------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.15063#3095

FIPS Approved algorithms: AES (Cert. #4624); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2522); SHS (Cert. #3790); Triple-DES (Cert. #2459)
-
-Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

-

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #1278)

Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.15063#3094

#3094

-

FIPS Approved algorithms: AES (Certs. #4624 and #4626); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2523); SHS (Cert. #3790); Triple-DES (Cert. #2459)
-
-Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

-

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert.#1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert.#2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert.#1281)

Boot Manager10.0.15063#3089

FIPS Approved algorithms: AES (Certs. #4624 and #4625); CKG (vendor affirmed); HMAC (Cert. #3061); PBKDF (vendor affirmed); RSA (Cert. #2523); SHS (Cert. #3790)

-

Other algorithms: PBKDF (vendor affirmed); VMK KDF (vendor affirmed)

Windows OS Loader10.0.15063#3090

FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)

-

Other algorithms: NDRNG

Windows Resume[1]10.0.15063#3091FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)
BitLocker® Dump Filter[2]10.0.15063#3092FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2522); SHS (Cert. #3790)
Code Integrity (ci.dll)10.0.15063#3093

FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

-

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

Secure Kernel Code Integrity (skci.dll)[3]10.0.15063#3096

FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

-

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

- - -\[1\] Applies only to Home, Pro, Enterprise, Education and S - -\[2\] Applies only to Pro, Enterprise, Education, S, Mobile and Surface Hub - -\[3\] Applies only to Pro, Enterprise Education and S - -##### Windows 10 Anniversary Update (Version 1607) - -Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.14393#2937

FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
-
-Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

-

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886)

Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.14393#2936

FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
-
-Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

-

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887)

Boot Manager10.0.14393#2931

FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

-

Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

BitLocker® Windows OS Loader (winload)10.0.14393#2932FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: NDRNG; MD5
BitLocker® Windows Resume (winresume)[1]10.0.14393#2933FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)[2]10.0.14393#2934FIPS Approved algorithms: AES (Certs. #4061 and #4064)
Code Integrity (ci.dll)10.0.14393#2935

FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: AES (non-compliant); MD5

-

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

Secure Kernel Code Integrity (skci.dll)[3]10.0.14393#2938

FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
-
-Other algorithms: MD5

-

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

- - -\[1\] Applies only to Home, Pro, Enterprise and Enterprise LTSB - -\[2\] Applies only to Pro, Enterprise, Enterprise LTSB and Mobile - -\[3\] Applies only to Pro, Enterprise and Enterprise LTSB - -##### Windows 10 November 2015 Update (Version 1511) - -Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.10586#2606

FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
-
-Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

-

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664)

Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.10586#2605

FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs.  #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
-
-Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

-

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663)

Boot Manager[4]10.0.10586#2700FIPS Approved algorithms: AES (Certs. #3653); HMAC (Cert. #2381); PBKDF (vendor affirmed); RSA (Cert. #1871); SHS (Certs. #3047 and #3048)
-
-Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
BitLocker® Windows OS Loader (winload)[5]10.0.10586#2701FIPS Approved algorithms: AES (Certs. #3629 and #3653); RSA (Cert. #1871); SHS (Cert. #3048)
-
-Other algorithms: MD5; NDRNG
BitLocker® Windows Resume (winresume)[6]10.0.10586#2702FIPS Approved algorithms: AES (Certs. #3653); RSA (Cert. #1871); SHS (Cert. #3048)
-
-Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)[7]10.0.10586#2703FIPS Approved algorithms: AES (Certs. #3653)
Code Integrity (ci.dll)10.0.10586#2604

FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
-
-Other algorithms: AES (non-compliant); MD5

-

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

Secure Kernel Code Integrity (skci.dll)[8]10.0.10586#2607

FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
-
-Other algorithms: MD5

-

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

- - -\[4\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub - -\[5\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub - -\[6\] Applies only to Home, Pro and Enterprise - -\[7\] Applies only to Pro, Enterprise, Mobile and Surface Hub - -\[8\] Applies only to Enterprise and Enterprise LTSB - -##### Windows 10 (Version 1507) - -Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Hub - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.10240#2606

FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
-
-Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

-

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575)

Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.10240#2605

FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
-
-Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

-

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576)

Boot Manager[9]10.0.10240#2600FIPS Approved algorithms: AES (Cert. #3497); HMAC (Cert. #2233); KTS (AES Cert. #3498); PBKDF (vendor affirmed); RSA (Cert. #1784); SHS (Certs. #2871 and #2886)
-
-Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
BitLocker® Windows OS Loader (winload)[10]10.0.10240#2601FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
-
-Other algorithms: MD5; NDRNG
BitLocker® Windows Resume (winresume)[11]10.0.10240#2602FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
-
-Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)[12]10.0.10240#2603FIPS Approved algorithms: AES (Certs. #3497 and #3498)
Code Integrity (ci.dll)10.0.10240#2604

FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
-
-Other algorithms: AES (non-compliant); MD5

-

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

Secure Kernel Code Integrity (skci.dll)[13]10.0.10240#2607

FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
-
-Other algorithms: MD5

-

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

- - -\[9\] Applies only to Home, Pro, Enterprise and Enterprise LTSB - -\[10\] Applies only to Home, Pro, Enterprise and Enterprise LTSB - -\[11\] Applies only to Home, Pro, Enterprise and Enterprise LTSB - -\[12\] Applies only to Pro, Enterprise and Enterprise LTSB - -\[13\] Applies only to Enterprise and Enterprise LTSB - -##### Windows 8.1 - -Validated Editions: RT, Pro, Enterprise, Phone, Embedded - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)6.3.9600 6.3.9600.17031#2357

FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
-
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

-

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323)

Kernel Mode Cryptographic Primitives Library (cng.sys)6.3.9600 6.3.9600.17042#2356

FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
-
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

-

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

Boot Manager6.3.9600 6.3.9600.17031#2351FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
-
-Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
BitLocker® Windows OS Loader (winload)6.3.9600 6.3.9600.17031#2352FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
-
-Other algorithms: MD5; NDRNG
BitLocker® Windows Resume (winresume)[14]6.3.9600 6.3.9600.17031#2353FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
-
-Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)6.3.9600 6.3.9600.17031#2354FIPS Approved algorithms: AES (Cert. #2832)
-
-Other algorithms: N/A
Code Integrity (ci.dll)6.3.9600 6.3.9600.17031#2355#2355

FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
-
-Other algorithms: MD5

-

Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

- - -\[14\] Applies only to Pro, Enterprise, and Embedded 8. - -##### Windows 8 - -Validated Editions: RT, Home, Pro, Enterprise, Phone - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)6.2.9200#1892FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
-
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert. ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
-
-
Kernel Mode Cryptographic Primitives Library (cng.sys)6.2.9200#1891FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
-
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RNG (Cert. ); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
-
-Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
Boot Manager6.2.9200#1895FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5
BitLocker® Windows OS Loader (WINLOAD)6.2.9200#1896FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG
BitLocker® Windows Resume (WINRESUME)[15]6.2.9200#1898FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5
BitLocker® Dump Filter (DUMPFVE.SYS)6.2.9200#1899FIPS Approved algorithms: AES (Certs. #2196 and #2198)
-
-Other algorithms: N/A
Code Integrity (CI.DLL)6.2.9200#1897FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.2.9200#1893FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert. ); Triple-DES MAC (Triple-DES Cert. , vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. , key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Enhanced Cryptographic Provider (RSAENH.DLL)6.2.9200#1894FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
-
-Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
- - -\[15\] Applies only to Home and Pro - -**Windows 7** - -Validated Editions: Windows 7, Windows 7 SP1 - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)

6.1.7600.16385

-

6.1.7601.17514

1329FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); DSA (Cert. #386); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
-
-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and ); SHS (Cert. ); Triple-DES (Cert. )
-
-Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
Kernel Mode Cryptographic Primitives Library (cng.sys)

6.1.7600.16385

-

6.1.7600.16915

-

6.1.7600.21092

-

6.1.7601.17514

-

6.1.7601.17725

-

6.1.7601.17919

-

6.1.7601.21861

-

6.1.7601.22076

1328FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
-
-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
Boot Manager

6.1.7600.16385

-

6.1.7601.17514

1319FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #557); SHS (Cert. #1081)
-
-Other algorithms: MD5#1168 and ); HMAC (Cert. ); RSA (Cert. ); SHS (Cert. )
-
-Other algorithms: MD5
Winload OS Loader (winload.exe)

6.1.7600.16385

-

6.1.7600.16757

-

6.1.7600.20897

-

6.1.7600.20916

-

6.1.7601.17514

-

6.1.7601.17556

-

6.1.7601.21655

-

6.1.7601.21675

1326FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #557); SHS (Cert. #1081)
-
-Other algorithms: MD5
BitLocker™ Drive Encryption

6.1.7600.16385

-

6.1.7600.16429

-

6.1.7600.16757

-

6.1.7600.20536

-

6.1.7600.20873

-

6.1.7600.20897

-

6.1.7600.20916

-

6.1.7601.17514

-

6.1.7601.17556

-

6.1.7601.21634

-

6.1.7601.21655

-

6.1.7601.21675

1332FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
-
-Other algorithms: Elephant Diffuser
Code Integrity (CI.DLL)

6.1.7600.16385

-

6.1.7600.17122

-

6.1.7600.21320

-

6.1.7601.17514

-

6.1.7601.17950

-

6.1.7601.22108

1327FIPS Approved algorithms: RSA (Cert. #557); SHS (Cert. #1081)
-
-Other algorithms: MD5
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.1.7600.16385
-(no change in SP1)		1331FIPS Approved algorithms: DSA (Cert. #385); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4
Enhanced Cryptographic Provider (RSAENH.DLL)6.1.7600.16385
-(no change in SP1)		1330FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #673); SHS (Cert. #1081); RSA (Certs. #557 and #559); Triple-DES (Cert. #846)
-
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256-bits of encryption strength; non-compliant less than 112 bits of encryption strength)
- - -##### Windows Vista SP1 - -Validated Editions: Ultimate Edition - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Boot Manager (bootmgr)6.0.6001.18000 and 6.0.6002.18005978FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #354); SHS (Cert. #753)
Winload OS Loader (winload.exe)6.0.6001.18000, 6.0.6001.18027, 6.0.6001.18606, 6.0.6001.22125, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411 and 6.0.6002.22596979FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #354); SHS (Cert. #753)
-
-Other algorithms: MD5
Code Integrity (ci.dll)6.0.6001.18000, 6.0.6001.18023, 6.0.6001.22120, and 6.0.6002.18005980FIPS Approved algorithms: RSA (Cert. #354); SHS (Cert. #753)
-
-Other algorithms: MD5
Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228691000

FIPS Approved algorithms: AES (Certs. #739 and #756); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)#739 and ); ECDSA (Cert. ); HMAC (Cert. ); RNG (Cert.  and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )

-

Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

Cryptographic Primitives Library (bcrypt.dll)6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228721001

FIPS Approved algorithms: AES (Certs. #739 and #756); DSA (Cert. #283); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90, vendor affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)

-

Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)

Enhanced Cryptographic Provider (RSAENH)6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.180051002

FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #407); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #354); SHS (Cert. #753); Triple-DES (Cert. #656)

-

Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051003

FIPS Approved algorithms: DSA (Cert. #281); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)

-

Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4

- - -##### Windows Vista - -Validated Editions: Ultimate Edition - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Enhanced Cryptographic Provider (RSAENH)6.0.6000.16386893FIPS Approved algorithms: AES (Cert. #553); HMAC (Cert. #297); RNG (Cert. #321); RSA (Certs. #255 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
-
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6000.16386894FIPS Approved algorithms: DSA (Cert. #226); RNG (Cert. #321); SHS (Cert. #618); Triple-DES (Cert. #549); Triple-DES MAC (Triple-DES Cert. #549, vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
BitLocker™ Drive Encryption6.0.6000.16386947FIPS Approved algorithms: AES (Cert. #715); HMAC (Cert. #386); SHS (Cert. #737)
-
-Other algorithms: Elephant Diffuser
Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067891FIPS Approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
-
-Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5
- - -##### Windows XP SP3 - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)5.1.2600.5512997

FIPS Approved algorithms: HMAC (Cert. #429); RNG (Cert. #449); SHS (Cert. #785); Triple-DES (Cert. #677); Triple-DES MAC (Triple-DES Cert. #677, vendor affirmed)

-

Other algorithms: DES; MD5; HMAC MD5

Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.1.2600.5507990

FIPS Approved algorithms: DSA (Cert. #292); RNG (Cert. #448); SHS (Cert. #784); Triple-DES (Cert. #676); Triple-DES MAC (Triple-DES Cert. #676, vendor affirmed)

-

Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4

Enhanced Cryptographic Provider (RSAENH)5.1.2600.5507989

FIPS Approved algorithms: AES (Cert. #781); HMAC (Cert. #428); RNG (Cert. #447); RSA (Cert. #371); SHS (Cert. #783); Triple-DES (Cert. #675); Triple-DES MAC (Triple-DES Cert. #675, vendor affirmed)

-

Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits)

- - -##### Windows XP SP2 - - ------ - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
DSS/Diffie-Hellman Enhanced Cryptographic Provider5.1.2600.2133240

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #29)

-

Other algorithms: DES (Cert. #66); RC2; RC4; MD5; DES40; Diffie-Hellman (key agreement)

Microsoft Enhanced Cryptographic Provider5.1.2600.2161238

FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

-

Other algorithms: DES (Cert. #156); RC2; RC4; MD5

- - -##### Windows XP SP1 - - ------ - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Microsoft Enhanced Cryptographic Provider5.1.2600.1029238

FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

-

Other algorithms: DES (Cert. #156); RC2; RC4; MD5

- - -##### Windows XP - - ------ - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module5.1.2600.0241

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #35); HMAC-SHA-1 (Cert. #35, vendor affirmed)

-

Other algorithms: DES (Cert. #89)

- - -##### Windows 2000 SP3 - - ------ - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)5.0.2195.1569106

FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

-

Other algorithms: DES (Certs. #89)

Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

(Base DSS: 5.0.2195.3665 [SP3])

-

(Base: 5.0.2195.3839 [SP3])

-

(DSS/DH Enh: 5.0.2195.3665 [SP3])

-

(Enh: 5.0.2195.3839 [SP3]

103

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

-

Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

- - -##### Windows 2000 SP2 - - ------ - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)5.0.2195.1569106

FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

-

Other algorithms: DES (Certs. #89)

Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

(Base DSS:

-

5.0.2195.2228 [SP2])

-

(Base:

-

5.0.2195.2228 [SP2])

-

(DSS/DH Enh:

-

5.0.2195.2228 [SP2])

-

(Enh:

-

5.0.2195.2228 [SP2])

103

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

-

Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

- - -##### Windows 2000 SP1 - - ------ - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

(Base DSS: 5.0.2150.1391 [SP1])

-

(Base: 5.0.2150.1391 [SP1])

-

(DSS/DH Enh: 5.0.2150.1391 [SP1])

-

(Enh: 5.0.2150.1391 [SP1])

103

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

-

Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

- - -##### Windows 2000 - - ------ - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enchanced Cryptographic Provider, and Enhanced Cryptographic Provider5.0.2150.176

FIPS Approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. #28 and 29); RSA (vendor affirmed)

-

Other algorithms: DES (Certs. #65, 66, 67 and 68); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

- - -##### Windows 95 and Windows 98 - - ------ - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enchanced Cryptographic Provider, and Enhanced Cryptographic Provider5.0.1877.6 and 5.0.1877.775

FIPS Approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor- affirmed)

-

Other algorithms: DES (Certs. #61, 62, 63 and 64); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

- - -##### Windows NT 4.0 - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Base Cryptographic Provider5.0.1877.6 and 5.0.1877.768FIPS Approved algorithms: SHA-1 (Certs. #20 and 21); DSA/SHA- 1 (Certs. #25 and 26); RSA (vendor affirmed)
-
-Other algorithms: DES (Certs. #61, 62, 63 and 64); Triple-DES (allowed for US and Canadian Government use); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)
- - -#### Windows Server - -##### Windows Server 2016 - -Validated Editions: Standard, Datacenter, Storage Server - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.143932937FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
-
-Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.143932936FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
-
-Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
Boot Manager10.0.143932931

FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

-

Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

BitLocker® Windows OS Loader (winload)10.0.143932932FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: NDRNG; MD5
BitLocker® Windows Resume (winresume)10.0.143932933FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)10.0.143932934FIPS Approved algorithms: AES (Certs. #4061 and #4064)
Code Integrity (ci.dll)10.0.143932935FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: AES (non-compliant); MD5
Secure Kernel Code Integrity (skci.dll)10.0.143932938FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
-
-Other algorithms: MD5
- - -##### Windows Server 2012 R2 - -Validated Editions: Server, Storage Server, - -**StorSimple 8000 Series, Azure StorSimple Virtual Array Windows Server 2012 R2** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)6.3.9600 6.3.9600.170312357FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
-
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
Kernel Mode Cryptographic Primitives Library (cng.sys)6.3.9600 6.3.9600.170422356FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
-
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
Boot Manager6.3.9600 6.3.9600.170312351FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
-
-Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
BitLocker® Windows OS Loader (winload)6.3.9600 6.3.9600.170312352FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
-
-Other algorithms: MD5; NDRNG
BitLocker® Windows Resume (winresume)[16]6.3.9600 6.3.9600.170312353FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
-
-Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)[17]6.3.9600 6.3.9600.170312354FIPS Approved algorithms: AES (Cert. #2832)
-
-Other algorithms: N/A
Code Integrity (ci.dll)6.3.9600 6.3.9600.170312355FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
-
-Other algorithms: MD5
- - -\[16\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** - -\[17\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** - -**Windows Server 2012** - -Validated Editions: Server, Storage Server - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)6.2.92001892FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
-
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert. ); HMAC (Cert. #); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
-
-Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
Kernel Mode Cryptographic Primitives Library (cng.sys)6.2.92001891FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
-
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
-
-Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
Boot Manager6.2.92001895FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5
BitLocker® Windows OS Loader (WINLOAD)6.2.92001896FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG
BitLocker® Windows Resume (WINRESUME)6.2.92001898FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5
BitLocker® Dump Filter (DUMPFVE.SYS)6.2.92001899FIPS Approved algorithms: AES (Certs. #2196 and #2198)
-
-Other algorithms: N/A
Code Integrity (CI.DLL)6.2.92001897FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.2.92001893FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Enhanced Cryptographic Provider (RSAENH.DLL)6.2.92001894FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
-
-Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
- - -##### Windows Server 2008 R2 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Boot Manager (bootmgr)6.1.7600.16385 or 6.1.7601.175146.1.7600.16385 or 6.1.7601.175141321FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #568); SHS (Cert. #1081)
-
-Other algorithms: MD5
Winload OS Loader (winload.exe)6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216756.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216751333FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
-
-Other algorithms: MD5
Code Integrity (ci.dll)6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221086.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221081334FIPS Approved algorithms: RSA (Cert. #568); SHS (Cert. #1081)
-
-Other algorithms: MD5
Kernel Mode Cryptographic Primitives Library (cng.sys)6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220766.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220761335FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
-
--Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
Cryptographic Primitives Library (bcryptprimitives.dll)66.1.7600.16385 or 6.1.7601.1751466.1.7600.16385 or 6.1.7601.175141336FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); DSA (Cert. #391); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
-
-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4
Enhanced Cryptographic Provider (RSAENH)6.1.7600.163851337FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #687); SHS (Cert. #1081); RSA (Certs. #559 and #568); Triple-DES (Cert. #846)
-
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.1.7600.163851338FIPS Approved algorithms: DSA (Cert. #390); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4
BitLocker™ Drive Encryption6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216756.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216751339FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
-
-Other algorithms: Elephant Diffuser
- - -##### Windows Server 2008 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Boot Manager (bootmgr)6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224976.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224971004FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #355); SHS (Cert. #753)
-
-Other algorithms: N/A
Winload OS Loader (winload.exe)6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225966.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225961005FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
-
-Other algorithms: MD5
Code Integrity (ci.dll)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051006FIPS Approved algorithms: RSA (Cert. #355); SHS (Cert. #753)
-
-Other algorithms: MD5
Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228691007FIPS Approved algorithms: AES (Certs. #739 and #757); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
-
-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert. ); RNG (Cert.  and SP800-90 AES-CTR, vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
-
-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Cryptographic Primitives Library (bcrypt.dll)6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228721008FIPS Approved algorithms: AES (Certs. #739 and #757); DSA (Cert. #284); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
-
-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051009FIPS Approved algorithms: DSA (Cert. #282); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
-
--Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
Enhanced Cryptographic Provider (RSAENH)6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.180051010FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)
-
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
- - -##### Windows Server 2003 SP2 - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.3959875

FIPS Approved algorithms: DSA (Cert. #221); RNG (Cert. #314); RSA (Cert. #245); SHS (Cert. #611); Triple-DES (Cert. #543)

-

Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4

Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.3959869

FIPS Approved algorithms: HMAC (Cert. #287); RNG (Cert. #313); SHS (Cert. #610); Triple-DES (Cert. #542)

-

Other algorithms: DES; HMAC-MD5

Enhanced Cryptographic Provider (RSAENH)5.2.3790.3959868

FIPS Approved algorithms: AES (Cert. #548); HMAC (Cert. #289); RNG (Cert. #316); RSA (Cert. #245); SHS (Cert. #613); Triple-DES (Cert. #544)

-

Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

- - -##### Windows Server 2003 SP1 - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.1830 [SP1]405

FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

-

Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

-

[1] x86
-[2] SP1 x86, x64, IA64

Enhanced Cryptographic Provider (RSAENH)5.2.3790.1830 [Service Pack 1])382

FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

-

Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

-

[1] x86
-[2] SP1 x86, x64, IA64

Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.1830 [Service Pack 1]381

FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

-

Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

-

[1] x86
-[2] SP1 x86, x64, IA64

- - -##### Windows Server 2003 - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.0405

FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

-

Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

-

[1] x86
-[2] SP1 x86, x64, IA64

Enhanced Cryptographic Provider (RSAENH)5.2.3790.0382

FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

-

Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

-

[1] x86
-[2] SP1 x86, x64, IA64

Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.0381

FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

-

Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

-

[1] x86
-[2] SP1 x86, x64, IA64

- - -#### Other Products - -##### Windows Embedded Compact 7 and Windows Embedded Compact 8 - - ------ - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Enhanced Cryptographic Provider7.00.2872 [1] and 8.00.6246 [2]2957

FIPS Approved algorithms: AES (Certs.#4433and#4434); CKG (vendor affirmed); DRBG (Certs.#1432and#1433); HMAC (Certs.#2946and#2945); RSA (Certs.#2414and#2415); SHS (Certs.#3651and#3652); Triple-DES (Certs.#2383and#2384)

-

Allowed algorithms: HMAC-MD5; MD5; NDRNG

Cryptographic Primitives Library (bcrypt.dll)7.00.2872 [1] and 8.00.6246 [2]2956

FIPS Approved algorithms: AES (Certs.#4430and#4431); CKG (vendor affirmed); CVL (Certs.#1139and#1140); DRBG (Certs.#1429and#1430); DSA (Certs.#1187and#1188); ECDSA (Certs.#1072and#1073); HMAC (Certs.#2942and#2943); KAS (Certs.#114and#115); RSA (Certs.#2411and#2412); SHS (Certs.#3648and#3649); Triple-DES (Certs.#2381and#2382)

-

Allowed algorithms: MD5; NDRNG; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength

- - - -##### Windows CE 6.0 and Windows Embedded Compact 7 - - ------ - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Enhanced Cryptographic Provider6.00.1937 [1] and 7.00.1687 [2]825

FIPS Approved algorithms: AES (Certs. #516 [1] and #2024 [2]); HMAC (Certs. #267 [1] and #1227 [2]); RNG (Certs. #292 [1] and #1060 [2]); RSA (Cert. #230 [1] and #1052 [2]); SHS (Certs. #589 [1] and #1774 [2]); Triple-DES (Certs. #526 [1] and #1308 [2])

-

Other algorithms: MD5; HMAC-MD5; RC2; RC4; DES

- - -##### Outlook Cryptographic Provider - - ------ - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Outlook Cryptographic Provider (EXCHCSP)SR-1A (3821)SR-1A (3821)110

FIPS Approved algorithms: Triple-DES (Cert. #18); SHA-1 (Certs. #32); RSA (vendor affirmed)

-

Other algorithms: DES (Certs. #91); DES MAC; RC2; MD2; MD5

- - - -### Cryptographic Algorithms - -The following tables are organized by cryptographic algorithms with their modes, states, and key sizes. For each algorithm implementation (operating system / platform), there is a link to the Cryptographic Algorithm Validation Program (CAVP) issued certificate. - -### Advanced Encryption Standard (AES) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    -
  • AES-CBC:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CFB128:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CTR:
    • -
    • -
    • Counter Source: Internal
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-OFB:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -

Microsoft Surface Hub Virtual TPM Implementations #4904

-

Version 10.0.15063.674

    -
  • AES-CBC:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CFB128:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CTR:
    • -
    • -
    • Counter Source: Internal
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-OFB:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #4903

-

Version 10.0.16299

    -
  • AES-CBC:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CCM:
    • -
    • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
      • -
    • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
      • -
    • Plain Text Length: 0-32
      • -
    • AAD Length: 0-65536
      • -
    • -
  • AES-CFB128:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CFB8:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CMAC:
    • -
    • -
    • Generation:
      • -
      • -
      • AES-128:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-192:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-256:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • -
    • Verification:
      • -
      • -
      • AES-128:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-192:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-256:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • -
    • -
  • AES-CTR:
    • -
    • -
    • Counter Source: Internal
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-ECB:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-GCM:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
      • -
    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • -
    • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • -
    • 96 bit IV supported
      • -
    • -
  • AES-XTS:
    • -
    • -
    • Key Size: 128:
      • -
      • -
      • Modes: Decrypt, Encrypt
        • -
      • Block Sizes: Full
        • -
      • -
    • Key Size: 256:
      • -
      • -
      • Modes: Decrypt, Encrypt
        • -
      • Block Sizes: Full
        • -
      • -
    • -

Microsoft Surface Hub SymCrypt Cryptographic Implementations #4902

-

Version 10.0.15063.674

    -
  • AES-CBC:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CCM:
    • -
    • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
      • -
    • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
      • -
    • Plain Text Length: 0-32
      • -
    • AAD Length: 0-65536
      • -
    • -
  • AES-CFB128:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CFB8:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CMAC:
    • -
    • -
    • Generation:
      • -
      • -
      • AES-128:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-192:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-256:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • -
    • Verification:
      • -
      • -
      • AES-128:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-192:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-256:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • -
    • -
  • AES-CTR:
    • -
    • -
    • Counter Source: Internal
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-ECB:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-GCM:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
      • -
    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • -
    • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • -
    • 96 bit IV supported
      • -
    • -
  • AES-XTS:
    • -
    • -
    • Key Size: 128:
      • -
      • -
      • Modes: Decrypt, Encrypt
        • -
      • Block Sizes: Full
        • -
      • -
    • Key Size: 256:
      • -
      • -
      • Modes: Decrypt, Encrypt
        • -
      • Block Sizes: Full
        • -
      • -
    • -

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4901

-

Version 10.0.15254

    -
  • AES-CBC:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CCM:
    • -
    • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
      • -
    • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
      • -
    • Plain Text Length: 0-32
      • -
    • AAD Length: 0-65536
      • -
    • -
  • AES-CFB128:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CFB8:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CMAC:
    • -
    • -
    • Generation:
      • -
      • -
      • AES-128:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-192:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-256:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • -
    • Verification:
      • -
      • -
      • AES-128:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-192:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-256:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • -
    • -
  • AES-CTR:
    • -
    • -
    • Counter Source: Internal
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-ECB:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-GCM:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • IV Generation: External
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
      • -
    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • -
    • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • -
    • 96 bit IV supported
      • -
    • -
  • AES-XTS:
    • -
    • -
    • Key Size: 128:
      • -
      • -
      • Modes: Decrypt, Encrypt
        • -
      • Block Sizes: Full
        • -
      • -
    • Key Size: 256:
      • -
      • -
      • Modes: Decrypt, Encrypt
        • -
      • Block Sizes: Full
        • -
      • -
    • -

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4897

-

Version 10.0.16299

AES-KW:

-
    -
  • Modes: Decrypt, Encrypt
    • -
  • CIPHK transformation direction: Forward
    • -
  • Key Lengths: 128, 192, 256 (bits)
    • -
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • -
-

AES Val#4902

Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #4900

-

Version 10.0.15063.674

AES-KW:

-
    -
  • Modes: Decrypt, Encrypt
    • -
  • CIPHK transformation direction: Forward
    • -
  • Key Lengths: 128, 192, 256 (bits)
    • -
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • -
-

AES Val#4901

Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #4899

-

Version 10.0.15254

AES-KW:

-
    -
  • Modes: Decrypt, Encrypt
    • -
  • CIPHK transformation direction: Forward
    • -
  • Key Lengths: 128, 192, 256 (bits)
    • -
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • -
-

AES Val#4897

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898

-

Version 10.0.16299

AES-CCM:

-
    -
  • Key Lengths: 256 (bits)
    • -
  • Tag Lengths: 128 (bits)
    • -
  • IV Lengths: 96 (bits)
    • -
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • -
-

AES Val#4902

Microsoft Surface Hub BitLocker(R) Cryptographic Implementations #4896

-

Version 10.0.15063.674

AES-CCM:

-
    -
  • Key Lengths: 256 (bits)
    • -
  • Tag Lengths: 128 (bits)
    • -
  • IV Lengths: 96 (bits)
    • -
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • -
-

AES Val#4901

Windows 10 Mobile (version 1709) BitLocker(R) Cryptographic Implementations #4895

-

Version 10.0.15254

AES-CCM:

-
    -
  • Key Lengths: 256 (bits)
    • -
  • Tag Lengths: 128 (bits)
    • -
  • IV Lengths: 96 (bits)
    • -
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • -
-

AES Val#4897

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894

-

Version 10.0.16299

CBC ( e/d; 128 , 192 , 256 );

-

CFB128 ( e/d; 128 , 192 , 256 );

-

OFB ( e/d; 128 , 192 , 256 );

-

CTR ( int only; 128 , 192 , 256 )

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627

-

Version 10.0.15063

KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

-

AES Val#4624

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626

-

Version 10.0.15063

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

-

AES Val#4624

-

 

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625

-

Version 10.0.15063

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CFB8 ( e/d; 128 , 192 , 256 );

-

CFB128 ( e/d; 128 , 192 , 256 );

-

CTR ( int only; 128 , 192 , 256 )

-

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

-

CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )

-

GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

-

(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

-

IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported

-

GMAC_Supported

-

XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624

-

Version 10.0.15063

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434

-

Version 7.00.2872

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433

-

Version 8.00.6246

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CTR ( int only; 128 , 192 , 256 )

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431

-

Version 7.00.2872

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CTR ( int only; 128 , 192 , 256 )

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430

-

Version 8.00.6246

CBC ( e/d; 128 , 192 , 256 );

-

CFB128 ( e/d; 128 , 192 , 256 );

-

OFB ( e/d; 128 , 192 , 256 );

-

CTR ( int only; 128 , 192 , 256 )

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074

-

Version 10.0.14393

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

-

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

-

CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

-

GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
-GMAC_Supported

-

XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064

-

Version 10.0.14393

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CFB8 ( e/d; 128 , 192 , 256 );

-

 

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
-Version 10.0.14393

KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )

-

AES Val#4064

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062

-

Version 10.0.14393

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

-

AES Val#4064

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061

-

Version 10.0.14393

KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

-

AES Val#3629

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652

-

Version 10.0.10586

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

-

AES Val#3629

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653

-

Version 10.0.10586

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CFB8 ( e/d; 128 , 192 , 256 );

-

 

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
-Version 10.0.10586

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

-

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

-

CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

-

GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
-GMAC_Supported

-

XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629
-
-

-

Version 10.0.10586

KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

-

AES Val#3497

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507

-

Version 10.0.10240

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

-

AES Val#3497

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498

-

Version 10.0.10240

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

-

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

-

CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

-

GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
-GMAC_Supported

-

XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
-Version 10.0.10240

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CFB8 ( e/d; 128 , 192 , 256 );

-

 

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
-Version 10.0.10240

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CFB8 ( e/d; 128 , 192 , 256 );

-

 

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853

-

Version 6.3.9600

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

-

AES Val#2832

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848

-

Version 6.3.9600

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

-

CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

-

GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

-

(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

-

IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 8 , 1024 ) ; 96BitIV_Supported ;
-OtherIVLen_Supported
-GMAC_Supported

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832

-

Version 6.3.9600

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-AES Val#2197

-

CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
-AES Val#2197

-

GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
-GMAC_Supported

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

-

AES Val#2196

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CFB8 ( e/d; 128 , 192 , 256 );

-

CFB128 ( e/d; 128 , 192 , 256 );

-

CTR ( int only; 128 , 192 , 256 )

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CFB8 ( e/d; 128 , 192 , 256 );

-

 

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196
CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-AES Val#1168

Windows Server 2008 R2 and SP1 CNG algorithms #1187

-

Windows 7 Ultimate and SP1 CNG algorithms #1178

CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
-AES Val#1168		Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CFB8 ( e/d; 128 , 192 , 256 );

-

 

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168

GCM

-

GMAC

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 , vendor-affirmed
CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760
CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

Windows Server 2008 CNG algorithms #757

-

Windows Vista Ultimate SP1 CNG algorithms #756

CBC ( e/d; 128 , 256 );

-

CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )

Windows Vista Ultimate BitLocker Drive Encryption #715

-

Windows Vista Ultimate BitLocker Drive Encryption #424

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CFB8 ( e/d; 128 , 192 , 256 );

Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739

-

Windows Vista Symmetric Algorithm Implementation #553

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CTR ( int only; 128 , 192 , 256 )

Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024

-

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818

-

Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781

-

Windows 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #548

-

Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #516

-

Windows CE and Windows Mobile 6, 6.1, and 6.5 Enhanced Cryptographic Provider (RSAENH) #507

-

Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #290

-

Windows CE 5.0 and 5.1 Enhanced Cryptographic Provider (RSAENH) #224

-

Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #80

-

Windows XP, SP1, and SP2 Enhanced Cryptographic Provider (RSAENH) #33

- - -Deterministic Random Bit Generator (DRBG) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    -
  • Counter:
    • -
    • -
    • Modes: AES-256
      • -
    • Derivation Function States: Derivation Function not used
      • -
    • Prediction Resistance Modes: Not Enabled
      • -
    • -
-

Prerequisite: AES #4904

Microsoft Surface Hub Virtual TPM Implementations #1734

-

Version 10.0.15063.674

    -
  • Counter:
    • -
    • -
    • Modes: AES-256
      • -
    • Derivation Function States: Derivation Function not used
      • -
    • Prediction Resistance Modes: Not Enabled
      • -
    • -
-

Prerequisite: AES #4903

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1733

-

Version 10.0.16299

    -
  • Counter:
    • -
    • -
    • Modes: AES-256
      • -
    • Derivation Function States: Derivation Function used
      • -
    • Prediction Resistance Modes: Not Enabled
      • -
    • -
-

Prerequisite: AES #4902

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1732

-

Version 10.0.15063.674

    -
  • Counter:
    • -
    • -
    • Modes: AES-256
      • -
    • Derivation Function States: Derivation Function used
      • -
    • Prediction Resistance Modes: Not Enabled
      • -
    • -
-

Prerequisite: AES #4901

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1731

-

Version 10.0.15254

    -
  • Counter:
    • -
    • -
    • Modes: AES-256
      • -
    • Derivation Function States: Derivation Function used
      • -
    • Prediction Resistance Modes: Not Enabled
      • -
    • -
-

Prerequisite: AES #4897

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1730

-

Version 10.0.16299

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ]

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556

-

Version 10.0.15063

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ]

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555

-

Version 10.0.15063

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ]

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433

-

Version 7.00.2872

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ]

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432

-

Version 8.00.6246

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ]

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430

-

Version 7.00.2872

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ]

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429

-

Version 8.00.6246

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ]

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222

-

Version 10.0.14393

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ]

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217

-

Version 10.0.14393

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ]

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955

-

Version 10.0.10586

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ]

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868

-

Version 10.0.10240

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ]

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489

-

Version 6.3.9600

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ]Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ]Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ]Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23
DRBG (SP 800–90)Windows Vista Ultimate SP1, vendor-affirmed
- - -#### Digital Signature Algorithm (DSA) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    -
  • DSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • PQGGen:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • PQGVer:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • SigGen:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • SigVer:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • KeyPair:
        • -
        • -
        • L = 2048, N = 256
          • -
        • L = 3072, N = 256
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1303

-

Version 10.0.15063.674

    -
  • DSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • PQGGen:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • PQGVer:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • SigGen:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • SigVer:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • KeyPair:
        • -
        • -
        •  
          • -
        •  
          • -
        • L = 2048, N = 256
          • -
        • L = 3072, N = 256
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1302

-

Version 10.0.15254

    -
  • DSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • PQGGen:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • PQGVer:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • SigGen:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • SigVer:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • KeyPair:
        • -
        • -
        • L = 2048, N = 256
          • -
        • L = 3072, N = 256
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301

-

Version 10.0.16299

FIPS186-4:

-

PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]

-

PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

-

KeyPairGen:   [ (2048,256) ; (3072,256) ]

-

SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]

-

SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

-

SHS: Val#3790

-

DRBG: Val# 1555

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223

-

Version 10.0.15063

FIPS186-4:
-PQG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
-SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
-SHS: Val# 3649

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188

-

Version 7.00.2872

FIPS186-4:
-PQG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
-SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
-SHS: Val#3648

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187

-

Version 8.00.6246

FIPS186-4:
-PQG(gen)PARMS TESTED: [
-(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-KeyPairGen:    [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED:   [ (2048,256)
-SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

-

SHS: Val# 3347
-DRBG: Val# 1217

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098

-

Version 10.0.14393

FIPS186-4:
-PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
-KeyPairGen:    [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

-

SHS: Val# 3047
-DRBG: Val# 955

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024

-

Version 10.0.10586

FIPS186-4:
-PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-KeyPairGen:    [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

-

SHS: Val# 2886
-DRBG: Val# 868

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983

-

Version 10.0.10240

FIPS186-4:
-PQG(gen)PARMS TESTED:   [
-(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED:   [ (2048,256)
-SHA( 256 ); (3072,256) SHA( 256 ) ]
-KeyPairGen:    [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

-

SHS: Val# 2373
-DRBG: Val# 489

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855

-

Version 6.3.9600

FIPS186-2:
-PQG(ver) MOD(1024);
-SIG(ver) MOD(1024);
-SHS: #1903
-DRBG: #258

-

FIPS186-4:
-PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-SHS: #1903
-DRBG: #258
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687.

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687
FIPS186-2:
-PQG(ver) MOD(1024);
-SIG(ver) MOD(1024);
-SHS: #1902
-DRBG: #258
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686.		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686
FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 1773
-DRBG: Val# 193
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645.		Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645
FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 1081
-DRBG: Val# 23
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386.

Windows Server 2008 R2 and SP1 CNG algorithms #391

-

Windows 7 Ultimate and SP1 CNG algorithms #386

FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 1081
-RNG: Val# 649
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385.

Windows Server 2008 R2 and SP1 Enhanced DSS (DSSENH) #390

-

Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385

FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 753
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283.

Windows Server 2008 CNG algorithms #284

-

Windows Vista Ultimate SP1 CNG algorithms #283

FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 753
-RNG: Val# 435
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281.

Windows Server 2008 Enhanced DSS (DSSENH) #282

-

Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281

FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 618
-RNG: Val# 321
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226.

Windows Vista CNG algorithms #227

-

Windows Vista Enhanced DSS (DSSENH) #226

FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 784
-RNG: Val# 448
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292.		Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292
FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 783
-RNG: Val# 447
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291.		Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291
FIPS186-2:
-PQG(gen) MOD(1024);
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
-SIG(ver) MOD(1024);
-SHS: Val# 611
-RNG: Val# 314		Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221
FIPS186-2:
-PQG(gen) MOD(1024);
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
-SIG(ver) MOD(1024);
-SHS: Val# 385		Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146
FIPS186-2:
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
-SIG(ver) MOD(1024);
-SHS: Val# 181
-
-		Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95
FIPS186-2:
-PQG(gen) MOD(1024);
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
-SHS: SHA-1 (BYTE)
-SIG(ver) MOD(1024);
-SHS: SHA-1 (BYTE)

Windows 2000 DSSENH.DLL #29

-

Windows 2000 DSSBASE.DLL #28

-

Windows NT 4 SP6 DSSENH.DLL #26

-

Windows NT 4 SP6 DSSBASE.DLL #25

FIPS186-2: PRIME;
-FIPS186-2:

-

KEYGEN(Y):
-SHS: SHA-1 (BYTE)

-

SIG(gen):
-SIG(ver) MOD(1024);
-SHS: SHA-1 (BYTE)

Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17
- - -#### Elliptic Curve Digital Signature Algorithm (ECDSA) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    -
  • ECDSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • Key Pair Generation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • Generation Methods: Extra Random Bits
          • -
        • -
      • Public Key Validation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • -
      • Signature Generation:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • Signature Verification:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #2373, DRBG #489

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263

-

Version 6.3.9600

    -
  • ECDSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • Key Pair Generation:
        • -
        • -
        • Curves: P-256, P-384
          • -
        • Generation Methods: Testing Candidates
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, DRBG #1734

Microsoft Surface Hub Virtual TPM Implementations #1253

-

Version 10.0.15063.674

    -
  • ECDSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • Key Pair Generation:
        • -
        • -
        • Curves: P-256, P-384
          • -
        • Generation Methods: Testing Candidates
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, DRBG #1733

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1252

-

Version 10.0.16299

    -
  • ECDSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • Key Pair Generation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • Generation Methods: Extra Random Bits
          • -
        • -
      • Public Key Validation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • -
      • Signature Generation:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • Signature Verification:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub MsBignum Cryptographic Implementations #1251

-

Version 10.0.15063.674

    -
  • ECDSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • Key Pair Generation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • Generation Methods: Extra Random Bits
          • -
        • -
      • Public Key Validation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • -
      • Signature Generation:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • Signature Verification:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1250

-

Version 10.0.15063.674

    -
  • ECDSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • Key Pair Generation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • Generation Methods: Extra Random Bits
          • -
        • -
      • Public Key Validation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • -
      • Signature Generation:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • Signature Verification:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1249

-

Version 10.0.15254

    -
  • ECDSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • Key Pair Generation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • Generation Methods: Extra Random Bits
          • -
        • -
      • Public Key Validation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • -
      • Signature Generation:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • Signature Verification:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1248

-

Version 10.0.15254

    -
  • ECDSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • Key Pair Generation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • Generation Methods: Extra Random Bits
          • -
        • -
      • Public Key Validation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • -
      • Signature Generation:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • Signature Verification:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1247

-

Version 10.0.16299

    -
  • ECDSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • Key Pair Generation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • Generation Methods: Extra Random Bits
          • -
        • -
      • Public Key Validation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • -
      • Signature Generation:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • Signature Verification:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1246

-

Version 10.0.16299

FIPS186-4:
-PKG: CURVES( P-256 P-384 TestingCandidates )
-SHS: Val#3790
-DRBG: Val# 1555

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136

-

Version 10.0.15063

FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val#3790
-DRBG: Val# 1555

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135

-

Version 10.0.15063

FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val#3790
-DRBG: Val# 1555

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133

-

Version 10.0.15063

FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
-SHS:Val# 3649
-DRBG:Val# 1430

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073

-

Version 7.00.2872

FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
-SHS:Val#3648
-DRBG:Val# 1429

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072

-

Version 8.00.6246

FIPS186-4:
-PKG: CURVES( P-256 P-384 TestingCandidates )
-PKV: CURVES( P-256 P-384 )
-SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )

-

SHS: Val# 3347
-DRBG: Val# 1222

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920

-

Version 10.0.14393

FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

-

SHS: Val# 3347
-DRBG: Val# 1217

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911

-

Version 10.0.14393

FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

-

SHS: Val# 3047
-DRBG: Val# 955

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760

-

Version 10.0.10586

FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

-

SHS: Val# 2886
-DRBG: Val# 868

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #706

-

Version 10.0.10240

FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

-

SHS: Val#2373
-DRBG: Val# 489

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505

-

Version 6.3.9600

FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: #1903
-DRBG: #258
-SIG(ver):CURVES( P-256 P-384 P-521 )
-SHS: #1903
-DRBG: #258

-

FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: #1903
-DRBG: #258
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341.

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341

FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#1773
-DRBG: Val# 193
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#1773
-DRBG: Val# 193

-

FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val#1773
-DRBG: Val# 193
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295.

Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295
FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#1081
-DRBG: Val# 23
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#1081
-DRBG: Val# 23
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141.

Windows Server 2008 R2 and SP1 CNG algorithms #142

-

Windows 7 Ultimate and SP1 CNG algorithms #141

FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#753
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#753
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82.

Windows Server 2008 CNG algorithms #83

-

Windows Vista Ultimate SP1 CNG algorithms #82

FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#618
-RNG: Val# 321
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#618
-RNG: Val# 321
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60.		Windows Vista CNG algorithms #60
- - -#### Keyed-Hash Message Authentication Code (HMAC) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    -
  • HMAC-SHA-1:
    • -
    • -
    • Key Sizes &lt; Block Size
      • -
    • Key Sizes &gt; Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-256:
    • -
    • -
    • Key Sizes &lt; Block Size
      • -
    • Key Sizes &gt; Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-384:
    • -
    • -
    • Key Sizes &lt; Block Size
      • -
    • Key Sizes &gt; Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
-

Prerequisite: SHS #4011

Microsoft Surface Hub Virtual TPM Implementations #3271

-

Version 10.0.15063.674

    -
  • HMAC-SHA-1:
    • -
    • -
    • Key Sizes &lt; Block Size
      • -
    • Key Sizes &gt; Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-256:
    • -
    • -
    • Key Sizes &lt; Block Size
      • -
    • Key Sizes &gt; Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-384:
    • -
    • -
    • Key Sizes &lt; Block Size
      • -
    • Key Sizes &gt; Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
-

Prerequisite: SHS #4009

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #3270

-

Version 10.0.16299

    -
  • HMAC-SHA-1:
    • -
    • -
    • Key Sizes &lt; Block Size
      • -
    • Key Sizes &gt; Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-256:
    • -
    • -
    • Key Sizes &lt; Block Size
      • -
    • Key Sizes &gt; Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-384:
    • -
    • -
    • Key Sizes &lt; Block Size
      • -
    • Key Sizes &gt; Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-512:
    • -
    • -
    • Key Sizes &lt; Block Size
      • -
    • Key Sizes &gt; Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
-

Prerequisite: SHS #4011

Microsoft Surface Hub SymCrypt Cryptographic Implementations #3269

-

Version 10.0.15063.674

    -
  • HMAC-SHA-1:
    • -
    • -
    • Key Sizes &lt; Block Size
      • -
    • Key Sizes &gt; Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-256:
    • -
    • -
    • Key Sizes &lt; Block Size
      • -
    • Key Sizes &gt; Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-384:
    • -
    • -
    • Key Sizes &lt; Block Size
      • -
    • Key Sizes &gt; Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-512:
    • -
    • -
    • Key Sizes &lt; Block Size
      • -
    • Key Sizes &gt; Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
-

Prerequisite: SHS #4010

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #3268

-

Version 10.0.15254

    -
  • HMAC-SHA-1:
    • -
    • -
    • Key Sizes &lt; Block Size
      • -
    • Key Sizes &gt; Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-256:
    • -
    • -
    • Key Sizes &lt; Block Size
      • -
    • Key Sizes &gt; Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-384:
    • -
    • -
    • Key Sizes &lt; Block Size
      • -
    • Key Sizes &gt; Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-512:
    • -
    • -
    • Key Sizes &lt; Block Size
      • -
    • Key Sizes &gt; Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
-

Prerequisite: SHS #4009

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #3267

-

Version 10.0.16299

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062

-

Version 10.0.15063

HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061

-

Version 10.0.15063

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946

-

Version 7.00.2872

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945

-

Version 8.00.6246

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943

-

Version 7.00.2872

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942

-

Version 8.00.6246

HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
-SHS Val# 3347

-

HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
-SHS Val# 3347

-

HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
-SHS Val# 3347

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661

-

Version 10.0.14393

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651

-

Version 10.0.14393

HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
-SHS Val# 3047

-

HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
-SHS Val# 3047

-

HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
-SHS Val# 3047

-

HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
-SHS Val# 3047

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381

-

Version 10.0.10586

HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
-SHSVal# 2886

-

HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
-SHSVal# 2886

-

HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
- SHSVal# 2886

-

HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
-SHSVal# 2886

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233

-

Version 10.0.10240

HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
-SHS Val#2373

-

HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
-SHS Val#2373

-

HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
-SHS Val#2373

-

HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
-SHS Val#2373

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773

-

Version 6.3.9600

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122

-

Version 5.2.29344

HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902

-

HMAC-SHA256 ( Key Size Ranges Tested: KS#1902

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )

-

SHS#1903

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS )

-

SHS#1903

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS )

-

SHS#1903

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS )

-

SHS#1903

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

-

Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

Windows Server 2008 R2 and SP1 CNG algorithms #686

-

Windows 7 and SP1 CNG algorithms #677

-

Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687

-

Windows 7 Enhanced Cryptographic Provider (RSAENH) #673

HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081

-

HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452

HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753

-

HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753

Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753

Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408

-

Windows Vista Enhanced Cryptographic Provider (RSAENH) #407

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

Windows Vista Enhanced Cryptographic Provider (RSAENH) #297
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785

Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429

-

Windows XP, vendor-affirmed

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783

Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753

Windows Server 2008 CNG algorithms #413

-

Windows Vista Ultimate SP1 CNG algorithms #412

HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737

-

HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737

Windows Vista Ultimate BitLocker Drive Encryption #386

HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

Windows Vista CNG algorithms #298

HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589

Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267

HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578

Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260

HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495

-

HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495

Windows Vista BitLocker Drive Encryption #199
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364

Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99

-

Windows XP, vendor-affirmed

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305

Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31
- - -#### Key Agreement Scheme (KAS) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    -
  • KAS ECC:
    • -
    • -
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
      • -
    • Schemes:
      • -
      • -
      • Full Unified:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • KDFs: Concatenation
          • -
        • Parameter Sets:
          • -
          • -
          • EC:
            • -
            • -
            • Curve: P-256
              • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • ED:
            • -
            • -
            • Curve: P-384
              • -
            • SHA: SHA-384
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, ECDSA #1253, DRBG #1734

Microsoft Surface Hub Virtual TPM Implementations #150

-

Version 10.0.15063.674

    -
  • KAS ECC:
    • -
    • -
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
      • -
    • Schemes:
      • -
      • -
      • Full Unified:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • KDFs: Concatenation
          • -
        • Parameter Sets:
          • -
          • -
          • EC:
            • -
            • -
            • Curve: P-256
              • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • ED:
            • -
            • -
            • Curve: P-384
              • -
            • SHA: SHA-384
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, ECDSA #1252, DRBG #1733

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #149

-

Version 10.0.16299

    -
  • KAS ECC:
    • -
    • -
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
      • -
    • Schemes:
      • -
      • -
      • Ephemeral Unified:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • KDFs: Concatenation
          • -
        • Parameter Sets:
          • -
          • -
          • EC:
            • -
            • -
            • Curve: P-256
              • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • ED:
            • -
            • -
            • Curve: P-384
              • -
            • SHA: SHA-384
              • -
            • MAC: HMAC
              • -
            • -
          • EE:
            • -
            • -
            • Curve: P-521
              • -
            • SHA: SHA-512
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • One Pass DH:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • EC:
            • -
            • -
            • Curve: P-256
              • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • ED:
            • -
            • -
            • Curve: P-384
              • -
            • SHA: SHA-384
              • -
            • MAC: HMAC
              • -
            • -
          • EE:
            • -
            • -
            • Curve: P-521
              • -
            • SHA: SHA-512
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • Static Unified:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • EC:
            • -
            • -
            • Curve: P-256
              • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • ED:
            • -
            • -
            • Curve: P-384
              • -
            • SHA: SHA-384
              • -
            • MAC: HMAC
              • -
            • -
          • EE:
            • -
            • -
            • Curve: P-521
              • -
            • SHA: SHA-512
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, ECDSA #1250, DRBG #1732

-
    -
  • KAS FFC:
    • -
    • -
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
      • -
    • Schemes:
      • -
      • -
      • dhEphem:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • FB:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • FC:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • dhOneFlow:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • FB:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • FC:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • dhStatic:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • FB:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • FC:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, DSA #1303, DRBG #1732

Microsoft Surface Hub SymCrypt Cryptographic Implementations #148

-

Version 10.0.15063.674

    -
  • KAS ECC:
    • -
    • -
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
      • -
    • Schemes:
      • -
      • -
      • Ephemeral Unified:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • KDFs: Concatenation
          • -
        • Parameter Sets:
          • -
          • -
          • EC:
            • -
            • -
            • Curve: P-256
              • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • ED:
            • -
            • -
            • Curve: P-384
              • -
            • SHA: SHA-384
              • -
            • MAC: HMAC
              • -
            • -
          • EE:
            • -
            • -
            • Curve: P-521
              • -
            • SHA: SHA-512
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • One Pass DH:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • EC:
            • -
            • -
            • Curve: P-256
              • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • ED:
            • -
            • -
            • Curve: P-384
              • -
            • SHA: SHA-384
              • -
            • MAC: HMAC
              • -
            • -
          • EE:
            • -
            • -
            • Curve: P-521
              • -
            • SHA: SHA-512
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • Static Unified:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • EC:
            • -
            • -
            • Curve: P-256
              • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • ED:
            • -
            • -
            • Curve: P-384
              • -
            • SHA: SHA-384
              • -
            • MAC: HMAC
              • -
            • -
          • EE:
            • -
            • -
            • Curve: P-521
              • -
            • SHA: SHA-512
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4010, ECDSA #1249, DRBG #1731

-
    -
  • KAS FFC:
    • -
    • -
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
      • -
    • Schemes:
      • -
      • -
      • dhEphem:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • FB:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • FC:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • dhOneFlow:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • FB:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • FC:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • dhStatic:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • FB:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • FC:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4010, DSA #1302, DRBG #1731

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #147

-

Version 10.0.15254

    -
  • KAS ECC:
    • -
    • -
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
      • -
    • Schemes:
      • -
      • -
      • Ephemeral Unified:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • KDFs: Concatenation
          • -
        • Parameter Sets:
          • -
          • -
          • EC:
            • -
            • -
            • Curve: P-256
              • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • ED:
            • -
            • -
            • Curve: P-384
              • -
            • SHA: SHA-384
              • -
            • MAC: HMAC
              • -
            • -
          • EE:
            • -
            • -
            • Curve: P-521
              • -
            • SHA: SHA-512
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • One Pass DH:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • EC:
            • -
            • -
            • Curve: P-256
              • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • ED:
            • -
            • -
            • Curve: P-384
              • -
            • SHA: SHA-384
              • -
            • MAC: HMAC
              • -
            • -
          • EE:
            • -
            • -
            • Curve: P-521
              • -
            • SHA: SHA-512
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • Static Unified:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • EC:
            • -
            • -
            • Curve: P-256
              • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • ED:
            • -
            • -
            • Curve: P-384
              • -
            • SHA: SHA-384
              • -
            • MAC: HMAC
              • -
            • -
          • EE:
            • -
            • -
            • Curve: P-521
              • -
            • SHA: SHA-512
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, ECDSA #1246, DRBG #1730

-
    -
  • KAS FFC:
    • -
    • -
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
      • -
    • Schemes:
      • -
      • -
      • dhEphem:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • FB:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • FC:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • dhOneFlow:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • FB:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • FC:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • dhStatic:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • FB:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • FC:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, DSA #1301, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #146

-

Version 10.0.16299

ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ]

-

SHS Val#3790
-DSA Val#1135
-DRBG Val#1556

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #128

-

Version 10.0.15063

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
-SHS Val#3790
-DSA Val#1223
-DRBG Val#1555

-

ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
-
-SHS Val#3790
-ECDSA Val#1133
-DRBG Val#1555

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127

-

Version 10.0.15063

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
-SHS Val# 3649
-DSA Val#1188
-DRBG Val#1430

-

ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115

-

Version 7.00.2872

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhHybridOneFlow ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
-[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
-SHS Val#3648
-DSA Val#1187
-DRBG Val#1429

-

ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
-
-SHS Val#3648
-ECDSA Val#1072
-DRBG Val#1429

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114

-

Version 8.00.6246

ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration )
-SCHEMES  [ FullUnified  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; &lt; KDF: CONCAT &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ]

-

SHS Val# 3347 ECDSA Val#920 DRBG Val#1222

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93

-

Version 10.0.14393

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation )
-SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

-

SHS Val# 3347 DSA Val#1098 DRBG Val#1217

-

ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

-

SHS Val# 3347 DSA Val#1098 ECDSA Val#911 DRBG Val#1217 HMAC Val#2651

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #92

-

Version 10.0.14393

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

-

SHS Val# 3047 DSA Val#1024 DRBG Val#955

-

ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

-

SHS Val# 3047 ECDSA Val#760 DRBG Val#955

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72

-

Version 10.0.10586

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

-

SHS Val# 2886 DSA Val#983 DRBG Val#868

-

ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

-

SHS Val# 2886 ECDSA Val#706 DRBG Val#868

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64

-

Version 10.0.10240

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

-

SHS Val#2373 DSA Val#855 DRBG Val#489

-

ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

-

SHS Val#2373 ECDSA Val#505 DRBG Val#489

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47

-

Version 6.3.9600

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-SHS #1903 DSA Val#687 DRBG #258

-

ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
-[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-
-SHS #1903 ECDSA Val#341 DRBG #258

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36

KAS (SP 800–56A)

-

key agreement

-

key establishment methodology provides 80 to 256 bits of encryption strength

Windows 7 and SP1, vendor-affirmed

-

Windows Server 2008 R2 and SP1, vendor-affirmed

- - -SP 800-108 Key-Based Key Derivation Functions (KBKDF) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    -
  • Counter:
    • -
    • -
    • MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
      • -
    • -
-

MAC prerequisite: HMAC #3271

-
-
    -
  • Counter Location: Before Fixed Data
    • -
  • R Length: 32 (bits)
    • -
  • SPs used to generate K: SP 800-56A, SP 800-90A
    • -
-
-

K prerequisite: DRBG #1734, KAS #150

Microsoft Surface Hub Virtual TPM Implementations #161

-

Version 10.0.15063.674

    -
  • Counter:
    • -
    • -
    • MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
      • -
    • -
-

MAC prerequisite: HMAC #3270

-
-
    -
  • Counter Location: Before Fixed Data
    • -
  • R Length: 32 (bits)
    • -
  • SPs used to generate K: SP 800-56A, SP 800-90A
    • -
-
-

K prerequisite: DRBG #1733, KAS #149

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #160

-

Version 10.0.16299

    -
  • Counter:
    • -
    • -
    • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
      • -
    • -
-

MAC prerequisite: AES #4902, HMAC #3269

-
-
    -
  • Counter Location: Before Fixed Data
    • -
  • R Length: 32 (bits)
    • -
  • SPs used to generate K: SP 800-56A, SP 800-90A
    • -
  • K prerequisite: KAS #148
    • -
-

Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #159

-

Version 10.0.15063.674

    -
  • Counter:
    • -
    • -
    • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
      • -
    • -
-

MAC prerequisite: AES #4901, HMAC #3268

-
-
    -
  • Counter Location: Before Fixed Data
    • -
  • R Length: 32 (bits)
    • -
  • SPs used to generate K: SP 800-56A, SP 800-90A
    • -
-
-

K prerequisite: KAS #147

Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #158

-

Version 10.0.15254

    -
  • Counter:
    • -
    • -
    • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
      • -
    • -
-

MAC prerequisite: AES #4897, HMAC #3267

-
-
    -
  • Counter Location: Before Fixed Data
    • -
  • R Length: 32 (bits)
    • -
  • SPs used to generate K: SP 800-56A, SP 800-90A
    • -
-
-

K prerequisite: KAS #146

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #157

-

Version 10.0.16299

CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
-
-KAS Val#128
-DRBG Val#1556
-MAC Val#3062

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #141

-

Version 10.0.15063

CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
-
-KAS Val#127
-AES Val#4624
-DRBG Val#1555
-MAC Val#3061

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #140

-

Version 10.0.15063

CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

-

KAS Val#93 DRBG Val#1222 MAC Val#2661

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102

-

Version 10.0.14393

CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

-

KAS Val#92 AES Val#4064 DRBG Val#1217 MAC Val#2651

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101

-

Version 10.0.14393

CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

-

KAS Val#72 AES Val#3629 DRBG Val#955 MAC Val#2381

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72

-

Version 10.0.10586

CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

-

KAS Val#64 AES Val#3497 RBG Val#868 MAC Val#2233

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66

-

Version 10.0.10240

CTR_Mode:  ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

-

DRBG Val#489 MAC Val#1773

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30

-

Version 6.3.9600

CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

-

DRBG #258 HMAC Val#1345

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3
- - -Random Number Generator (RNG) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - -
Modes / States / Key SizesAlgorithm Implementation and Certificate #

FIPS 186-2 General Purpose

-

[ (x-Original); (SHA-1) ]

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110
FIPS 186-2
-[ (x-Original); (SHA-1) ]

Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060

-

Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292

-

Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286

-

Windows CE 5.00 and Window CE 5.01 Enhanced Cryptographic Provider (RSAENH) #66

FIPS 186-2
-[ (x-Change Notice); (SHA-1) ]

-

FIPS 186-2 General Purpose
-[ (x-Change Notice); (SHA-1) ]

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649

-

Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435

-

Windows Vista RNG implementation #321

FIPS 186-2 General Purpose
-[ (x-Change Notice); (SHA-1) ]

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470

-

Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449

-

Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447

-

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #316

-

Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313

FIPS 186-2
-[ (x-Change Notice); (SHA-1) ]

Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448

-

Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314

- - -#### RSA - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Modes / States / Key SizesAlgorithm Implementation and Certificate #

RSA:

-
    -
  • 186-4:
    • -
    • -
    • Signature Generation PKCS1.5:
      • -
      • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
        • -
      • -
    • Signature Generation PSS:
      • -
      • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • -
      • -
    • Signature Verification PKCS1.5:
      • -
      • -
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384
        • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
        • -
      • -
    • Signature Verification PSS:
      • -
      • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, DRBG #1734

Microsoft Surface Hub Virtual TPM Implementations #2677

-

Version 10.0.15063.674

RSA:

-
    -
  • 186-4:
    • -
    • -
    • Signature Generation PKCS1.5:
      • -
      • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
        • -
      • -
    • Signature Generation PSS:
      • -
      • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 240 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • -
      • -
    • Signature Verification PKCS1.5:
      • -
      • -
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384
        • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
        • -
      • -
    • Signature Verification PSS:
      • -
      • -
      • Mod 1024:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, DRBG #1733

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #2676

-

Version 10.0.16299

RSA:

-
    -
  • 186-4:
    • -
    • -
    • Key Generation:
      • -
    • Signature Verification PKCS1.5:
      • -
      • -
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • -
-

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub RSA32 Algorithm Implementations #2675

-

Version 10.0.15063.674

RSA:

-
    -
  • 186-4:
    • -
    • -
    • Signature Verification PKCS1.5:
      • -
      • -
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • -
-

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations #2674

-

Version 10.0.16299

RSA:

-
    -
  • 186-4:
    • -
    • -
    • Signature Verification PKCS1.5:
      • -
      • -
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • -
-

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) RSA32 Algorithm Implementations #2673

-

Version 10.0.15254

RSA:

-
    -
  • 186-4:
    • -
    • -
    • Key Generation:
      • -
      • -
      • Public Key Exponent: Fixed (10001)
        • -
      • Provable Primes with Conditions:
        • -
        • -
        • Mod lengths: 2048, 3072 (bits)
          • -
        • Primality Tests: C.3
          • -
        • -
      • -
    • Signature Generation PKCS1.5:
      • -
      • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Generation PSS:
      • -
      • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • Signature Verification PKCS1.5:
      • -
      • -
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Verification PSS:
      • -
      • -
      • Mod 1024:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 496 (bits)
          • -
        • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub MsBignum Cryptographic Implementations #2672

-

Version 10.0.15063.674

RSA:

-
    -
  • 186-4:
    • -
    • -
    • Key Generation:
      • -
      • -
      • Probable Random Primes:
        • -
        • -
        • Mod lengths: 2048, 3072 (bits)
          • -
        • Primality Tests: C.2
          • -
        • -
      • -
    • Signature Generation PKCS1.5:
      • -
      • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Generation PSS:
      • -
      • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • Signature Verification PKCS1.5:
      • -
      • -
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Verification PSS:
      • -
      • -
      • Mod 1024:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 496 (bits)
          • -
        • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub SymCrypt Cryptographic Implementations #2671

-

Version 10.0.15063.674

RSA:

-
    -
  • 186-4:
    • -
    • -
    • Key Generation:
      • -
      • -
      • Probable Random Primes:
        • -
        • -
        • Mod lengths: 2048, 3072 (bits)
          • -
        • Primality Tests: C.2
          • -
        • -
      • -
    • Signature Generation PKCS1.5:
      • -
      • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Generation PSS:
      • -
      • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • Signature Verification PKCS1.5:
      • -
      • -
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Verification PSS:
      • -
      • -
      • Mod 1024:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 496 (bits)
          • -
        • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2670

-

Version 10.0.15254

RSA:

-
    -
  • 186-4:
    • -
    • -
    • Key Generation:
      • -
      • -
      • Public Key Exponent: Fixed (10001)
        • -
      • Provable Primes with Conditions:
        • -
        • -
        • Mod lengths: 2048, 3072 (bits)
          • -
        • Primality Tests: C.3
          • -
        • -
      • -
    • Signature Generation PKCS1.5:
      • -
      • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Generation PSS:
      • -
      • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • Signature Verification PKCS1.5:
      • -
      • -
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Verification PSS:
      • -
      • -
      • Mod 1024:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 496 (bits)
          • -
        • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #2669

-

Version 10.0.15254

    -
  • 186-4:
    • -
    • -
    • Key Generation:
      • -
      • -
      • Public Key Exponent: Fixed (10001)
        • -
      • Provable Primes with Conditions:
        • -
        • -
        • Mod lengths: 2048, 3072 (bits)
          • -
        • Primality Tests: C.3
          • -
        • -
      • -
    • Signature Generation PKCS1.5:
      • -
      • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Generation PSS:
      • -
      • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • Signature Verification PKCS1.5:
      • -
      • -
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Verification PSS:
      • -
      • -
      • Mod 1024:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 496 (bits)
          • -
        • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #2668

-

Version 10.0.16299

    -
  • 186-4:
    • -
    • -
    • Key Generation:
      • -
      • -
      • Probable Random Primes:
        • -
        • -
        • Mod lengths: 2048, 3072 (bits)
          • -
        • Primality Tests: C.2
          • -
        • -
      • -
    • Signature Generation PKCS1.5:
      • -
      • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Generation PSS:
      • -
      • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • Signature Verification PKCS1.5:
      • -
      • -
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Verification PSS:
      • -
      • -
      • Mod 1024:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 496 (bits)
          • -
        • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2667

-

Version 10.0.16299

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
-SHA Val#3790

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524

-

Version 10.0.15063

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3790

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523

-

Version 10.0.15063

FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-SHA Val#3790
-DRBG: Val# 1555

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522

-

Version 10.0.15063

FIPS186-4:
-186-4KEY(gen):
-PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-SHA Val#3790

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521

-

Version 10.0.15063

FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652

-

FIPS186-4:
-ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
-SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3652

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415

-

Version 7.00.2872

FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651

-

FIPS186-4:
-ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
-SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3651

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414

-

Version 8.00.6246

FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val# 3649 , SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649

-

FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
-PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val# 3649
-DRBG: Val# 1430

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412

-

Version 7.00.2872

FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648

-

FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
-PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3648
-DRBG: Val# 1429

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411

-

Version 8.00.6246

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
-Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))

-

SHA Val# 3347

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206

-

Version 10.0.14393

FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

-

SHA Val# 3347 DRBG: Val# 1217

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195

-

Version 10.0.14393

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

-

SHA Val#3346

soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194

-

Version 10.0.14393

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

-

SHA Val# 3347 DRBG: Val# 1217

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193

-

Version 10.0.14393

FIPS186-4:
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

-

Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

-

SHA Val# 3347 DRBG: Val# 1217

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192

-

Version 10.0.14393

FIPS186-4:
-186-4KEY(gen):  FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

-

SHA Val# 3047 DRBG: Val# 955

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889

-

Version 10.0.10586

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

-

SHA Val#3048

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871

-

Version 10.0.10586

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

-

SHA Val# 3047

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888

-

Version 10.0.10586

FIPS186-4:
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

-

SHA Val# 3047

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887

-

Version 10.0.10586

FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

-

SHA Val# 2886 DRBG: Val# 868

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798

-

Version 10.0.10240

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

-

SHA Val#2871

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784

-

Version 10.0.10240

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

-

SHA Val#2871

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783

-

Version 10.0.10240

FIPS186-4:
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-Sig(Ver): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

-

SHA Val# 2886

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802

-

Version 10.0.10240

FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

-

SHA Val#2373 DRBG: Val# 489

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487

-

Version 6.3.9600

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

-

SHA Val#2373

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494

-

Version 6.3.9600

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

-

SHA Val#2373

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493

-

Version 6.3.9600

FIPS186-4:
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

-

SHA Val#2373

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519

-

Version 6.3.9600

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 ))
-SHA #1903

-

Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134.

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134
FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
-SHA #1903 DRBG: #258		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133
FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132.		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132
FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052.		Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052
FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051.		Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051
FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568.		Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568
FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#567. See Historical RSA List Val#560.

Windows Server 2008 R2 and SP1 CNG algorithms #567

-

Windows 7 and SP1 CNG algorithms #560

FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559.		Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559
FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#557.		Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557
FIPS186-2:
-ALG[ANSIX9.31]:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#395.		Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395
FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#783
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#371.		Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371
FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
-ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#358. See Historical RSA List Val#357.

Windows Server 2008 CNG algorithms #358

-

Windows Vista SP1 CNG algorithms #357

FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#355. See Historical RSA List Val#354.

Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355

-

Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354

FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353.		Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353
FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258.		Windows Vista RSA key generation implementation #258
FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
-ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#257.		Windows Vista CNG algorithms #257
FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#255.		Windows Vista Enhanced Cryptographic Provider (RSAENH) #255
FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#245.		Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245
FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#230.		Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230
FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#222.		Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222
FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]:
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#364
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#81.		Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81
FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#52.		Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52

FIPS186-2:

-

– PKCS#1 v1.5, signature generation and verification

-

– Mod sizes: 1024, 1536, 2048, 3072, 4096

-

– SHS: SHA–1/256/384/512

Windows XP, vendor-affirmed

-

Windows 2000, vendor-affirmed

- - -#### Secure Hash Standard (SHS) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    -
  • SHA-1:
    • -
    • -
    • Supports Empty Message
      • -
    • -
  • SHA-256:
    • -
    • -
    • Supports Empty Message
      • -
    • -
  • SHA-384:
    • -
    • -
    • Supports Empty Message
      • -
    • -
  • SHA-512:
    • -
    • -
    • Supports Empty Message
      • -
    • -

Microsoft Surface Hub SymCrypt Cryptographic Implementations #4011

-

Version 10.0.15063.674

    -
  • SHA-1:
    • -
    • -
    • Supports Empty Message
      • -
    • -
  • SHA-256:
    • -
    • -
    • Supports Empty Message
      • -
    • -
  • SHA-384:
    • -
    • -
    • Supports Empty Message
      • -
    • -
  • SHA-512:
    • -
    • -
    • Supports Empty Message
      • -
    • -

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4010

-

Version 10.0.15254

    -
  • SHA-1:
    • -
    • -
    • Supports Empty Message
      • -
    • -
  • SHA-256:
    • -
    • -
    • Supports Empty Message
      • -
    • -
  • SHA-384:
    • -
    • -
    • Supports Empty Message
      • -
    • -
  • SHA-512:
    • -
    • -
    • Supports Empty Message
      • -
    • -

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4009

-

Version 10.0.16299

SHA-1      (BYTE-only)
-SHA-256  (BYTE-only)
-SHA-384  (BYTE-only)
-SHA-512  (BYTE-only)

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3790

-

Version 10.0.15063

SHA-1      (BYTE-only)
-SHA-256  (BYTE-only)
-SHA-384  (BYTE-only)
-SHA-512  (BYTE-only)

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3652

-

Version 7.00.2872

SHA-1      (BYTE-only)
-SHA-256  (BYTE-only)
-SHA-384  (BYTE-only)
-SHA-512  (BYTE-only)

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3651

-

Version 8.00.6246

SHA-1      (BYTE-only)
-SHA-256  (BYTE-only)
-SHA-384  (BYTE-only)
-SHA-512  (BYTE-only)

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3649

-

Version 7.00.2872

SHA-1      (BYTE-only)
-SHA-256  (BYTE-only)
-SHA-384  (BYTE-only)
-SHA-512  (BYTE-only)

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3648

-

Version 8.00.6246

SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)		Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #3347
-Version 10.0.14393
SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)		Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #3346
-Version 10.0.14393
SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)		Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #3048
-Version 10.0.10586
SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)		Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #3047
-Version 10.0.10586
SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)		Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886
-Version 10.0.10240
SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)		Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871
-Version 10.0.10240
SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)		Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396
-Version 6.3.9600
SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)		Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
-Version 6.3.9600

SHA-1 (BYTE-only)

-

SHA-256 (BYTE-only)

-

SHA-384 (BYTE-only)

-

SHA-512 (BYTE-only)

-

Implementation does not support zero-length (null) messages.

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903

-

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902

SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)

Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1774

-

Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1773

SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)

Windows 7and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081

-

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816

SHA-1 (BYTE-only)

Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #785

-

Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #784

SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)		Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #783
SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)

Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753

-

Windows Vista Symmetric Algorithm Implementation #618

SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)

Windows Vista BitLocker Drive Encryption #737

-

Windows Vista Beta 2 BitLocker Drive Encryption #495

SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #613

-

Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #364

SHA-1 (BYTE-only)

Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #611

-

Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #610

-

Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #385

-

Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #371

-

Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #181

-

Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #177

-

Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #176

SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)

Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #589

-

Windows CE and Windows Mobile 6 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #578

-

Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #305

SHA-1 (BYTE-only)

Windows XP Microsoft Enhanced Cryptographic Provider #83

-

Crypto Driver for Windows 2000 (fips.sys) #35

-

Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #32

-

Windows 2000 RSAENH.DLL #24

-

Windows 2000 RSABASE.DLL #23

-

Windows NT 4 SP6 RSAENH.DLL #21

-

Windows NT 4 SP6 RSABASE.DLL #20

- - -#### Triple DES - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    -
  • TDES-CBC:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -
  • TDES-CFB64:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -
  • TDES-CFB8:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -
  • TDES-ECB:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -

Microsoft Surface Hub SymCrypt Cryptographic Implementations #2558

-

Version 10.0.15063.674

    -
  • TDES-CBC:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -
  • TDES-CFB64:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -
  • TDES-CFB8:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -
  • TDES-ECB:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2557

-

Version 10.0.15254

    -
  • TDES-CBC:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -
  • TDES-CFB64:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -
  • TDES-CFB8:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -
  • TDES-ECB:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2556

-

Version 10.0.16299

TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459

-

Version 10.0.15063

TECB( KO 1 e/d, ) ;

-

TCBC( KO 1 e/d, )

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384

-

Version 8.00.6246

TECB( KO 1 e/d, ) ;

-

TCBC( KO 1 e/d, )

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383

-

Version 8.00.6246

TECB( KO 1 e/d, ) ;

-

TCBC( KO 1 e/d, ) ;

-

CTR ( int only )

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382

-

Version 7.00.2872

TECB( KO 1 e/d, ) ;

-

TCBC( KO 1 e/d, )

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381

-

Version 8.00.6246

TECB( KO 1 e/d, ) ;

-

TCBC( KO 1 e/d, ) ;

-

TCFB8( KO 1 e/d, ) ;

-

TCFB64( KO 1 e/d, )

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227
-
-

-

Version 10.0.14393

TECB( KO 1 e/d, ) ;

-

TCBC( KO 1 e/d, ) ;

-

TCFB8( KO 1 e/d, ) ;

-

TCFB64( KO 1 e/d, )

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024
-
-

-

Version 10.0.10586

TECB( KO 1 e/d, ) ;

-

TCBC( KO 1 e/d, ) ;

-

TCFB8( KO 1 e/d, ) ;

-

TCFB64( KO 1 e/d, )

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969
-
-

-

Version 10.0.10240

TECB( KO 1 e/d, ) ;

-

TCBC( KO 1 e/d, ) ;

-

TCFB8( KO 1 e/d, ) ;

-

TCFB64( KO 1 e/d, )

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692

-

Version 6.3.9600

TECB( e/d; KO 1,2 ) ;

-

TCBC( e/d; KO 1,2 ) ;

-

TCFB8( e/d; KO 1,2 ) ;

-

TCFB64( e/d; KO 1,2 )

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387

TECB( e/d; KO 1,2 ) ;

-

TCBC( e/d; KO 1,2 ) ;

-

TCFB8( e/d; KO 1,2 )

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386

TECB( e/d; KO 1,2 ) ;

-

TCBC( e/d; KO 1,2 ) ;

-

TCFB8( e/d; KO 1,2 )

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846

TECB( e/d; KO 1,2 ) ;

-

TCBC( e/d; KO 1,2 ) ;

-

TCFB8( e/d; KO 1,2 )

Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656

TECB( e/d; KO 1,2 ) ;

-

TCBC( e/d; KO 1,2 ) ;

-

TCFB8( e/d; KO 1,2 )

Windows Vista Symmetric Algorithm Implementation #549
Triple DES MAC

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed

-

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed

TECB( e/d; KO 1,2 ) ;

-

TCBC( e/d; KO 1,2 )

Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308

-

Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307

-

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691

-

Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #677

-

Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #676

-

Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #675

-

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #544

-

Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #543

-

Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #542

-

Windows CE 6.0 and Window CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #526

-

Windows CE and Windows Mobile 6 and Windows Mobile 6.1 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #517

-

Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #381

-

Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #370

-

Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #365

-

Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #315

-

Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #201

-

Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #199

-

Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #192

-

Windows XP Microsoft Enhanced Cryptographic Provider #81

-

Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #18

-

Crypto Driver for Windows 2000 (fips.sys) #16

- - -#### SP 800-132 Password Based Key Derivation Function (PBKDF) - - - - - - - - - - - - - - -
- Modes / States / Key Sizes - - Algorithm Implementation and Certificate # -
- PBKDF (vendor affirmed) -

 Kernel Mode Cryptographic Primitives Library (cng.sys) Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2937
(Software Version: 10.0.14393)

-

Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
(Software Version: 10.0.14393)

-

Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2935
(Software Version: 10.0.14393)

-

Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2931
(Software Version: 10.0.14393)

-
- PBKDF (vendor affirmed) -

Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
(Software Version: 10.0.14393)

-

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG), vendor-affirmed

-
- - -#### Component Validation List - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Publication / Component Validated / DescriptionImplementation and Certificate #
    -
  • ECDSA SigGen:
    • -
    • -
    • P-256 SHA: SHA-256
      • -
    • P-384 SHA: SHA-384
      • -
    • P-521 SHA: SHA-512
      • -
    • -
-

Prerequisite: DRBG #489

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540

-

Version 6.3.9600

    -
  • RSASP1:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • Padding Algorithms: PKCS 1.5
      • -
    • -

Microsoft Surface Hub Virtual TPM Implementations #1519

-

Version 10.0.15063.674

    -
  • RSASP1:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • Padding Algorithms: PKCS 1.5
      • -
    • -

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1518

-

Version 10.0.16299

    -
  • RSADP:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • -

Microsoft Surface Hub MsBignum Cryptographic Implementations #1517

-

Version 10.0.15063.674

    -
  • RSASP1:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • Padding Algorithms: PKCS 1.5
      • -
    • -

Microsoft Surface Hub MsBignum Cryptographic Implementations #1516

-

Version 10.0.15063.674

    -
  • ECDSA SigGen:
    • -
    • -
    • P-256 SHA: SHA-256
      • -
    • P-384 SHA: SHA-384
      • -
    • P-521 SHA: SHA-512
      • -
    • -
-

 Prerequisite: DRBG #1732

Microsoft Surface Hub MsBignum Cryptographic Implementations #1515

-

Version 10.0.15063.674

    -
  • ECDSA SigGen:
    • -
    • -
    • P-256 SHA: SHA-256
      • -
    • P-384 SHA: SHA-384
      • -
    • P-521 SHA: SHA-512
      • -
    • -
-

Prerequisite: DRBG #1732

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1514

-

Version 10.0.15063.674

    -
  • RSADP:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • -

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1513

-

Version 10.0.15063.674

    -
  • RSASP1:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • Padding Algorithms: PKCS 1.5
      • -
    • -

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1512

-

Version 10.0.15063.674

    -
  • IKEv1:
    • -
    • -
    • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
      • -
    • Pre-shared Key Length: 64-2048
      • -
    • Diffie-Hellman shared secrets:
      • -
      • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 2048 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 256 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 384 (bits)
          • -
        • SHA Functions: SHA-384
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, HMAC #3269

-
    -
  • IKEv2:
    • -
    • -
    • Derived Keying Material length: 192-1792
      • -
    • Diffie-Hellman shared secrets:
      • -
      • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 2048 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 256 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 384 (bits)
          • -
        • SHA Functions: SHA-384
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, HMAC #3269

-
    -
  • TLS:
    • -
    • -
    • Supports TLS 1.0/1.1
      • -
    • Supports TLS 1.2:
      • -
      • -
      • SHA Functions: SHA-256, SHA-384
        • -
      • -
    • -
-

Prerequisite: SHS #4011, HMAC #3269

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1511

-

Version 10.0.15063.674

    -
  • ECDSA SigGen:
    • -
    • -
    • P-256 SHA: SHA-256
      • -
    • P-384 SHA: SHA-384
      • -
    • P-521 SHA: SHA-512
      • -
    • -
-

Prerequisite: DRBG #1731

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1510

-

Version 10.0.15254

    -
  • RSADP:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • -

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1509

-

Version 10.0.15254

    -
  • RSASP1:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • Padding Algorithms: PKCS 1.5
      • -
    • -

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1508

-

Version 10.0.15254

    -
  • IKEv1:
    • -
    • -
    • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
      • -
    • Pre-shared Key Length: 64-2048
      • -
    • Diffie-Hellman shared secrets:
      • -
      • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 2048 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 256 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 384 (bits)
          • -
        • SHA Functions: SHA-384
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4010, HMAC #3268

-
    -
  • IKEv2:
    • -
    • -
    • Derived Keying Material length: 192-1792
      • -
    • Diffie-Hellman shared secrets:
      • -
      • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 2048 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 256 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 384 (bits)
          • -
        • SHA Functions: SHA-384
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4010, HMAC #3268

-
    -
  • TLS:
    • -
    • -
    • Supports TLS 1.0/1.1
      • -
    • Supports TLS 1.2:
      • -
      • -
      • SHA Functions: SHA-256, SHA-384
        • -
      • -
    • -
-

Prerequisite: SHS #4010, HMAC #3268

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1507

-

Version 10.0.15254

    -
  • ECDSA SigGen:
    • -
    • -
    • P-256 SHA: SHA-256
      • -
    • P-384 SHA: SHA-384
      • -
    • P-521 SHA: SHA-512
      • -
    • -
-

Prerequisite: DRBG #1731

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1506

-

Version 10.0.15254

    -
  • RSADP:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • -

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1505

-

Version 10.0.15254

    -
  • RSASP1:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • Padding Algorithms: PKCS 1.5
      • -
    • -

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1504

-

Version 10.0.15254

    -
  • ECDSA SigGen:
    • -
    • -
    • P-256 SHA: SHA-256
      • -
    • P-384 SHA: SHA-384
      • -
    • P-521 SHA: SHA-512
      • -
    • -
-

Prerequisite: DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1503

-

Version 10.0.16299

    -
  • RSADP:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • -

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1502

-

Version 10.0.16299

    -
  • RSASP1:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • Padding Algorithms: PKCS 1.5
      • -
    • -

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1501

-

Version 10.0.16299

    -
  • ECDSA SigGen:
    • -
    • -
    • P-256 SHA: SHA-256
      • -
    • P-384 SHA: SHA-384
      • -
    • P-521 SHA: SHA-512
      • -
    • -
-

Prerequisite: DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1499

-

Version 10.0.16299

    -
  • RSADP:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • -

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1498

-

Version 10.0.16299

-

 

    -
  • RSASP1:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • Padding Algorithms: PKCS 1.5
      • -
    • -

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1497

-

Version 10.0.16299

    -
  • IKEv1:
    • -
    • -
    • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
      • -
    • Pre-shared Key Length: 64-2048
      • -
    • Diffie-Hellman shared secrets:
      • -
      • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 2048 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 256 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 384 (bits)
          • -
        • SHA Functions: SHA-384
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, HMAC #3267

-
    -
  • IKEv2:
    • -
    • -
    • Derived Keying Material length: 192-1792
      • -
    • Diffie-Hellman shared secrets:
      • -
      • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 2048 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 256 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 384 (bits)
          • -
        • SHA Functions: SHA-384
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, HMAC #3267

-
    -
  • TLS:
    • -
    • -
    • Supports TLS 1.0/1.1
      • -
    • Supports TLS 1.2:
      • -
      • -
      • SHA Functions: SHA-256, SHA-384
        • -
      • -
    • -
-

Prerequisite: SHS #4009, HMAC #3267

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

-

Version 10.0.16299

FIPS186-4 ECDSA

-

Signature Generation of hash sized messages

-

ECDSA SigGen Component: CURVES( P-256 P-384 P-521 )

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1284
-Version 10.0. 15063

-

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1279
-Version 10.0. 15063

-

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #922
-Version 10.0.14393

-

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894
-Version 10.0.14393icrosoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #666
-Version 10.0.10586

-

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288
-Version 6.3.9600

FIPS186-4 RSA; PKCS#1 v2.1

-

RSASP1 Signature Primitive

-

RSASP1: (Mod2048: PKCS1.5 PKCSPSS)

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1285
-Version 10.0.15063

-

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1282
-Version 10.0.15063

-

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1280
-Version 10.0.15063

-

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #893
-Version 10.0.14393

-

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #888
-Version 10.0.14393

-

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665
-Version 10.0.10586

-

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #572
-Version  10.0.10240

-

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry MsBignum Cryptographic Implementations #289
-Version 6.3.9600

FIPS186-4 RSA; RSADP

-

RSADP Primitive

-

RSADP: (Mod2048)

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1283
-Version 10.0.15063

-

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1281
-Version 10.0.15063

-

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #895
-Version 10.0.14393

-

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #887
-Version 10.0.14393

-

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #663
-Version 10.0.10586

-

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #576
-Version  10.0.10240

SP800-135

-

Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

-

Version 10.0.16299

-

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1278
-Version 10.0.15063

-

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1140
-Version 7.00.2872

-

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1139
-Version 8.00.6246

-

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BcryptPrimitives and NCryptSSLp #886
-Version 10.0.14393

-

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BCryptPrimitives and NCryptSSLp #664
-Version 10.0.10586

-

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BCryptPrimitives and NCryptSSLp #575
-Version  10.0.10240

-

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp #323
-Version 6.3.9600

- - -## References - -\[[FIPS 140](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)\] - FIPS 140-2, Security Requirements for Cryptographic Modules - -\[[FIPS FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf)\] - Cryptographic Module Validation Program (CMVP) FAQ - -\[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\] - Recommendation for Key Management – Part 1: General (Revised) - -\[[SP 800-131A](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)\] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths - -## Additional Microsoft References - -Enabling FIPS mode - - -Cipher Suites in Schannel - [http://msdn.microsoft.com/library/aa374757(VS.85).aspx](https://msdn.microsoft.com/library/aa374757\(vs.85\).aspx) - + +Please be aware that selection of FIPS mode can limit product functionality (See ). + +## Information for Software Developers + +This section is targeted at developers who wish to build their own applications using the FIPS 140 validated cryptographic modules. + +Each of the validated cryptographic modules defines a series of rules that must be followed. The security rules for each validated cryptographic module are specified in the Security Policy document. Links to each of the Security Policy documents is provided in the [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) section below. Generally, the restriction in Microsoft validated cryptographic modules is limiting the use of cryptography to only FIPS Approved cryptographic algorithms, modes, and key sizes. + +### Using Microsoft Cryptographic Modules in a FIPS mode of operation + +No matter whether developing with native languages or using .NET, it is important to first check whether the CNG modules for the target system are FIPS validated. The list of validated CNG binaries is identified in the [CNG Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_cng_validated_cryptographic) section. + +When developing using CNG directly, it is the responsibility of the developer to follow the security rules outlined in the FIPS 140 Security Policy for each module. The security policy for each module is provided on the CMVP website. Links to each of the Security Policy documents is provided in the tables below. It is important to remember that setting the FIPS local/group security policy Flag (discussed above) does not affect the behavior of the modules when used for developing custom applications. + +If you are developing your application using .NET instead of using the native libraries, then setting the FIPS local policy flag will generate an exception when an improper .NET class is used for cryptography (i.e. the cryptographic classes whose names end in "Managed"). The names of these allowed classes end with "Cng", which use the CNG binaries or "CryptoServiceProvider", which use the legacy CAPI binaries. + +### Key Strengths and Validity Periods + +NIST Special Publication 800-131A Revision 1, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, dated November 2015, \[[SP 800-131A](http://dx.doi.org/10.6028/nist.sp.800-131ar1)\], offers guidance for moving to stronger cryptographic keys and algorithms. This does not replace NIST SP 800-57, Recommendation for Key Management Part 1: General, \[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\], but gives more specific guidance. One of the most important topics discussed in these publications deals with the key strengths of FIPS Approved algorithms and their validity periods. When developing applications that use FIPS Approved algorithms, it is also extremely important to select appropriate key sizes based on the security lifetimes recommended by NIST. + +## FIPS 140 FAQ + +The following are answers to commonly asked questions for the FIPS 140-2 validation of Microsoft products. + +1. How does FIPS 140 relate to the Common Criteria? + **Answer:** These are two separate security standards with different, but complementary, purposes. FIPS 140 is a standard designed specifically for validating product modules that implement cryptography. On the other hand, Common Criteria is designed to help evaluate security functions in IT products. + In many cases, Common Criteria evaluations will rely on FIPS 140 validations to provide assurance that cryptographic functionality is implemented properly. +2. How does FIPS 140 relate to Suite B? + **Answer:** Suite B is simply a set of cryptographic algorithms defined by the U.S. National Security Agency (NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to be used for both unclassified information and most classified information. + The Suite B cryptographic algorithms are a subset of the FIPS Approved cryptographic algorithms as allowed by the FIPS 140 standard. +3. There are so many modules listed on the NIST website for each release, how are they related and how do I tell which one applies to me? + **Answer:** Microsoft strives to validate all releases of its cryptographic modules. Each module provides a different set of cryptographic algorithms. If you are required to use only FIPS validated cryptographic modules, you simply need to verify that the version being used appears on the validation list. + Please see the [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140)section for a complete list of Microsoft validated modules. +4. My application links against crypt32.dll, cryptsp.dll, advapi32.dll, bcrypt.dll, bcryptprimitives.dll, or ncrypt.dll. What do I need to do to assure I’m using FIPS 140 validated cryptographic modules? + **Answer:** crypt32.dll, cryptsp.dll, advapi32.dll, and ncrypt.dll are intermediary libraries that will offload all cryptographic operations to the FIPS validated cryptographic modules. Bcrypt.dll itself is a validated cryptographic module for Windows Vista and Windows Server 2008. For Windows 7 and Windows Server 2008 R2 and later, bcryptprimitives.dll is the validated module, but bcrypt.dll remains as one of the libraries to link against. + You must first verify that the underlying CNG cryptographic module is validated. Once verified, you'll need to confirm that you're using the module correctly in FIPS mode (See [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) section for details). +5. What does "When operated in FIPS mode" mean on certificates? + **Answer:** This caveat identifies that a required configuration and security rules must be followed in order to use the cryptographic module in a manner consistent with its FIPS 140 Security Policy. The security rules are defined in the Security Policy for the module and usually revolve around using only FIPS Approved cryptographic algorithms and key sizes. Please see the Security Policy for the specific security rules for each cryptographic module (See [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) section for links to each policy). +6. Which FIPS validated module is called when Windows 7 or Windows 8 is configured to use the FIPS setting in the wireless configuration? + **Answer:** CNG is used. This setting tells the wireless driver to call FIPS 140-2 validated cryptographic modules instead of using the driver’s own cryptography, if any. +7. Is BitLocker to Go FIPS 140-2 validated? + **Answer:** There are two separate parts for BitLocker to Go. One part is simply a native feature of BitLocker and as such, it uses FIPS 140-2 validated cryptographic modules. The other part is the BitLocker to Go Reader application for down-level support of older operating systems such as Windows XP and Windows Vista. The Reader application does not use FIPS 140-2 validated cryptographic modules. +8. Are applications FIPS 140-2 validated? + **Answer:** Microsoft only has low-level cryptographic modules in Windows FIPS 140-2 validated, not high-level applications. A better question is whether a certain application calls a FIPS 140-2 validated cryptographic module in the underlying Windows OS. That question needs to be directed to the company/product group that created the application of interest. +9. How can Systems Center Operations Manager 2012 be configured to use FIPS 140-2 validated cryptographic modules? + **Answer:** See [https://technet.microsoft.com/library/hh914094.aspx](https://technet.microsoft.com/library/hh914094.aspx) + +## Microsoft FIPS 140 Validated Cryptographic Modules + +### Modules By Operating System + +The following tables identify the Cryptographic Modules for an operating system. + +#### Windows + +##### Windows 10 Creators Update (Version 1703) + +Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.15063#3095

FIPS Approved algorithms: AES (Cert. #4624); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2522); SHS (Cert. #3790); Triple-DES (Cert. #2459)
+
+Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

+

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #1278)

Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.15063#3094

#3094

+

FIPS Approved algorithms: AES (Certs. #4624 and #4626); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2523); SHS (Cert. #3790); Triple-DES (Cert. #2459)
+
+Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

+

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert.#1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert.#2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert.#1281)

Boot Manager10.0.15063#3089

FIPS Approved algorithms: AES (Certs. #4624 and #4625); CKG (vendor affirmed); HMAC (Cert. #3061); PBKDF (vendor affirmed); RSA (Cert. #2523); SHS (Cert. #3790)

+

Other algorithms: PBKDF (vendor affirmed); VMK KDF (vendor affirmed)

Windows OS Loader10.0.15063#3090

FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)

+

Other algorithms: NDRNG

Windows Resume[1]10.0.15063#3091FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)
BitLocker® Dump Filter[2]10.0.15063#3092FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2522); SHS (Cert. #3790)
Code Integrity (ci.dll)10.0.15063#3093

FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

+

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

Secure Kernel Code Integrity (skci.dll)[3]10.0.15063#3096

FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

+

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

+ + +\[1\] Applies only to Home, Pro, Enterprise, Education and S + +\[2\] Applies only to Pro, Enterprise, Education, S, Mobile and Surface Hub + +\[3\] Applies only to Pro, Enterprise Education and S + +##### Windows 10 Anniversary Update (Version 1607) + +Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.14393#2937

FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+
+Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

+

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886)

Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.14393#2936

FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+
+Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

+

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887)

Boot Manager10.0.14393#2931

FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

+

Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

BitLocker® Windows OS Loader (winload)10.0.14393#2932FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: NDRNG; MD5
BitLocker® Windows Resume (winresume)[1]10.0.14393#2933FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)[2]10.0.14393#2934FIPS Approved algorithms: AES (Certs. #4061 and #4064)
Code Integrity (ci.dll)10.0.14393#2935

FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: AES (non-compliant); MD5

+

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

Secure Kernel Code Integrity (skci.dll)[3]10.0.14393#2938

FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
+
+Other algorithms: MD5

+

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

+ + +\[1\] Applies only to Home, Pro, Enterprise and Enterprise LTSB + +\[2\] Applies only to Pro, Enterprise, Enterprise LTSB and Mobile + +\[3\] Applies only to Pro, Enterprise and Enterprise LTSB + +##### Windows 10 November 2015 Update (Version 1511) + +Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.10586#2606

FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
+
+Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

+

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664)

Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.10586#2605

FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs.  #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
+
+Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

+

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663)

Boot Manager[4]10.0.10586#2700FIPS Approved algorithms: AES (Certs. #3653); HMAC (Cert. #2381); PBKDF (vendor affirmed); RSA (Cert. #1871); SHS (Certs. #3047 and #3048)
+
+Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
BitLocker® Windows OS Loader (winload)[5]10.0.10586#2701FIPS Approved algorithms: AES (Certs. #3629 and #3653); RSA (Cert. #1871); SHS (Cert. #3048)
+
+Other algorithms: MD5; NDRNG
BitLocker® Windows Resume (winresume)[6]10.0.10586#2702FIPS Approved algorithms: AES (Certs. #3653); RSA (Cert. #1871); SHS (Cert. #3048)
+
+Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)[7]10.0.10586#2703FIPS Approved algorithms: AES (Certs. #3653)
Code Integrity (ci.dll)10.0.10586#2604

FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
+
+Other algorithms: AES (non-compliant); MD5

+

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

Secure Kernel Code Integrity (skci.dll)[8]10.0.10586#2607

FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
+
+Other algorithms: MD5

+

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

+ + +\[4\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub + +\[5\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub + +\[6\] Applies only to Home, Pro and Enterprise + +\[7\] Applies only to Pro, Enterprise, Mobile and Surface Hub + +\[8\] Applies only to Enterprise and Enterprise LTSB + +##### Windows 10 (Version 1507) + +Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Hub + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.10240#2606

FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
+
+Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

+

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575)

Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.10240#2605

FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
+
+Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

+

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576)

Boot Manager[9]10.0.10240#2600FIPS Approved algorithms: AES (Cert. #3497); HMAC (Cert. #2233); KTS (AES Cert. #3498); PBKDF (vendor affirmed); RSA (Cert. #1784); SHS (Certs. #2871 and #2886)
+
+Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
BitLocker® Windows OS Loader (winload)[10]10.0.10240#2601FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
+
+Other algorithms: MD5; NDRNG
BitLocker® Windows Resume (winresume)[11]10.0.10240#2602FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
+
+Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)[12]10.0.10240#2603FIPS Approved algorithms: AES (Certs. #3497 and #3498)
Code Integrity (ci.dll)10.0.10240#2604

FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
+
+Other algorithms: AES (non-compliant); MD5

+

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

Secure Kernel Code Integrity (skci.dll)[13]10.0.10240#2607

FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
+
+Other algorithms: MD5

+

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

+ + +\[9\] Applies only to Home, Pro, Enterprise and Enterprise LTSB + +\[10\] Applies only to Home, Pro, Enterprise and Enterprise LTSB + +\[11\] Applies only to Home, Pro, Enterprise and Enterprise LTSB + +\[12\] Applies only to Pro, Enterprise and Enterprise LTSB + +\[13\] Applies only to Enterprise and Enterprise LTSB + +##### Windows 8.1 + +Validated Editions: RT, Pro, Enterprise, Phone, Embedded + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)6.3.9600 6.3.9600.17031#2357

FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
+
+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

+

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323)

Kernel Mode Cryptographic Primitives Library (cng.sys)6.3.9600 6.3.9600.17042#2356

FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
+
+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

+

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

Boot Manager6.3.9600 6.3.9600.17031#2351FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+
+Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
BitLocker® Windows OS Loader (winload)6.3.9600 6.3.9600.17031#2352FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
+
+Other algorithms: MD5; NDRNG
BitLocker® Windows Resume (winresume)[14]6.3.9600 6.3.9600.17031#2353FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+
+Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)6.3.9600 6.3.9600.17031#2354FIPS Approved algorithms: AES (Cert. #2832)
+
+Other algorithms: N/A
Code Integrity (ci.dll)6.3.9600 6.3.9600.17031#2355#2355

FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
+
+Other algorithms: MD5

+

Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

+ + +\[14\] Applies only to Pro, Enterprise, and Embedded 8. + +##### Windows 8 + +Validated Editions: RT, Home, Pro, Enterprise, Phone + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)6.2.9200#1892FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert. ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
+
+
Kernel Mode Cryptographic Primitives Library (cng.sys)6.2.9200#1891FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RNG (Cert. ); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
+
+Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
Boot Manager6.2.9200#1895FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5
BitLocker® Windows OS Loader (WINLOAD)6.2.9200#1896FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG
BitLocker® Windows Resume (WINRESUME)[15]6.2.9200#1898FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5
BitLocker® Dump Filter (DUMPFVE.SYS)6.2.9200#1899FIPS Approved algorithms: AES (Certs. #2196 and #2198)
+
+Other algorithms: N/A
Code Integrity (CI.DLL)6.2.9200#1897FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.2.9200#1893FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert. ); Triple-DES MAC (Triple-DES Cert. , vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. , key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Enhanced Cryptographic Provider (RSAENH.DLL)6.2.9200#1894FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
+
+Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
+ + +\[15\] Applies only to Home and Pro + +**Windows 7** + +Validated Editions: Windows 7, Windows 7 SP1 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)

6.1.7600.16385

+

6.1.7601.17514

1329FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); DSA (Cert. #386); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
+
+Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and ); SHS (Cert. ); Triple-DES (Cert. )
+
+Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
Kernel Mode Cryptographic Primitives Library (cng.sys)

6.1.7600.16385

+

6.1.7600.16915

+

6.1.7600.21092

+

6.1.7601.17514

+

6.1.7601.17725

+

6.1.7601.17919

+

6.1.7601.21861

+

6.1.7601.22076

1328FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
+
+Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
Boot Manager

6.1.7600.16385

+

6.1.7601.17514

1319FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #557); SHS (Cert. #1081)
+
+Other algorithms: MD5#1168 and ); HMAC (Cert. ); RSA (Cert. ); SHS (Cert. )
+
+Other algorithms: MD5
Winload OS Loader (winload.exe)

6.1.7600.16385

+

6.1.7600.16757

+

6.1.7600.20897

+

6.1.7600.20916

+

6.1.7601.17514

+

6.1.7601.17556

+

6.1.7601.21655

+

6.1.7601.21675

1326FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #557); SHS (Cert. #1081)
+
+Other algorithms: MD5
BitLocker™ Drive Encryption

6.1.7600.16385

+

6.1.7600.16429

+

6.1.7600.16757

+

6.1.7600.20536

+

6.1.7600.20873

+

6.1.7600.20897

+

6.1.7600.20916

+

6.1.7601.17514

+

6.1.7601.17556

+

6.1.7601.21634

+

6.1.7601.21655

+

6.1.7601.21675

1332FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
+
+Other algorithms: Elephant Diffuser
Code Integrity (CI.DLL)

6.1.7600.16385

+

6.1.7600.17122

+

6.1.7600.21320

+

6.1.7601.17514

+

6.1.7601.17950

+

6.1.7601.22108

1327FIPS Approved algorithms: RSA (Cert. #557); SHS (Cert. #1081)
+
+Other algorithms: MD5
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.1.7600.16385
+(no change in SP1)		1331FIPS Approved algorithms: DSA (Cert. #385); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4
Enhanced Cryptographic Provider (RSAENH.DLL)6.1.7600.16385
+(no change in SP1)		1330FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #673); SHS (Cert. #1081); RSA (Certs. #557 and #559); Triple-DES (Cert. #846)
+
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256-bits of encryption strength; non-compliant less than 112 bits of encryption strength)
+ + +##### Windows Vista SP1 + +Validated Editions: Ultimate Edition + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Boot Manager (bootmgr)6.0.6001.18000 and 6.0.6002.18005978FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #354); SHS (Cert. #753)
Winload OS Loader (winload.exe)6.0.6001.18000, 6.0.6001.18027, 6.0.6001.18606, 6.0.6001.22125, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411 and 6.0.6002.22596979FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #354); SHS (Cert. #753)
+
+Other algorithms: MD5
Code Integrity (ci.dll)6.0.6001.18000, 6.0.6001.18023, 6.0.6001.22120, and 6.0.6002.18005980FIPS Approved algorithms: RSA (Cert. #354); SHS (Cert. #753)
+
+Other algorithms: MD5
Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228691000

FIPS Approved algorithms: AES (Certs. #739 and #756); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)#739 and ); ECDSA (Cert. ); HMAC (Cert. ); RNG (Cert.  and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )

+

Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

Cryptographic Primitives Library (bcrypt.dll)6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228721001

FIPS Approved algorithms: AES (Certs. #739 and #756); DSA (Cert. #283); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90, vendor affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)

+

Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)

Enhanced Cryptographic Provider (RSAENH)6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.180051002

FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #407); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #354); SHS (Cert. #753); Triple-DES (Cert. #656)

+

Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051003

FIPS Approved algorithms: DSA (Cert. #281); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)

+

Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4

+ + +##### Windows Vista + +Validated Editions: Ultimate Edition + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Enhanced Cryptographic Provider (RSAENH)6.0.6000.16386893FIPS Approved algorithms: AES (Cert. #553); HMAC (Cert. #297); RNG (Cert. #321); RSA (Certs. #255 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
+
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6000.16386894FIPS Approved algorithms: DSA (Cert. #226); RNG (Cert. #321); SHS (Cert. #618); Triple-DES (Cert. #549); Triple-DES MAC (Triple-DES Cert. #549, vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
BitLocker™ Drive Encryption6.0.6000.16386947FIPS Approved algorithms: AES (Cert. #715); HMAC (Cert. #386); SHS (Cert. #737)
+
+Other algorithms: Elephant Diffuser
Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067891FIPS Approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
+
+Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5
+ + +##### Windows XP SP3 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)5.1.2600.5512997

FIPS Approved algorithms: HMAC (Cert. #429); RNG (Cert. #449); SHS (Cert. #785); Triple-DES (Cert. #677); Triple-DES MAC (Triple-DES Cert. #677, vendor affirmed)

+

Other algorithms: DES; MD5; HMAC MD5

Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.1.2600.5507990

FIPS Approved algorithms: DSA (Cert. #292); RNG (Cert. #448); SHS (Cert. #784); Triple-DES (Cert. #676); Triple-DES MAC (Triple-DES Cert. #676, vendor affirmed)

+

Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4

Enhanced Cryptographic Provider (RSAENH)5.1.2600.5507989

FIPS Approved algorithms: AES (Cert. #781); HMAC (Cert. #428); RNG (Cert. #447); RSA (Cert. #371); SHS (Cert. #783); Triple-DES (Cert. #675); Triple-DES MAC (Triple-DES Cert. #675, vendor affirmed)

+

Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits)

+ + +##### Windows XP SP2 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
DSS/Diffie-Hellman Enhanced Cryptographic Provider5.1.2600.2133240

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #29)

+

Other algorithms: DES (Cert. #66); RC2; RC4; MD5; DES40; Diffie-Hellman (key agreement)

Microsoft Enhanced Cryptographic Provider5.1.2600.2161238

FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

+

Other algorithms: DES (Cert. #156); RC2; RC4; MD5

+ + +##### Windows XP SP1 + + ++++++ + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Microsoft Enhanced Cryptographic Provider5.1.2600.1029238

FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

+

Other algorithms: DES (Cert. #156); RC2; RC4; MD5

+ + +##### Windows XP + + ++++++ + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module5.1.2600.0241

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #35); HMAC-SHA-1 (Cert. #35, vendor affirmed)

+

Other algorithms: DES (Cert. #89)

+ + +##### Windows 2000 SP3 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)5.0.2195.1569106

FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

+

Other algorithms: DES (Certs. #89)

Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

(Base DSS: 5.0.2195.3665 [SP3])

+

(Base: 5.0.2195.3839 [SP3])

+

(DSS/DH Enh: 5.0.2195.3665 [SP3])

+

(Enh: 5.0.2195.3839 [SP3]

103

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

+

Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

+ + +##### Windows 2000 SP2 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)5.0.2195.1569106

FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

+

Other algorithms: DES (Certs. #89)

Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

(Base DSS:

+

5.0.2195.2228 [SP2])

+

(Base:

+

5.0.2195.2228 [SP2])

+

(DSS/DH Enh:

+

5.0.2195.2228 [SP2])

+

(Enh:

+

5.0.2195.2228 [SP2])

103

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

+

Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

+ + +##### Windows 2000 SP1 + + ++++++ + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

(Base DSS: 5.0.2150.1391 [SP1])

+

(Base: 5.0.2150.1391 [SP1])

+

(DSS/DH Enh: 5.0.2150.1391 [SP1])

+

(Enh: 5.0.2150.1391 [SP1])

103

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

+

Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

+ + +##### Windows 2000 + + ++++++ + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enchanced Cryptographic Provider, and Enhanced Cryptographic Provider5.0.2150.176

FIPS Approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. #28 and 29); RSA (vendor affirmed)

+

Other algorithms: DES (Certs. #65, 66, 67 and 68); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

+ + +##### Windows 95 and Windows 98 + + ++++++ + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enchanced Cryptographic Provider, and Enhanced Cryptographic Provider5.0.1877.6 and 5.0.1877.775

FIPS Approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor- affirmed)

+

Other algorithms: DES (Certs. #61, 62, 63 and 64); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

+ + +##### Windows NT 4.0 + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Base Cryptographic Provider5.0.1877.6 and 5.0.1877.768FIPS Approved algorithms: SHA-1 (Certs. #20 and 21); DSA/SHA- 1 (Certs. #25 and 26); RSA (vendor affirmed)
+
+Other algorithms: DES (Certs. #61, 62, 63 and 64); Triple-DES (allowed for US and Canadian Government use); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)
+ + +#### Windows Server + +##### Windows Server 2016 + +Validated Editions: Standard, Datacenter, Storage Server + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.143932937FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+
+Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.143932936FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+
+Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
Boot Manager10.0.143932931

FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

+

Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

BitLocker® Windows OS Loader (winload)10.0.143932932FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: NDRNG; MD5
BitLocker® Windows Resume (winresume)10.0.143932933FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)10.0.143932934FIPS Approved algorithms: AES (Certs. #4061 and #4064)
Code Integrity (ci.dll)10.0.143932935FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: AES (non-compliant); MD5
Secure Kernel Code Integrity (skci.dll)10.0.143932938FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
+
+Other algorithms: MD5
+ + +##### Windows Server 2012 R2 + +Validated Editions: Server, Storage Server, + +**StorSimple 8000 Series, Azure StorSimple Virtual Array Windows Server 2012 R2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)6.3.9600 6.3.9600.170312357FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
+
+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
Kernel Mode Cryptographic Primitives Library (cng.sys)6.3.9600 6.3.9600.170422356FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
+
+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
Boot Manager6.3.9600 6.3.9600.170312351FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+
+Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
BitLocker® Windows OS Loader (winload)6.3.9600 6.3.9600.170312352FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
+
+Other algorithms: MD5; NDRNG
BitLocker® Windows Resume (winresume)[16]6.3.9600 6.3.9600.170312353FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+
+Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)[17]6.3.9600 6.3.9600.170312354FIPS Approved algorithms: AES (Cert. #2832)
+
+Other algorithms: N/A
Code Integrity (ci.dll)6.3.9600 6.3.9600.170312355FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
+
+Other algorithms: MD5
+ + +\[16\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** + +\[17\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** + +**Windows Server 2012** + +Validated Editions: Server, Storage Server + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)6.2.92001892FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert. ); HMAC (Cert. #); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
+
+Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
Kernel Mode Cryptographic Primitives Library (cng.sys)6.2.92001891FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
+
+Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
Boot Manager6.2.92001895FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5
BitLocker® Windows OS Loader (WINLOAD)6.2.92001896FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG
BitLocker® Windows Resume (WINRESUME)6.2.92001898FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5
BitLocker® Dump Filter (DUMPFVE.SYS)6.2.92001899FIPS Approved algorithms: AES (Certs. #2196 and #2198)
+
+Other algorithms: N/A
Code Integrity (CI.DLL)6.2.92001897FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.2.92001893FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Enhanced Cryptographic Provider (RSAENH.DLL)6.2.92001894FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
+
+Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
+ + +##### Windows Server 2008 R2 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Boot Manager (bootmgr)6.1.7600.16385 or 6.1.7601.175146.1.7600.16385 or 6.1.7601.175141321FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #568); SHS (Cert. #1081)
+
+Other algorithms: MD5
Winload OS Loader (winload.exe)6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216756.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216751333FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
+
+Other algorithms: MD5
Code Integrity (ci.dll)6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221086.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221081334FIPS Approved algorithms: RSA (Cert. #568); SHS (Cert. #1081)
+
+Other algorithms: MD5
Kernel Mode Cryptographic Primitives Library (cng.sys)6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220766.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220761335FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
+
+-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
Cryptographic Primitives Library (bcryptprimitives.dll)66.1.7600.16385 or 6.1.7601.1751466.1.7600.16385 or 6.1.7601.175141336FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); DSA (Cert. #391); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
+
+Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4
Enhanced Cryptographic Provider (RSAENH)6.1.7600.163851337FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #687); SHS (Cert. #1081); RSA (Certs. #559 and #568); Triple-DES (Cert. #846)
+
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.1.7600.163851338FIPS Approved algorithms: DSA (Cert. #390); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4
BitLocker™ Drive Encryption6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216756.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216751339FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
+
+Other algorithms: Elephant Diffuser
+ + +##### Windows Server 2008 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Boot Manager (bootmgr)6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224976.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224971004FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #355); SHS (Cert. #753)
+
+Other algorithms: N/A
Winload OS Loader (winload.exe)6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225966.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225961005FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
+
+Other algorithms: MD5
Code Integrity (ci.dll)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051006FIPS Approved algorithms: RSA (Cert. #355); SHS (Cert. #753)
+
+Other algorithms: MD5
Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228691007FIPS Approved algorithms: AES (Certs. #739 and #757); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
+
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert. ); RNG (Cert.  and SP800-90 AES-CTR, vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
+
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Cryptographic Primitives Library (bcrypt.dll)6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228721008FIPS Approved algorithms: AES (Certs. #739 and #757); DSA (Cert. #284); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
+
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051009FIPS Approved algorithms: DSA (Cert. #282); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
+
+-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
Enhanced Cryptographic Provider (RSAENH)6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.180051010FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)
+
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
+ + +##### Windows Server 2003 SP2 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.3959875

FIPS Approved algorithms: DSA (Cert. #221); RNG (Cert. #314); RSA (Cert. #245); SHS (Cert. #611); Triple-DES (Cert. #543)

+

Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4

Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.3959869

FIPS Approved algorithms: HMAC (Cert. #287); RNG (Cert. #313); SHS (Cert. #610); Triple-DES (Cert. #542)

+

Other algorithms: DES; HMAC-MD5

Enhanced Cryptographic Provider (RSAENH)5.2.3790.3959868

FIPS Approved algorithms: AES (Cert. #548); HMAC (Cert. #289); RNG (Cert. #316); RSA (Cert. #245); SHS (Cert. #613); Triple-DES (Cert. #544)

+

Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

+ + +##### Windows Server 2003 SP1 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.1830 [SP1]405

FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

+

Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

+

[1] x86
+[2] SP1 x86, x64, IA64

Enhanced Cryptographic Provider (RSAENH)5.2.3790.1830 [Service Pack 1])382

FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

+

Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

+

[1] x86
+[2] SP1 x86, x64, IA64

Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.1830 [Service Pack 1]381

FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

+

Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

+

[1] x86
+[2] SP1 x86, x64, IA64

+ + +##### Windows Server 2003 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.0405

FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

+

Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

+

[1] x86
+[2] SP1 x86, x64, IA64

Enhanced Cryptographic Provider (RSAENH)5.2.3790.0382

FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

+

Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

+

[1] x86
+[2] SP1 x86, x64, IA64

Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.0381

FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

+

Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

+

[1] x86
+[2] SP1 x86, x64, IA64

+ + +#### Other Products + +##### Windows Embedded Compact 7 and Windows Embedded Compact 8 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Enhanced Cryptographic Provider7.00.2872 [1] and 8.00.6246 [2]2957

FIPS Approved algorithms: AES (Certs.#4433and#4434); CKG (vendor affirmed); DRBG (Certs.#1432and#1433); HMAC (Certs.#2946and#2945); RSA (Certs.#2414and#2415); SHS (Certs.#3651and#3652); Triple-DES (Certs.#2383and#2384)

+

Allowed algorithms: HMAC-MD5; MD5; NDRNG

Cryptographic Primitives Library (bcrypt.dll)7.00.2872 [1] and 8.00.6246 [2]2956

FIPS Approved algorithms: AES (Certs.#4430and#4431); CKG (vendor affirmed); CVL (Certs.#1139and#1140); DRBG (Certs.#1429and#1430); DSA (Certs.#1187and#1188); ECDSA (Certs.#1072and#1073); HMAC (Certs.#2942and#2943); KAS (Certs.#114and#115); RSA (Certs.#2411and#2412); SHS (Certs.#3648and#3649); Triple-DES (Certs.#2381and#2382)

+

Allowed algorithms: MD5; NDRNG; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength

+ + + +##### Windows CE 6.0 and Windows Embedded Compact 7 + + ++++++ + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Enhanced Cryptographic Provider6.00.1937 [1] and 7.00.1687 [2]825

FIPS Approved algorithms: AES (Certs. #516 [1] and #2024 [2]); HMAC (Certs. #267 [1] and #1227 [2]); RNG (Certs. #292 [1] and #1060 [2]); RSA (Cert. #230 [1] and #1052 [2]); SHS (Certs. #589 [1] and #1774 [2]); Triple-DES (Certs. #526 [1] and #1308 [2])

+

Other algorithms: MD5; HMAC-MD5; RC2; RC4; DES

+ + +##### Outlook Cryptographic Provider + + ++++++ + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Outlook Cryptographic Provider (EXCHCSP)SR-1A (3821)SR-1A (3821)110

FIPS Approved algorithms: Triple-DES (Cert. #18); SHA-1 (Certs. #32); RSA (vendor affirmed)

+

Other algorithms: DES (Certs. #91); DES MAC; RC2; MD2; MD5

+ + + +### Cryptographic Algorithms + +The following tables are organized by cryptographic algorithms with their modes, states, and key sizes. For each algorithm implementation (operating system / platform), there is a link to the Cryptographic Algorithm Validation Program (CAVP) issued certificate. + +### Advanced Encryption Standard (AES) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    +
  • AES-CBC:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CFB128:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CTR:
    • +
    • +
    • Counter Source: Internal
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-OFB:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +

Microsoft Surface Hub Virtual TPM Implementations #4904

+

Version 10.0.15063.674

    +
  • AES-CBC:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CFB128:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CTR:
    • +
    • +
    • Counter Source: Internal
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-OFB:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #4903

+

Version 10.0.16299

    +
  • AES-CBC:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CCM:
    • +
    • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
      • +
    • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
      • +
    • Plain Text Length: 0-32
      • +
    • AAD Length: 0-65536
      • +
    • +
  • AES-CFB128:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CFB8:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CMAC:
    • +
    • +
    • Generation:
      • +
      • +
      • AES-128:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-192:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-256:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • +
    • Verification:
      • +
      • +
      • AES-128:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-192:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-256:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • +
    • +
  • AES-CTR:
    • +
    • +
    • Counter Source: Internal
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-ECB:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-GCM:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
      • +
    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • +
    • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • +
    • 96 bit IV supported
      • +
    • +
  • AES-XTS:
    • +
    • +
    • Key Size: 128:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Block Sizes: Full
        • +
      • +
    • Key Size: 256:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Block Sizes: Full
        • +
      • +
    • +

Microsoft Surface Hub SymCrypt Cryptographic Implementations #4902

+

Version 10.0.15063.674

    +
  • AES-CBC:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CCM:
    • +
    • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
      • +
    • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
      • +
    • Plain Text Length: 0-32
      • +
    • AAD Length: 0-65536
      • +
    • +
  • AES-CFB128:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CFB8:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CMAC:
    • +
    • +
    • Generation:
      • +
      • +
      • AES-128:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-192:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-256:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • +
    • Verification:
      • +
      • +
      • AES-128:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-192:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-256:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • +
    • +
  • AES-CTR:
    • +
    • +
    • Counter Source: Internal
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-ECB:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-GCM:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
      • +
    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • +
    • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • +
    • 96 bit IV supported
      • +
    • +
  • AES-XTS:
    • +
    • +
    • Key Size: 128:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Block Sizes: Full
        • +
      • +
    • Key Size: 256:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Block Sizes: Full
        • +
      • +
    • +

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4901

+

Version 10.0.15254

    +
  • AES-CBC:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CCM:
    • +
    • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
      • +
    • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
      • +
    • Plain Text Length: 0-32
      • +
    • AAD Length: 0-65536
      • +
    • +
  • AES-CFB128:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CFB8:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CMAC:
    • +
    • +
    • Generation:
      • +
      • +
      • AES-128:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-192:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-256:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • +
    • Verification:
      • +
      • +
      • AES-128:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-192:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-256:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • +
    • +
  • AES-CTR:
    • +
    • +
    • Counter Source: Internal
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-ECB:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-GCM:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • IV Generation: External
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
      • +
    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • +
    • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • +
    • 96 bit IV supported
      • +
    • +
  • AES-XTS:
    • +
    • +
    • Key Size: 128:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Block Sizes: Full
        • +
      • +
    • Key Size: 256:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Block Sizes: Full
        • +
      • +
    • +

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4897

+

Version 10.0.16299

AES-KW:

+
    +
  • Modes: Decrypt, Encrypt
    • +
  • CIPHK transformation direction: Forward
    • +
  • Key Lengths: 128, 192, 256 (bits)
    • +
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • +
+

AES Val#4902

Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #4900

+

Version 10.0.15063.674

AES-KW:

+
    +
  • Modes: Decrypt, Encrypt
    • +
  • CIPHK transformation direction: Forward
    • +
  • Key Lengths: 128, 192, 256 (bits)
    • +
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • +
+

AES Val#4901

Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #4899

+

Version 10.0.15254

AES-KW:

+
    +
  • Modes: Decrypt, Encrypt
    • +
  • CIPHK transformation direction: Forward
    • +
  • Key Lengths: 128, 192, 256 (bits)
    • +
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • +
+

AES Val#4897

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898

+

Version 10.0.16299

AES-CCM:

+
    +
  • Key Lengths: 256 (bits)
    • +
  • Tag Lengths: 128 (bits)
    • +
  • IV Lengths: 96 (bits)
    • +
  • Plain Text Length: 0-32
    • +
  • AAD Length: 0-65536
    • +
+

AES Val#4902

Microsoft Surface Hub BitLocker(R) Cryptographic Implementations #4896

+

Version 10.0.15063.674

AES-CCM:

+
    +
  • Key Lengths: 256 (bits)
    • +
  • Tag Lengths: 128 (bits)
    • +
  • IV Lengths: 96 (bits)
    • +
  • Plain Text Length: 0-32
    • +
  • AAD Length: 0-65536
    • +
+

AES Val#4901

Windows 10 Mobile (version 1709) BitLocker(R) Cryptographic Implementations #4895

+

Version 10.0.15254

AES-CCM:

+
    +
  • Key Lengths: 256 (bits)
    • +
  • Tag Lengths: 128 (bits)
    • +
  • IV Lengths: 96 (bits)
    • +
  • Plain Text Length: 0-32
    • +
  • AAD Length: 0-65536
    • +
+

AES Val#4897

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894

+

Version 10.0.16299

CBC ( e/d; 128 , 192 , 256 );

+

CFB128 ( e/d; 128 , 192 , 256 );

+

OFB ( e/d; 128 , 192 , 256 );

+

CTR ( int only; 128 , 192 , 256 )

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627

+

Version 10.0.15063

KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

+

AES Val#4624

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626

+

Version 10.0.15063

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

+

AES Val#4624

+

 

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625

+

Version 10.0.15063

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CFB8 ( e/d; 128 , 192 , 256 );

+

CFB128 ( e/d; 128 , 192 , 256 );

+

CTR ( int only; 128 , 192 , 256 )

+

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

+

CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )

+

GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

+

(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

+

IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported

+

GMAC_Supported

+

XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624

+

Version 10.0.15063

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434

+

Version 7.00.2872

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433

+

Version 8.00.6246

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CTR ( int only; 128 , 192 , 256 )

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431

+

Version 7.00.2872

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CTR ( int only; 128 , 192 , 256 )

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430

+

Version 8.00.6246

CBC ( e/d; 128 , 192 , 256 );

+

CFB128 ( e/d; 128 , 192 , 256 );

+

OFB ( e/d; 128 , 192 , 256 );

+

CTR ( int only; 128 , 192 , 256 )

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074

+

Version 10.0.14393

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

+

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

+

CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

+

GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
+IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
+GMAC_Supported

+

XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064

+

Version 10.0.14393

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CFB8 ( e/d; 128 , 192 , 256 );

+

 

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
+Version 10.0.14393

KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )

+

AES Val#4064

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062

+

Version 10.0.14393

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

+

AES Val#4064

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061

+

Version 10.0.14393

KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

+

AES Val#3629

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652

+

Version 10.0.10586

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

+

AES Val#3629

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653

+

Version 10.0.10586

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CFB8 ( e/d; 128 , 192 , 256 );

+

 

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
+Version 10.0.10586

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

+

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

+

CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

+

GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
+IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
+GMAC_Supported

+

XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629
+
+

+

Version 10.0.10586

KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

+

AES Val#3497

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507

+

Version 10.0.10240

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

+

AES Val#3497

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498

+

Version 10.0.10240

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

+

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

+

CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

+

GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
+IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
+GMAC_Supported

+

XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
+Version 10.0.10240

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CFB8 ( e/d; 128 , 192 , 256 );

+

 

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
+Version 10.0.10240

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CFB8 ( e/d; 128 , 192 , 256 );

+

 

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853

+

Version 6.3.9600

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

+

AES Val#2832

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848

+

Version 6.3.9600

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

+

CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

+

GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

+

(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

+

IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 8 , 1024 ) ; 96BitIV_Supported ;
+OtherIVLen_Supported
+GMAC_Supported

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832

+

Version 6.3.9600

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+AES Val#2197

+

CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
+AES Val#2197

+

GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
+IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
+GMAC_Supported

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

+

AES Val#2196

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CFB8 ( e/d; 128 , 192 , 256 );

+

CFB128 ( e/d; 128 , 192 , 256 );

+

CTR ( int only; 128 , 192 , 256 )

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CFB8 ( e/d; 128 , 192 , 256 );

+

 

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196
CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+AES Val#1168

Windows Server 2008 R2 and SP1 CNG algorithms #1187

+

Windows 7 Ultimate and SP1 CNG algorithms #1178

CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
+AES Val#1168		Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CFB8 ( e/d; 128 , 192 , 256 );

+

 

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168

GCM

+

GMAC

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 , vendor-affirmed
CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760
CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

Windows Server 2008 CNG algorithms #757

+

Windows Vista Ultimate SP1 CNG algorithms #756

CBC ( e/d; 128 , 256 );

+

CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )

Windows Vista Ultimate BitLocker Drive Encryption #715

+

Windows Vista Ultimate BitLocker Drive Encryption #424

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CFB8 ( e/d; 128 , 192 , 256 );

Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739

+

Windows Vista Symmetric Algorithm Implementation #553

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CTR ( int only; 128 , 192 , 256 )

Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024

+

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818

+

Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781

+

Windows 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #548

+

Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #516

+

Windows CE and Windows Mobile 6, 6.1, and 6.5 Enhanced Cryptographic Provider (RSAENH) #507

+

Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #290

+

Windows CE 5.0 and 5.1 Enhanced Cryptographic Provider (RSAENH) #224

+

Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #80

+

Windows XP, SP1, and SP2 Enhanced Cryptographic Provider (RSAENH) #33

+ + +Deterministic Random Bit Generator (DRBG) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    +
  • Counter:
    • +
    • +
    • Modes: AES-256
      • +
    • Derivation Function States: Derivation Function not used
      • +
    • Prediction Resistance Modes: Not Enabled
      • +
    • +
+

Prerequisite: AES #4904

Microsoft Surface Hub Virtual TPM Implementations #1734

+

Version 10.0.15063.674

    +
  • Counter:
    • +
    • +
    • Modes: AES-256
      • +
    • Derivation Function States: Derivation Function not used
      • +
    • Prediction Resistance Modes: Not Enabled
      • +
    • +
+

Prerequisite: AES #4903

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1733

+

Version 10.0.16299

    +
  • Counter:
    • +
    • +
    • Modes: AES-256
      • +
    • Derivation Function States: Derivation Function used
      • +
    • Prediction Resistance Modes: Not Enabled
      • +
    • +
+

Prerequisite: AES #4902

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1732

+

Version 10.0.15063.674

    +
  • Counter:
    • +
    • +
    • Modes: AES-256
      • +
    • Derivation Function States: Derivation Function used
      • +
    • Prediction Resistance Modes: Not Enabled
      • +
    • +
+

Prerequisite: AES #4901

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1731

+

Version 10.0.15254

    +
  • Counter:
    • +
    • +
    • Modes: AES-256
      • +
    • Derivation Function States: Derivation Function used
      • +
    • Prediction Resistance Modes: Not Enabled
      • +
    • +
+

Prerequisite: AES #4897

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1730

+

Version 10.0.16299

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ]

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556

+

Version 10.0.15063

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ]

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555

+

Version 10.0.15063

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ]

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433

+

Version 7.00.2872

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ]

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432

+

Version 8.00.6246

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ]

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430

+

Version 7.00.2872

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ]

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429

+

Version 8.00.6246

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ]

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222

+

Version 10.0.14393

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ]

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217

+

Version 10.0.14393

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ]

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955

+

Version 10.0.10586

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ]

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868

+

Version 10.0.10240

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ]

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489

+

Version 6.3.9600

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ]Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ]Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ]Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23
DRBG (SP 800–90)Windows Vista Ultimate SP1, vendor-affirmed
+ + +#### Digital Signature Algorithm (DSA) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    +
  • DSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • PQGGen:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • PQGVer:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • SigGen:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • SigVer:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • KeyPair:
        • +
        • +
        • L = 2048, N = 256
          • +
        • L = 3072, N = 256
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1303

+

Version 10.0.15063.674

    +
  • DSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • PQGGen:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • PQGVer:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • SigGen:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • SigVer:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • KeyPair:
        • +
        • +
        •  
          • +
        •  
          • +
        • L = 2048, N = 256
          • +
        • L = 3072, N = 256
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1302

+

Version 10.0.15254

    +
  • DSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • PQGGen:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • PQGVer:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • SigGen:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • SigVer:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • KeyPair:
        • +
        • +
        • L = 2048, N = 256
          • +
        • L = 3072, N = 256
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301

+

Version 10.0.16299

FIPS186-4:

+

PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]

+

PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

+

KeyPairGen:   [ (2048,256) ; (3072,256) ]

+

SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]

+

SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

+

SHS: Val#3790

+

DRBG: Val# 1555

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223

+

Version 10.0.15063

FIPS186-4:
+PQG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
+SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
+SHS: Val# 3649

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188

+

Version 7.00.2872

FIPS186-4:
+PQG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
+SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
+SHS: Val#3648

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187

+

Version 8.00.6246

FIPS186-4:
+PQG(gen)PARMS TESTED: [
+(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+KeyPairGen:    [ (2048,256) ; (3072,256) ]
+SIG(gen)PARMS TESTED:   [ (2048,256)
+SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

+

SHS: Val# 3347
+DRBG: Val# 1217

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098

+

Version 10.0.14393

FIPS186-4:
+PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
+KeyPairGen:    [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

+

SHS: Val# 3047
+DRBG: Val# 955

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024

+

Version 10.0.10586

FIPS186-4:
+PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+KeyPairGen:    [ (2048,256) ; (3072,256) ]
+SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

+

SHS: Val# 2886
+DRBG: Val# 868

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983

+

Version 10.0.10240

FIPS186-4:
+PQG(gen)PARMS TESTED:   [
+(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED:   [ (2048,256)
+SHA( 256 ); (3072,256) SHA( 256 ) ]
+KeyPairGen:    [ (2048,256) ; (3072,256) ]
+SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

+

SHS: Val# 2373
+DRBG: Val# 489

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855

+

Version 6.3.9600

FIPS186-2:
+PQG(ver) MOD(1024);
+SIG(ver) MOD(1024);
+SHS: #1903
+DRBG: #258

+

FIPS186-4:
+PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SHS: #1903
+DRBG: #258
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687.

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687
FIPS186-2:
+PQG(ver) MOD(1024);
+SIG(ver) MOD(1024);
+SHS: #1902
+DRBG: #258
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686.		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686
FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 1773
+DRBG: Val# 193
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645.		Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645
FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 1081
+DRBG: Val# 23
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386.

Windows Server 2008 R2 and SP1 CNG algorithms #391

+

Windows 7 Ultimate and SP1 CNG algorithms #386

FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 1081
+RNG: Val# 649
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385.

Windows Server 2008 R2 and SP1 Enhanced DSS (DSSENH) #390

+

Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385

FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 753
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283.

Windows Server 2008 CNG algorithms #284

+

Windows Vista Ultimate SP1 CNG algorithms #283

FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 753
+RNG: Val# 435
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281.

Windows Server 2008 Enhanced DSS (DSSENH) #282

+

Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281

FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 618
+RNG: Val# 321
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226.

Windows Vista CNG algorithms #227

+

Windows Vista Enhanced DSS (DSSENH) #226

FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 784
+RNG: Val# 448
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292.		Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292
FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 783
+RNG: Val# 447
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291.		Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291
FIPS186-2:
+PQG(gen) MOD(1024);
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
+SIG(ver) MOD(1024);
+SHS: Val# 611
+RNG: Val# 314		Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221
FIPS186-2:
+PQG(gen) MOD(1024);
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
+SIG(ver) MOD(1024);
+SHS: Val# 385		Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146
FIPS186-2:
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
+SIG(ver) MOD(1024);
+SHS: Val# 181
+
+		Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95
FIPS186-2:
+PQG(gen) MOD(1024);
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
+SHS: SHA-1 (BYTE)
+SIG(ver) MOD(1024);
+SHS: SHA-1 (BYTE)

Windows 2000 DSSENH.DLL #29

+

Windows 2000 DSSBASE.DLL #28

+

Windows NT 4 SP6 DSSENH.DLL #26

+

Windows NT 4 SP6 DSSBASE.DLL #25

FIPS186-2: PRIME;
+FIPS186-2:

+

KEYGEN(Y):
+SHS: SHA-1 (BYTE)

+

SIG(gen):
+SIG(ver) MOD(1024);
+SHS: SHA-1 (BYTE)

Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17
+ + +#### Elliptic Curve Digital Signature Algorithm (ECDSA) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    +
  • ECDSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • Key Pair Generation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • Generation Methods: Extra Random Bits
          • +
        • +
      • Public Key Validation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • +
      • Signature Generation:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • Signature Verification:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #2373, DRBG #489

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263

+

Version 6.3.9600

    +
  • ECDSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • Key Pair Generation:
        • +
        • +
        • Curves: P-256, P-384
          • +
        • Generation Methods: Testing Candidates
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, DRBG #1734

Microsoft Surface Hub Virtual TPM Implementations #1253

+

Version 10.0.15063.674

    +
  • ECDSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • Key Pair Generation:
        • +
        • +
        • Curves: P-256, P-384
          • +
        • Generation Methods: Testing Candidates
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, DRBG #1733

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1252

+

Version 10.0.16299

    +
  • ECDSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • Key Pair Generation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • Generation Methods: Extra Random Bits
          • +
        • +
      • Public Key Validation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • +
      • Signature Generation:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • Signature Verification:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub MsBignum Cryptographic Implementations #1251

+

Version 10.0.15063.674

    +
  • ECDSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • Key Pair Generation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • Generation Methods: Extra Random Bits
          • +
        • +
      • Public Key Validation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • +
      • Signature Generation:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • Signature Verification:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1250

+

Version 10.0.15063.674

    +
  • ECDSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • Key Pair Generation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • Generation Methods: Extra Random Bits
          • +
        • +
      • Public Key Validation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • +
      • Signature Generation:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • Signature Verification:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1249

+

Version 10.0.15254

    +
  • ECDSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • Key Pair Generation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • Generation Methods: Extra Random Bits
          • +
        • +
      • Public Key Validation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • +
      • Signature Generation:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • Signature Verification:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1248

+

Version 10.0.15254

    +
  • ECDSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • Key Pair Generation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • Generation Methods: Extra Random Bits
          • +
        • +
      • Public Key Validation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • +
      • Signature Generation:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • Signature Verification:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1247

+

Version 10.0.16299

    +
  • ECDSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • Key Pair Generation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • Generation Methods: Extra Random Bits
          • +
        • +
      • Public Key Validation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • +
      • Signature Generation:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • Signature Verification:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1246

+

Version 10.0.16299

FIPS186-4:
+PKG: CURVES( P-256 P-384 TestingCandidates )
+SHS: Val#3790
+DRBG: Val# 1555

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136

+

Version 10.0.15063

FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: Val#3790
+DRBG: Val# 1555

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135

+

Version 10.0.15063

FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: Val#3790
+DRBG: Val# 1555

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133

+

Version 10.0.15063

FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
+SHS:Val# 3649
+DRBG:Val# 1430

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073

+

Version 7.00.2872

FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
+SHS:Val#3648
+DRBG:Val# 1429

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072

+

Version 8.00.6246

FIPS186-4:
+PKG: CURVES( P-256 P-384 TestingCandidates )
+PKV: CURVES( P-256 P-384 )
+SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )

+

SHS: Val# 3347
+DRBG: Val# 1222

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920

+

Version 10.0.14393

FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

+

SHS: Val# 3347
+DRBG: Val# 1217

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911

+

Version 10.0.14393

FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

+

SHS: Val# 3047
+DRBG: Val# 955

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760

+

Version 10.0.10586

FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

+

SHS: Val# 2886
+DRBG: Val# 868

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #706

+

Version 10.0.10240

FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

+

SHS: Val#2373
+DRBG: Val# 489

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505

+

Version 6.3.9600

FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: #1903
+DRBG: #258
+SIG(ver):CURVES( P-256 P-384 P-521 )
+SHS: #1903
+DRBG: #258

+

FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: #1903
+DRBG: #258
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341.

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341

FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#1773
+DRBG: Val# 193
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#1773
+DRBG: Val# 193

+

FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: Val#1773
+DRBG: Val# 193
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295.

Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295
FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#1081
+DRBG: Val# 23
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#1081
+DRBG: Val# 23
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141.

Windows Server 2008 R2 and SP1 CNG algorithms #142

+

Windows 7 Ultimate and SP1 CNG algorithms #141

FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#753
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#753
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82.

Windows Server 2008 CNG algorithms #83

+

Windows Vista Ultimate SP1 CNG algorithms #82

FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#618
+RNG: Val# 321
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#618
+RNG: Val# 321
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60.		Windows Vista CNG algorithms #60
+ + +#### Keyed-Hash Message Authentication Code (HMAC) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    +
  • HMAC-SHA-1:
    • +
    • +
    • Key Sizes &lt; Block Size
      • +
    • Key Sizes &gt; Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-256:
    • +
    • +
    • Key Sizes &lt; Block Size
      • +
    • Key Sizes &gt; Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-384:
    • +
    • +
    • Key Sizes &lt; Block Size
      • +
    • Key Sizes &gt; Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
+

Prerequisite: SHS #4011

Microsoft Surface Hub Virtual TPM Implementations #3271

+

Version 10.0.15063.674

    +
  • HMAC-SHA-1:
    • +
    • +
    • Key Sizes &lt; Block Size
      • +
    • Key Sizes &gt; Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-256:
    • +
    • +
    • Key Sizes &lt; Block Size
      • +
    • Key Sizes &gt; Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-384:
    • +
    • +
    • Key Sizes &lt; Block Size
      • +
    • Key Sizes &gt; Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
+

Prerequisite: SHS #4009

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #3270

+

Version 10.0.16299

    +
  • HMAC-SHA-1:
    • +
    • +
    • Key Sizes &lt; Block Size
      • +
    • Key Sizes &gt; Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-256:
    • +
    • +
    • Key Sizes &lt; Block Size
      • +
    • Key Sizes &gt; Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-384:
    • +
    • +
    • Key Sizes &lt; Block Size
      • +
    • Key Sizes &gt; Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-512:
    • +
    • +
    • Key Sizes &lt; Block Size
      • +
    • Key Sizes &gt; Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
+

Prerequisite: SHS #4011

Microsoft Surface Hub SymCrypt Cryptographic Implementations #3269

+

Version 10.0.15063.674

    +
  • HMAC-SHA-1:
    • +
    • +
    • Key Sizes &lt; Block Size
      • +
    • Key Sizes &gt; Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-256:
    • +
    • +
    • Key Sizes &lt; Block Size
      • +
    • Key Sizes &gt; Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-384:
    • +
    • +
    • Key Sizes &lt; Block Size
      • +
    • Key Sizes &gt; Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-512:
    • +
    • +
    • Key Sizes &lt; Block Size
      • +
    • Key Sizes &gt; Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
+

Prerequisite: SHS #4010

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #3268

+

Version 10.0.15254

    +
  • HMAC-SHA-1:
    • +
    • +
    • Key Sizes &lt; Block Size
      • +
    • Key Sizes &gt; Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-256:
    • +
    • +
    • Key Sizes &lt; Block Size
      • +
    • Key Sizes &gt; Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-384:
    • +
    • +
    • Key Sizes &lt; Block Size
      • +
    • Key Sizes &gt; Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-512:
    • +
    • +
    • Key Sizes &lt; Block Size
      • +
    • Key Sizes &gt; Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
+

Prerequisite: SHS #4009

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #3267

+

Version 10.0.16299

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062

+

Version 10.0.15063

HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061

+

Version 10.0.15063

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946

+

Version 7.00.2872

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945

+

Version 8.00.6246

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943

+

Version 7.00.2872

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942

+

Version 8.00.6246

HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
+SHS Val# 3347

+

HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
+SHS Val# 3347

+

HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
+SHS Val# 3347

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661

+

Version 10.0.14393

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651

+

Version 10.0.14393

HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
+SHS Val# 3047

+

HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
+SHS Val# 3047

+

HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
+SHS Val# 3047

+

HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
+SHS Val# 3047

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381

+

Version 10.0.10586

HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
+SHSVal# 2886

+

HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
+SHSVal# 2886

+

HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
+ SHSVal# 2886

+

HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
+SHSVal# 2886

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233

+

Version 10.0.10240

HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
+SHS Val#2373

+

HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
+SHS Val#2373

+

HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
+SHS Val#2373

+

HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
+SHS Val#2373

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773

+

Version 6.3.9600

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122

+

Version 5.2.29344

HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902

+

HMAC-SHA256 ( Key Size Ranges Tested: KS#1902

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )

+

SHS#1903

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS )

+

SHS#1903

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS )

+

SHS#1903

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS )

+

SHS#1903

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

+

Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

Windows Server 2008 R2 and SP1 CNG algorithms #686

+

Windows 7 and SP1 CNG algorithms #677

+

Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687

+

Windows 7 Enhanced Cryptographic Provider (RSAENH) #673

HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081

+

HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452

HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753

+

HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753

Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753

Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408

+

Windows Vista Enhanced Cryptographic Provider (RSAENH) #407

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

Windows Vista Enhanced Cryptographic Provider (RSAENH) #297
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785

Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429

+

Windows XP, vendor-affirmed

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783

Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753

Windows Server 2008 CNG algorithms #413

+

Windows Vista Ultimate SP1 CNG algorithms #412

HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737

+

HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737

Windows Vista Ultimate BitLocker Drive Encryption #386

HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

Windows Vista CNG algorithms #298

HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589

Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267

HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578

Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260

HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495

+

HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495

Windows Vista BitLocker Drive Encryption #199
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364

Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99

+

Windows XP, vendor-affirmed

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305

Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31
+ + +#### Key Agreement Scheme (KAS) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    +
  • KAS ECC:
    • +
    • +
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
      • +
    • Schemes:
      • +
      • +
      • Full Unified:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • KDFs: Concatenation
          • +
        • Parameter Sets:
          • +
          • +
          • EC:
            • +
            • +
            • Curve: P-256
              • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • ED:
            • +
            • +
            • Curve: P-384
              • +
            • SHA: SHA-384
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, ECDSA #1253, DRBG #1734

Microsoft Surface Hub Virtual TPM Implementations #150

+

Version 10.0.15063.674

    +
  • KAS ECC:
    • +
    • +
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
      • +
    • Schemes:
      • +
      • +
      • Full Unified:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • KDFs: Concatenation
          • +
        • Parameter Sets:
          • +
          • +
          • EC:
            • +
            • +
            • Curve: P-256
              • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • ED:
            • +
            • +
            • Curve: P-384
              • +
            • SHA: SHA-384
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, ECDSA #1252, DRBG #1733

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #149

+

Version 10.0.16299

    +
  • KAS ECC:
    • +
    • +
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
      • +
    • Schemes:
      • +
      • +
      • Ephemeral Unified:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • KDFs: Concatenation
          • +
        • Parameter Sets:
          • +
          • +
          • EC:
            • +
            • +
            • Curve: P-256
              • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • ED:
            • +
            • +
            • Curve: P-384
              • +
            • SHA: SHA-384
              • +
            • MAC: HMAC
              • +
            • +
          • EE:
            • +
            • +
            • Curve: P-521
              • +
            • SHA: SHA-512
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • One Pass DH:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • EC:
            • +
            • +
            • Curve: P-256
              • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • ED:
            • +
            • +
            • Curve: P-384
              • +
            • SHA: SHA-384
              • +
            • MAC: HMAC
              • +
            • +
          • EE:
            • +
            • +
            • Curve: P-521
              • +
            • SHA: SHA-512
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • Static Unified:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • EC:
            • +
            • +
            • Curve: P-256
              • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • ED:
            • +
            • +
            • Curve: P-384
              • +
            • SHA: SHA-384
              • +
            • MAC: HMAC
              • +
            • +
          • EE:
            • +
            • +
            • Curve: P-521
              • +
            • SHA: SHA-512
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, ECDSA #1250, DRBG #1732

+
    +
  • KAS FFC:
    • +
    • +
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
      • +
    • Schemes:
      • +
      • +
      • dhEphem:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • FB:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • FC:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • dhOneFlow:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • FB:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • FC:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • dhStatic:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • FB:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • FC:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, DSA #1303, DRBG #1732

Microsoft Surface Hub SymCrypt Cryptographic Implementations #148

+

Version 10.0.15063.674

    +
  • KAS ECC:
    • +
    • +
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
      • +
    • Schemes:
      • +
      • +
      • Ephemeral Unified:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • KDFs: Concatenation
          • +
        • Parameter Sets:
          • +
          • +
          • EC:
            • +
            • +
            • Curve: P-256
              • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • ED:
            • +
            • +
            • Curve: P-384
              • +
            • SHA: SHA-384
              • +
            • MAC: HMAC
              • +
            • +
          • EE:
            • +
            • +
            • Curve: P-521
              • +
            • SHA: SHA-512
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • One Pass DH:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • EC:
            • +
            • +
            • Curve: P-256
              • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • ED:
            • +
            • +
            • Curve: P-384
              • +
            • SHA: SHA-384
              • +
            • MAC: HMAC
              • +
            • +
          • EE:
            • +
            • +
            • Curve: P-521
              • +
            • SHA: SHA-512
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • Static Unified:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • EC:
            • +
            • +
            • Curve: P-256
              • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • ED:
            • +
            • +
            • Curve: P-384
              • +
            • SHA: SHA-384
              • +
            • MAC: HMAC
              • +
            • +
          • EE:
            • +
            • +
            • Curve: P-521
              • +
            • SHA: SHA-512
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4010, ECDSA #1249, DRBG #1731

+
    +
  • KAS FFC:
    • +
    • +
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
      • +
    • Schemes:
      • +
      • +
      • dhEphem:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • FB:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • FC:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • dhOneFlow:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • FB:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • FC:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • dhStatic:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • FB:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • FC:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4010, DSA #1302, DRBG #1731

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #147

+

Version 10.0.15254

    +
  • KAS ECC:
    • +
    • +
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
      • +
    • Schemes:
      • +
      • +
      • Ephemeral Unified:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • KDFs: Concatenation
          • +
        • Parameter Sets:
          • +
          • +
          • EC:
            • +
            • +
            • Curve: P-256
              • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • ED:
            • +
            • +
            • Curve: P-384
              • +
            • SHA: SHA-384
              • +
            • MAC: HMAC
              • +
            • +
          • EE:
            • +
            • +
            • Curve: P-521
              • +
            • SHA: SHA-512
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • One Pass DH:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • EC:
            • +
            • +
            • Curve: P-256
              • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • ED:
            • +
            • +
            • Curve: P-384
              • +
            • SHA: SHA-384
              • +
            • MAC: HMAC
              • +
            • +
          • EE:
            • +
            • +
            • Curve: P-521
              • +
            • SHA: SHA-512
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • Static Unified:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • EC:
            • +
            • +
            • Curve: P-256
              • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • ED:
            • +
            • +
            • Curve: P-384
              • +
            • SHA: SHA-384
              • +
            • MAC: HMAC
              • +
            • +
          • EE:
            • +
            • +
            • Curve: P-521
              • +
            • SHA: SHA-512
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, ECDSA #1246, DRBG #1730

+
    +
  • KAS FFC:
    • +
    • +
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
      • +
    • Schemes:
      • +
      • +
      • dhEphem:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • FB:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • FC:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • dhOneFlow:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • FB:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • FC:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • dhStatic:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • FB:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • FC:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, DSA #1301, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #146

+

Version 10.0.16299

ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ]

+

SHS Val#3790
+DSA Val#1135
+DRBG Val#1556

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #128

+

Version 10.0.15063

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
+SHS Val#3790
+DSA Val#1223
+DRBG Val#1555

+

ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
+
+SHS Val#3790
+ECDSA Val#1133
+DRBG Val#1555

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127

+

Version 10.0.15063

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
+SHS Val# 3649
+DSA Val#1188
+DRBG Val#1430

+

ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115

+

Version 7.00.2872

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhHybridOneFlow ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
+[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
+SHS Val#3648
+DSA Val#1187
+DRBG Val#1429

+

ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
+
+SHS Val#3648
+ECDSA Val#1072
+DRBG Val#1429

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114

+

Version 8.00.6246

ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration )
+SCHEMES  [ FullUnified  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; &lt; KDF: CONCAT &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ]

+

SHS Val# 3347 ECDSA Val#920 DRBG Val#1222

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93

+

Version 10.0.14393

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation )
+SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

+

SHS Val# 3347 DSA Val#1098 DRBG Val#1217

+

ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

+

SHS Val# 3347 DSA Val#1098 ECDSA Val#911 DRBG Val#1217 HMAC Val#2651

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #92

+

Version 10.0.14393

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

+

SHS Val# 3047 DSA Val#1024 DRBG Val#955

+

ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

+

SHS Val# 3047 ECDSA Val#760 DRBG Val#955

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72

+

Version 10.0.10586

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

+

SHS Val# 2886 DSA Val#983 DRBG Val#868

+

ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

+

SHS Val# 2886 ECDSA Val#706 DRBG Val#868

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64

+

Version 10.0.10240

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

+

SHS Val#2373 DSA Val#855 DRBG Val#489

+

ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

+

SHS Val#2373 ECDSA Val#505 DRBG Val#489

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47

+

Version 6.3.9600

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+SHS #1903 DSA Val#687 DRBG #258

+

ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
+[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+
+SHS #1903 ECDSA Val#341 DRBG #258

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36

KAS (SP 800–56A)

+

key agreement

+

key establishment methodology provides 80 to 256 bits of encryption strength

Windows 7 and SP1, vendor-affirmed

+

Windows Server 2008 R2 and SP1, vendor-affirmed

+ + +SP 800-108 Key-Based Key Derivation Functions (KBKDF) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    +
  • Counter:
    • +
    • +
    • MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
      • +
    • +
+

MAC prerequisite: HMAC #3271

+
+
    +
  • Counter Location: Before Fixed Data
    • +
  • R Length: 32 (bits)
    • +
  • SPs used to generate K: SP 800-56A, SP 800-90A
    • +
+
+

K prerequisite: DRBG #1734, KAS #150

Microsoft Surface Hub Virtual TPM Implementations #161

+

Version 10.0.15063.674

    +
  • Counter:
    • +
    • +
    • MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
      • +
    • +
+

MAC prerequisite: HMAC #3270

+
+
    +
  • Counter Location: Before Fixed Data
    • +
  • R Length: 32 (bits)
    • +
  • SPs used to generate K: SP 800-56A, SP 800-90A
    • +
+
+

K prerequisite: DRBG #1733, KAS #149

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #160

+

Version 10.0.16299

    +
  • Counter:
    • +
    • +
    • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
      • +
    • +
+

MAC prerequisite: AES #4902, HMAC #3269

+
+
    +
  • Counter Location: Before Fixed Data
    • +
  • R Length: 32 (bits)
    • +
  • SPs used to generate K: SP 800-56A, SP 800-90A
    • +
  • K prerequisite: KAS #148
    • +
+

Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #159

+

Version 10.0.15063.674

    +
  • Counter:
    • +
    • +
    • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
      • +
    • +
+

MAC prerequisite: AES #4901, HMAC #3268

+
+
    +
  • Counter Location: Before Fixed Data
    • +
  • R Length: 32 (bits)
    • +
  • SPs used to generate K: SP 800-56A, SP 800-90A
    • +
+
+

K prerequisite: KAS #147

Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #158

+

Version 10.0.15254

    +
  • Counter:
    • +
    • +
    • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
      • +
    • +
+

MAC prerequisite: AES #4897, HMAC #3267

+
+
    +
  • Counter Location: Before Fixed Data
    • +
  • R Length: 32 (bits)
    • +
  • SPs used to generate K: SP 800-56A, SP 800-90A
    • +
+
+

K prerequisite: KAS #146

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #157

+

Version 10.0.16299

CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+
+KAS Val#128
+DRBG Val#1556
+MAC Val#3062

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #141

+

Version 10.0.15063

CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+
+KAS Val#127
+AES Val#4624
+DRBG Val#1555
+MAC Val#3061

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #140

+

Version 10.0.15063

CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

+

KAS Val#93 DRBG Val#1222 MAC Val#2661

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102

+

Version 10.0.14393

CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

+

KAS Val#92 AES Val#4064 DRBG Val#1217 MAC Val#2651

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101

+

Version 10.0.14393

CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

+

KAS Val#72 AES Val#3629 DRBG Val#955 MAC Val#2381

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72

+

Version 10.0.10586

CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

+

KAS Val#64 AES Val#3497 RBG Val#868 MAC Val#2233

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66

+

Version 10.0.10240

CTR_Mode:  ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

+

DRBG Val#489 MAC Val#1773

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30

+

Version 6.3.9600

CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

+

DRBG #258 HMAC Val#1345

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3
+ + +Random Number Generator (RNG) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Modes / States / Key SizesAlgorithm Implementation and Certificate #

FIPS 186-2 General Purpose

+

[ (x-Original); (SHA-1) ]

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110
FIPS 186-2
+[ (x-Original); (SHA-1) ]

Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060

+

Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292

+

Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286

+

Windows CE 5.00 and Window CE 5.01 Enhanced Cryptographic Provider (RSAENH) #66

FIPS 186-2
+[ (x-Change Notice); (SHA-1) ]

+

FIPS 186-2 General Purpose
+[ (x-Change Notice); (SHA-1) ]

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649

+

Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435

+

Windows Vista RNG implementation #321

FIPS 186-2 General Purpose
+[ (x-Change Notice); (SHA-1) ]

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470

+

Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449

+

Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447

+

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #316

+

Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313

FIPS 186-2
+[ (x-Change Notice); (SHA-1) ]

Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448

+

Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314

+ + +#### RSA + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Modes / States / Key SizesAlgorithm Implementation and Certificate #

RSA:

+
    +
  • 186-4:
    • +
    • +
    • Signature Generation PKCS1.5:
      • +
      • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
        • +
      • +
    • Signature Generation PSS:
      • +
      • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • +
      • +
    • Signature Verification PKCS1.5:
      • +
      • +
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384
        • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
        • +
      • +
    • Signature Verification PSS:
      • +
      • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, DRBG #1734

Microsoft Surface Hub Virtual TPM Implementations #2677

+

Version 10.0.15063.674

RSA:

+
    +
  • 186-4:
    • +
    • +
    • Signature Generation PKCS1.5:
      • +
      • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
        • +
      • +
    • Signature Generation PSS:
      • +
      • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 240 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • +
      • +
    • Signature Verification PKCS1.5:
      • +
      • +
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384
        • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
        • +
      • +
    • Signature Verification PSS:
      • +
      • +
      • Mod 1024:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, DRBG #1733

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #2676

+

Version 10.0.16299

RSA:

+
    +
  • 186-4:
    • +
    • +
    • Key Generation:
      • +
    • Signature Verification PKCS1.5:
      • +
      • +
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • +
+

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub RSA32 Algorithm Implementations #2675

+

Version 10.0.15063.674

RSA:

+
    +
  • 186-4:
    • +
    • +
    • Signature Verification PKCS1.5:
      • +
      • +
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • +
+

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations #2674

+

Version 10.0.16299

RSA:

+
    +
  • 186-4:
    • +
    • +
    • Signature Verification PKCS1.5:
      • +
      • +
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • +
+

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) RSA32 Algorithm Implementations #2673

+

Version 10.0.15254

RSA:

+
    +
  • 186-4:
    • +
    • +
    • Key Generation:
      • +
      • +
      • Public Key Exponent: Fixed (10001)
        • +
      • Provable Primes with Conditions:
        • +
        • +
        • Mod lengths: 2048, 3072 (bits)
          • +
        • Primality Tests: C.3
          • +
        • +
      • +
    • Signature Generation PKCS1.5:
      • +
      • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Generation PSS:
      • +
      • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • Signature Verification PKCS1.5:
      • +
      • +
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Verification PSS:
      • +
      • +
      • Mod 1024:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 496 (bits)
          • +
        • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub MsBignum Cryptographic Implementations #2672

+

Version 10.0.15063.674

RSA:

+
    +
  • 186-4:
    • +
    • +
    • Key Generation:
      • +
      • +
      • Probable Random Primes:
        • +
        • +
        • Mod lengths: 2048, 3072 (bits)
          • +
        • Primality Tests: C.2
          • +
        • +
      • +
    • Signature Generation PKCS1.5:
      • +
      • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Generation PSS:
      • +
      • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • Signature Verification PKCS1.5:
      • +
      • +
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Verification PSS:
      • +
      • +
      • Mod 1024:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 496 (bits)
          • +
        • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub SymCrypt Cryptographic Implementations #2671

+

Version 10.0.15063.674

RSA:

+
    +
  • 186-4:
    • +
    • +
    • Key Generation:
      • +
      • +
      • Probable Random Primes:
        • +
        • +
        • Mod lengths: 2048, 3072 (bits)
          • +
        • Primality Tests: C.2
          • +
        • +
      • +
    • Signature Generation PKCS1.5:
      • +
      • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Generation PSS:
      • +
      • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • Signature Verification PKCS1.5:
      • +
      • +
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Verification PSS:
      • +
      • +
      • Mod 1024:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 496 (bits)
          • +
        • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2670

+

Version 10.0.15254

RSA:

+
    +
  • 186-4:
    • +
    • +
    • Key Generation:
      • +
      • +
      • Public Key Exponent: Fixed (10001)
        • +
      • Provable Primes with Conditions:
        • +
        • +
        • Mod lengths: 2048, 3072 (bits)
          • +
        • Primality Tests: C.3
          • +
        • +
      • +
    • Signature Generation PKCS1.5:
      • +
      • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Generation PSS:
      • +
      • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • Signature Verification PKCS1.5:
      • +
      • +
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Verification PSS:
      • +
      • +
      • Mod 1024:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 496 (bits)
          • +
        • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #2669

+

Version 10.0.15254

    +
  • 186-4:
    • +
    • +
    • Key Generation:
      • +
      • +
      • Public Key Exponent: Fixed (10001)
        • +
      • Provable Primes with Conditions:
        • +
        • +
        • Mod lengths: 2048, 3072 (bits)
          • +
        • Primality Tests: C.3
          • +
        • +
      • +
    • Signature Generation PKCS1.5:
      • +
      • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Generation PSS:
      • +
      • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • Signature Verification PKCS1.5:
      • +
      • +
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Verification PSS:
      • +
      • +
      • Mod 1024:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 496 (bits)
          • +
        • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #2668

+

Version 10.0.16299

    +
  • 186-4:
    • +
    • +
    • Key Generation:
      • +
      • +
      • Probable Random Primes:
        • +
        • +
        • Mod lengths: 2048, 3072 (bits)
          • +
        • Primality Tests: C.2
          • +
        • +
      • +
    • Signature Generation PKCS1.5:
      • +
      • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Generation PSS:
      • +
      • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • Signature Verification PKCS1.5:
      • +
      • +
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Verification PSS:
      • +
      • +
      • Mod 1024:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 496 (bits)
          • +
        • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2667

+

Version 10.0.16299

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
+SHA Val#3790

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524

+

Version 10.0.15063

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#3790

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523

+

Version 10.0.15063

FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+SHA Val#3790
+DRBG: Val# 1555

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522

+

Version 10.0.15063

FIPS186-4:
+186-4KEY(gen):
+PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+SHA Val#3790

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521

+

Version 10.0.15063

FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652

+

FIPS186-4:
+ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
+SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#3652

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415

+

Version 7.00.2872

FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651

+

FIPS186-4:
+ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
+SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#3651

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414

+

Version 8.00.6246

FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val# 3649 , SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649

+

FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
+PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val# 3649
+DRBG: Val# 1430

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412

+

Version 7.00.2872

FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648

+

FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
+PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#3648
+DRBG: Val# 1429

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411

+

Version 8.00.6246

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))

+

SHA Val# 3347

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206

+

Version 10.0.14393

FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

+

SHA Val# 3347 DRBG: Val# 1217

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195

+

Version 10.0.14393

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

+

SHA Val#3346

soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194

+

Version 10.0.14393

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

+

SHA Val# 3347 DRBG: Val# 1217

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193

+

Version 10.0.14393

FIPS186-4:
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

+

Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

+

SHA Val# 3347 DRBG: Val# 1217

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192

+

Version 10.0.14393

FIPS186-4:
+186-4KEY(gen):  FIPS186-4_Fixed_e ( 10001 ) ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

+

SHA Val# 3047 DRBG: Val# 955

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889

+

Version 10.0.10586

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

+

SHA Val#3048

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871

+

Version 10.0.10586

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

+

SHA Val# 3047

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888

+

Version 10.0.10586

FIPS186-4:
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

+

SHA Val# 3047

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887

+

Version 10.0.10586

FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

+

SHA Val# 2886 DRBG: Val# 868

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798

+

Version 10.0.10240

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

+

SHA Val#2871

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784

+

Version 10.0.10240

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

+

SHA Val#2871

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783

+

Version 10.0.10240

FIPS186-4:
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+Sig(Ver): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

+

SHA Val# 2886

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802

+

Version 10.0.10240

FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

+

SHA Val#2373 DRBG: Val# 489

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487

+

Version 6.3.9600

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

+

SHA Val#2373

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494

+

Version 6.3.9600

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

+

SHA Val#2373

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493

+

Version 6.3.9600

FIPS186-4:
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+ Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

+

SHA Val#2373

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519

+

Version 6.3.9600

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
+SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 ))
+SHA #1903

+

Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134.

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134
FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+SHA #1903 DRBG: #258		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133
FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132.		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132
FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052.		Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052
FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051.		Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051
FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568.		Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568
FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#567. See Historical RSA List Val#560.

Windows Server 2008 R2 and SP1 CNG algorithms #567

+

Windows 7 and SP1 CNG algorithms #560

FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559.		Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559
FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#557.		Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557
FIPS186-2:
+ALG[ANSIX9.31]:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#395.		Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395
FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#783
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#371.		Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371
FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
+ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#358. See Historical RSA List Val#357.

Windows Server 2008 CNG algorithms #358

+

Windows Vista SP1 CNG algorithms #357

FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#355. See Historical RSA List Val#354.

Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355

+

Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354

FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353.		Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353
FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258.		Windows Vista RSA key generation implementation #258
FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
+ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#257.		Windows Vista CNG algorithms #257
FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#255.		Windows Vista Enhanced Cryptographic Provider (RSAENH) #255
FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#245.		Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245
FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#230.		Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230
FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#222.		Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222
FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]:
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#364
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#81.		Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81
FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#52.		Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52

FIPS186-2:

+

– PKCS#1 v1.5, signature generation and verification

+

– Mod sizes: 1024, 1536, 2048, 3072, 4096

+

– SHS: SHA–1/256/384/512

Windows XP, vendor-affirmed

+

Windows 2000, vendor-affirmed

+ + +#### Secure Hash Standard (SHS) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    +
  • SHA-1:
    • +
    • +
    • Supports Empty Message
      • +
    • +
  • SHA-256:
    • +
    • +
    • Supports Empty Message
      • +
    • +
  • SHA-384:
    • +
    • +
    • Supports Empty Message
      • +
    • +
  • SHA-512:
    • +
    • +
    • Supports Empty Message
      • +
    • +

Microsoft Surface Hub SymCrypt Cryptographic Implementations #4011

+

Version 10.0.15063.674

    +
  • SHA-1:
    • +
    • +
    • Supports Empty Message
      • +
    • +
  • SHA-256:
    • +
    • +
    • Supports Empty Message
      • +
    • +
  • SHA-384:
    • +
    • +
    • Supports Empty Message
      • +
    • +
  • SHA-512:
    • +
    • +
    • Supports Empty Message
      • +
    • +

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4010

+

Version 10.0.15254

    +
  • SHA-1:
    • +
    • +
    • Supports Empty Message
      • +
    • +
  • SHA-256:
    • +
    • +
    • Supports Empty Message
      • +
    • +
  • SHA-384:
    • +
    • +
    • Supports Empty Message
      • +
    • +
  • SHA-512:
    • +
    • +
    • Supports Empty Message
      • +
    • +

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4009

+

Version 10.0.16299

SHA-1      (BYTE-only)
+SHA-256  (BYTE-only)
+SHA-384  (BYTE-only)
+SHA-512  (BYTE-only)

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3790

+

Version 10.0.15063

SHA-1      (BYTE-only)
+SHA-256  (BYTE-only)
+SHA-384  (BYTE-only)
+SHA-512  (BYTE-only)

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3652

+

Version 7.00.2872

SHA-1      (BYTE-only)
+SHA-256  (BYTE-only)
+SHA-384  (BYTE-only)
+SHA-512  (BYTE-only)

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3651

+

Version 8.00.6246

SHA-1      (BYTE-only)
+SHA-256  (BYTE-only)
+SHA-384  (BYTE-only)
+SHA-512  (BYTE-only)

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3649

+

Version 7.00.2872

SHA-1      (BYTE-only)
+SHA-256  (BYTE-only)
+SHA-384  (BYTE-only)
+SHA-512  (BYTE-only)

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3648

+

Version 8.00.6246

SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)		Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #3347
+Version 10.0.14393
SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)		Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #3346
+Version 10.0.14393
SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)		Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #3048
+Version 10.0.10586
SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)		Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #3047
+Version 10.0.10586
SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)		Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886
+Version 10.0.10240
SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)		Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871
+Version 10.0.10240
SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)		Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396
+Version 6.3.9600
SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)		Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
+Version 6.3.9600

SHA-1 (BYTE-only)

+

SHA-256 (BYTE-only)

+

SHA-384 (BYTE-only)

+

SHA-512 (BYTE-only)

+

Implementation does not support zero-length (null) messages.

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903

+

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902

SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)

Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1774

+

Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1773

SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)

Windows 7and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081

+

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816

SHA-1 (BYTE-only)

Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #785

+

Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #784

SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)		Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #783
SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)

Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753

+

Windows Vista Symmetric Algorithm Implementation #618

SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)

Windows Vista BitLocker Drive Encryption #737

+

Windows Vista Beta 2 BitLocker Drive Encryption #495

SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #613

+

Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #364

SHA-1 (BYTE-only)

Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #611

+

Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #610

+

Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #385

+

Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #371

+

Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #181

+

Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #177

+

Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #176

SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)

Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #589

+

Windows CE and Windows Mobile 6 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #578

+

Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #305

SHA-1 (BYTE-only)

Windows XP Microsoft Enhanced Cryptographic Provider #83

+

Crypto Driver for Windows 2000 (fips.sys) #35

+

Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #32

+

Windows 2000 RSAENH.DLL #24

+

Windows 2000 RSABASE.DLL #23

+

Windows NT 4 SP6 RSAENH.DLL #21

+

Windows NT 4 SP6 RSABASE.DLL #20

+ + +#### Triple DES + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    +
  • TDES-CBC:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +
  • TDES-CFB64:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +
  • TDES-CFB8:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +
  • TDES-ECB:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +

Microsoft Surface Hub SymCrypt Cryptographic Implementations #2558

+

Version 10.0.15063.674

    +
  • TDES-CBC:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +
  • TDES-CFB64:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +
  • TDES-CFB8:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +
  • TDES-ECB:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2557

+

Version 10.0.15254

    +
  • TDES-CBC:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +
  • TDES-CFB64:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +
  • TDES-CFB8:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +
  • TDES-ECB:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2556

+

Version 10.0.16299

TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459

+

Version 10.0.15063

TECB( KO 1 e/d, ) ;

+

TCBC( KO 1 e/d, )

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384

+

Version 8.00.6246

TECB( KO 1 e/d, ) ;

+

TCBC( KO 1 e/d, )

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383

+

Version 8.00.6246

TECB( KO 1 e/d, ) ;

+

TCBC( KO 1 e/d, ) ;

+

CTR ( int only )

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382

+

Version 7.00.2872

TECB( KO 1 e/d, ) ;

+

TCBC( KO 1 e/d, )

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381

+

Version 8.00.6246

TECB( KO 1 e/d, ) ;

+

TCBC( KO 1 e/d, ) ;

+

TCFB8( KO 1 e/d, ) ;

+

TCFB64( KO 1 e/d, )

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227
+
+

+

Version 10.0.14393

TECB( KO 1 e/d, ) ;

+

TCBC( KO 1 e/d, ) ;

+

TCFB8( KO 1 e/d, ) ;

+

TCFB64( KO 1 e/d, )

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024
+
+

+

Version 10.0.10586

TECB( KO 1 e/d, ) ;

+

TCBC( KO 1 e/d, ) ;

+

TCFB8( KO 1 e/d, ) ;

+

TCFB64( KO 1 e/d, )

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969
+
+

+

Version 10.0.10240

TECB( KO 1 e/d, ) ;

+

TCBC( KO 1 e/d, ) ;

+

TCFB8( KO 1 e/d, ) ;

+

TCFB64( KO 1 e/d, )

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692

+

Version 6.3.9600

TECB( e/d; KO 1,2 ) ;

+

TCBC( e/d; KO 1,2 ) ;

+

TCFB8( e/d; KO 1,2 ) ;

+

TCFB64( e/d; KO 1,2 )

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387

TECB( e/d; KO 1,2 ) ;

+

TCBC( e/d; KO 1,2 ) ;

+

TCFB8( e/d; KO 1,2 )

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386

TECB( e/d; KO 1,2 ) ;

+

TCBC( e/d; KO 1,2 ) ;

+

TCFB8( e/d; KO 1,2 )

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846

TECB( e/d; KO 1,2 ) ;

+

TCBC( e/d; KO 1,2 ) ;

+

TCFB8( e/d; KO 1,2 )

Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656

TECB( e/d; KO 1,2 ) ;

+

TCBC( e/d; KO 1,2 ) ;

+

TCFB8( e/d; KO 1,2 )

Windows Vista Symmetric Algorithm Implementation #549
Triple DES MAC

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed

+

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed

TECB( e/d; KO 1,2 ) ;

+

TCBC( e/d; KO 1,2 )

Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308

+

Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307

+

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691

+

Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #677

+

Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #676

+

Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #675

+

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #544

+

Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #543

+

Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #542

+

Windows CE 6.0 and Window CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #526

+

Windows CE and Windows Mobile 6 and Windows Mobile 6.1 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #517

+

Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #381

+

Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #370

+

Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #365

+

Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #315

+

Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #201

+

Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #199

+

Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #192

+

Windows XP Microsoft Enhanced Cryptographic Provider #81

+

Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #18

+

Crypto Driver for Windows 2000 (fips.sys) #16

+ + +#### SP 800-132 Password Based Key Derivation Function (PBKDF) + + + + + + + + + + + + + + +
+ Modes / States / Key Sizes + + Algorithm Implementation and Certificate # +
+ PBKDF (vendor affirmed) +

 Kernel Mode Cryptographic Primitives Library (cng.sys) Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2937
(Software Version: 10.0.14393)

+

Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
(Software Version: 10.0.14393)

+

Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2935
(Software Version: 10.0.14393)

+

Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2931
(Software Version: 10.0.14393)

+
+ PBKDF (vendor affirmed) +

Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
(Software Version: 10.0.14393)

+

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG), vendor-affirmed

+
+ + +#### Component Validation List + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Publication / Component Validated / DescriptionImplementation and Certificate #
    +
  • ECDSA SigGen:
    • +
    • +
    • P-256 SHA: SHA-256
      • +
    • P-384 SHA: SHA-384
      • +
    • P-521 SHA: SHA-512
      • +
    • +
+

Prerequisite: DRBG #489

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540

+

Version 6.3.9600

    +
  • RSASP1:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • Padding Algorithms: PKCS 1.5
      • +
    • +

Microsoft Surface Hub Virtual TPM Implementations #1519

+

Version 10.0.15063.674

    +
  • RSASP1:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • Padding Algorithms: PKCS 1.5
      • +
    • +

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1518

+

Version 10.0.16299

    +
  • RSADP:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • +

Microsoft Surface Hub MsBignum Cryptographic Implementations #1517

+

Version 10.0.15063.674

    +
  • RSASP1:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • Padding Algorithms: PKCS 1.5
      • +
    • +

Microsoft Surface Hub MsBignum Cryptographic Implementations #1516

+

Version 10.0.15063.674

    +
  • ECDSA SigGen:
    • +
    • +
    • P-256 SHA: SHA-256
      • +
    • P-384 SHA: SHA-384
      • +
    • P-521 SHA: SHA-512
      • +
    • +
+

 Prerequisite: DRBG #1732

Microsoft Surface Hub MsBignum Cryptographic Implementations #1515

+

Version 10.0.15063.674

    +
  • ECDSA SigGen:
    • +
    • +
    • P-256 SHA: SHA-256
      • +
    • P-384 SHA: SHA-384
      • +
    • P-521 SHA: SHA-512
      • +
    • +
+

Prerequisite: DRBG #1732

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1514

+

Version 10.0.15063.674

    +
  • RSADP:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • +

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1513

+

Version 10.0.15063.674

    +
  • RSASP1:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • Padding Algorithms: PKCS 1.5
      • +
    • +

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1512

+

Version 10.0.15063.674

    +
  • IKEv1:
    • +
    • +
    • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
      • +
    • Pre-shared Key Length: 64-2048
      • +
    • Diffie-Hellman shared secrets:
      • +
      • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 2048 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 256 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 384 (bits)
          • +
        • SHA Functions: SHA-384
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, HMAC #3269

+
    +
  • IKEv2:
    • +
    • +
    • Derived Keying Material length: 192-1792
      • +
    • Diffie-Hellman shared secrets:
      • +
      • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 2048 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 256 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 384 (bits)
          • +
        • SHA Functions: SHA-384
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, HMAC #3269

+
    +
  • TLS:
    • +
    • +
    • Supports TLS 1.0/1.1
      • +
    • Supports TLS 1.2:
      • +
      • +
      • SHA Functions: SHA-256, SHA-384
        • +
      • +
    • +
+

Prerequisite: SHS #4011, HMAC #3269

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1511

+

Version 10.0.15063.674

    +
  • ECDSA SigGen:
    • +
    • +
    • P-256 SHA: SHA-256
      • +
    • P-384 SHA: SHA-384
      • +
    • P-521 SHA: SHA-512
      • +
    • +
+

Prerequisite: DRBG #1731

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1510

+

Version 10.0.15254

    +
  • RSADP:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • +

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1509

+

Version 10.0.15254

    +
  • RSASP1:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • Padding Algorithms: PKCS 1.5
      • +
    • +

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1508

+

Version 10.0.15254

    +
  • IKEv1:
    • +
    • +
    • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
      • +
    • Pre-shared Key Length: 64-2048
      • +
    • Diffie-Hellman shared secrets:
      • +
      • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 2048 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 256 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 384 (bits)
          • +
        • SHA Functions: SHA-384
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4010, HMAC #3268

+
    +
  • IKEv2:
    • +
    • +
    • Derived Keying Material length: 192-1792
      • +
    • Diffie-Hellman shared secrets:
      • +
      • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 2048 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 256 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 384 (bits)
          • +
        • SHA Functions: SHA-384
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4010, HMAC #3268

+
    +
  • TLS:
    • +
    • +
    • Supports TLS 1.0/1.1
      • +
    • Supports TLS 1.2:
      • +
      • +
      • SHA Functions: SHA-256, SHA-384
        • +
      • +
    • +
+

Prerequisite: SHS #4010, HMAC #3268

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1507

+

Version 10.0.15254

    +
  • ECDSA SigGen:
    • +
    • +
    • P-256 SHA: SHA-256
      • +
    • P-384 SHA: SHA-384
      • +
    • P-521 SHA: SHA-512
      • +
    • +
+

Prerequisite: DRBG #1731

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1506

+

Version 10.0.15254

    +
  • RSADP:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • +

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1505

+

Version 10.0.15254

    +
  • RSASP1:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • Padding Algorithms: PKCS 1.5
      • +
    • +

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1504

+

Version 10.0.15254

    +
  • ECDSA SigGen:
    • +
    • +
    • P-256 SHA: SHA-256
      • +
    • P-384 SHA: SHA-384
      • +
    • P-521 SHA: SHA-512
      • +
    • +
+

Prerequisite: DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1503

+

Version 10.0.16299

    +
  • RSADP:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • +

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1502

+

Version 10.0.16299

    +
  • RSASP1:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • Padding Algorithms: PKCS 1.5
      • +
    • +

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1501

+

Version 10.0.16299

    +
  • ECDSA SigGen:
    • +
    • +
    • P-256 SHA: SHA-256
      • +
    • P-384 SHA: SHA-384
      • +
    • P-521 SHA: SHA-512
      • +
    • +
+

Prerequisite: DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1499

+

Version 10.0.16299

    +
  • RSADP:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • +

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1498

+

Version 10.0.16299

+

 

    +
  • RSASP1:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • Padding Algorithms: PKCS 1.5
      • +
    • +

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1497

+

Version 10.0.16299

    +
  • IKEv1:
    • +
    • +
    • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
      • +
    • Pre-shared Key Length: 64-2048
      • +
    • Diffie-Hellman shared secrets:
      • +
      • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 2048 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 256 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 384 (bits)
          • +
        • SHA Functions: SHA-384
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, HMAC #3267

+
    +
  • IKEv2:
    • +
    • +
    • Derived Keying Material length: 192-1792
      • +
    • Diffie-Hellman shared secrets:
      • +
      • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 2048 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 256 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 384 (bits)
          • +
        • SHA Functions: SHA-384
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, HMAC #3267

+
    +
  • TLS:
    • +
    • +
    • Supports TLS 1.0/1.1
      • +
    • Supports TLS 1.2:
      • +
      • +
      • SHA Functions: SHA-256, SHA-384
        • +
      • +
    • +
+

Prerequisite: SHS #4009, HMAC #3267

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

+

Version 10.0.16299

FIPS186-4 ECDSA

+

Signature Generation of hash sized messages

+

ECDSA SigGen Component: CURVES( P-256 P-384 P-521 )

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1284
+Version 10.0. 15063

+

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1279
+Version 10.0. 15063

+

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #922
+Version 10.0.14393

+

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894
+Version 10.0.14393icrosoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #666
+Version 10.0.10586

+

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288
+Version 6.3.9600

FIPS186-4 RSA; PKCS#1 v2.1

+

RSASP1 Signature Primitive

+

RSASP1: (Mod2048: PKCS1.5 PKCSPSS)

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1285
+Version 10.0.15063

+

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1282
+Version 10.0.15063

+

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1280
+Version 10.0.15063

+

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #893
+Version 10.0.14393

+

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #888
+Version 10.0.14393

+

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665
+Version 10.0.10586

+

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #572
+Version  10.0.10240

+

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry MsBignum Cryptographic Implementations #289
+Version 6.3.9600

FIPS186-4 RSA; RSADP

+

RSADP Primitive

+

RSADP: (Mod2048)

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1283
+Version 10.0.15063

+

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1281
+Version 10.0.15063

+

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #895
+Version 10.0.14393

+

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #887
+Version 10.0.14393

+

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #663
+Version 10.0.10586

+

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #576
+Version  10.0.10240

SP800-135

+

Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

+

Version 10.0.16299

+

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1278
+Version 10.0.15063

+

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1140
+Version 7.00.2872

+

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1139
+Version 8.00.6246

+

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BcryptPrimitives and NCryptSSLp #886
+Version 10.0.14393

+

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BCryptPrimitives and NCryptSSLp #664
+Version 10.0.10586

+

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BCryptPrimitives and NCryptSSLp #575
+Version  10.0.10240

+

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp #323
+Version 6.3.9600

+ + +## References + +\[[FIPS 140](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)\] - FIPS 140-2, Security Requirements for Cryptographic Modules + +\[[FIPS FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf)\] - Cryptographic Module Validation Program (CMVP) FAQ + +\[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\] - Recommendation for Key Management – Part 1: General (Revised) + +\[[SP 800-131A](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)\] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths + +## Additional Microsoft References + +Enabling FIPS mode - + +Cipher Suites in Schannel - [https://msdn.microsoft.com/library/aa374757(VS.85).aspx](https://msdn.microsoft.com/library/aa374757\(vs.85\).aspx) + diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md index 7cd0315cc8..b2d4621b58 100644 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md @@ -37,5 +37,5 @@ The wsusscn2.cab file contains the metadata of only security updates, update rol For security compliance and for desktop/server hardening, we recommend the Microsoft Security Baselines and the Security Compliance Toolkit. - [Windows security baselines](windows-security-baselines.md) -- [Download Microsoft Security Compliance Toolkit 1.0 ](https://www.microsoft.com/download/details.aspx?id=55319) +- [Download Microsoft Security Compliance Toolkit 1.0](https://www.microsoft.com/download/details.aspx?id=55319) - [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/) diff --git a/windows/security/threat-protection/microsoft-defender-atp/TOC.md b/windows/security/threat-protection/microsoft-defender-atp/TOC.md index ff64c95cca..0f9409ab26 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/TOC.md +++ b/windows/security/threat-protection/microsoft-defender-atp/TOC.md @@ -100,7 +100,7 @@ #### [Protect users, data, and devices with Conditional Access](conditional-access.md) #### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md) #### [Information protection in Windows overview](information-protection-in-windows-overview.md) -##### [Use sensitivity labels to prioritize incident response ](information-protection-investigation.md) +##### [Use sensitivity labels to prioritize incident response](information-protection-investigation.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md index 9a0cea7281..122b141332 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md @@ -20,7 +20,7 @@ ms.topic: article ## APIs -Microsoft Defender ATP APIs are governed by [Microsoft API License and Terms of use](https://docs.microsoft.com/en-us/legal/microsoft-apis/terms-of-use). +Microsoft Defender ATP APIs are governed by [Microsoft API License and Terms of use](https://docs.microsoft.com/legal/microsoft-apis/terms-of-use). ## Legal Notices diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md index a550e32f0c..e97f64fda4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md +++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md @@ -24,7 +24,7 @@ ms.topic: conceptual > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). +Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). In general, you’ll need to take the following steps to use the APIs: - Create an AAD application diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md index c3b917aac9..edc1463dfc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md @@ -1,57 +1,57 @@ ---- -title: Overview of Configuration score in Microsoft Defender Security Center -ms.reviewer: -description: Expand your visibility into the overall security configuration posture of your organization -keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: mjcaparas -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 04/11/2019 ---- -# Configuration score -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](prerelease.md)] - ->[!NOTE] -> Secure score is now part of Threat & Vulnerability Management as Configuration score. We’ll keep the secure score page available for a few weeks. View the [Secure score](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection) page. - -The Microsoft Defender Advanced Threat Protection Configuration score gives you visibility and control over your organization's security posture based on security best practices. - -Your configuration score widget shows the collective security configuration state of your machines across the following categories: -- Application -- Operating system -- Network -- Accounts -- Security controls - -## How it works - -What you'll see in the configuration score widget is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously: -- Compare collected configurations to the collected benchmarks to discover misconfigured assets -- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by remediating the misconfiguration -- Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams) -- Collect and monitor changes of security control configuration state from all assets - -From the widget, you'd be able to see which security aspect require attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can take action based on security benchmarks. - -## Improve your configuration score -The goal is to improve your configuration score by remediating the issues in the security recommendations list. You can filter the view based on: -- **Related component** - **Accounts**, **Application**, **Network**, **OS**, or **Security controls** -- **Remediation type** - **Configuration change** or **Software update** - -## Related topics -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) +--- +title: Overview of Configuration score in Microsoft Defender Security Center +ms.reviewer: +description: Expand your visibility into the overall security configuration posture of your organization +keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: mjcaparas +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/11/2019 +--- +# Configuration score +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +>[!NOTE] +> Secure score is now part of Threat & Vulnerability Management as Configuration score. We’ll keep the secure score page available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection) page. + +The Microsoft Defender Advanced Threat Protection Configuration score gives you visibility and control over your organization's security posture based on security best practices. + +Your configuration score widget shows the collective security configuration state of your machines across the following categories: +- Application +- Operating system +- Network +- Accounts +- Security controls + +## How it works + +What you'll see in the configuration score widget is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously: +- Compare collected configurations to the collected benchmarks to discover misconfigured assets +- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by remediating the misconfiguration +- Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams) +- Collect and monitor changes of security control configuration state from all assets + +From the widget, you'd be able to see which security aspect require attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can take action based on security benchmarks. + +## Improve your configuration score +The goal is to improve your configuration score by remediating the issues in the security recommendations list. You can filter the view based on: +- **Related component** - **Accounts**, **Application**, **Network**, **OS**, or **Security controls** +- **Remediation type** - **Configuration change** or **Software update** + +## Related topics +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md index d1a14f1f7d..0911a2d722 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md @@ -1,45 +1,45 @@ ---- -title: Configure Threat & Vulnerability Management in Microsoft Defender ATP -ms.reviewer: -description: Configure your Threat & Vulnerability Management to allow security administrators and IT administrators to collaborate seamlessly to remediate issues via Microsoft intune and Microsoft System Center Configuration Manager (SCCM) integrations. -keywords: RBAC, Threat & Vulnerability Management configuration, Threat & Vulnerability Management integrations, Microsft Intune integration with TVM, SCCM integration with TVM -search.product: Windows 10 -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: mjcaparas -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- -# Configure Threat & Vulnerability Management -**Applies to:** -- [Microsoft Defender Advanced Threat Protection Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](prerelease.md)] - -This section guides you through the steps you need to take to configure Threat & Vulnerability Management's integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM) for a seamless collaboration of issue remediation. - -### Before you begin -> [!IMPORTANT] -> Threat & Vulnerability Management data currently supports Windows 10 machines. Upgrade to Windows 10 to account for the rest of your devices’ threat and vulnerability exposure data.
- -Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM). - ->[!WARNING] ->Only Intune and SCCM enrolled devices are supported in this scenario.
->Use any of the following options to enroll devices in Intune: ->- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) ->- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school) ->- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup). - -## Related topics -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) -- [Configuration score](configuration-score.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) +--- +title: Configure Threat & Vulnerability Management in Microsoft Defender ATP +ms.reviewer: +description: Configure your Threat & Vulnerability Management to allow security administrators and IT administrators to collaborate seamlessly to remediate issues via Microsoft intune and Microsoft System Center Configuration Manager (SCCM) integrations. +keywords: RBAC, Threat & Vulnerability Management configuration, Threat & Vulnerability Management integrations, Microsft Intune integration with TVM, SCCM integration with TVM +search.product: Windows 10 +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: mjcaparas +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- +# Configure Threat & Vulnerability Management +**Applies to:** +- [Microsoft Defender Advanced Threat Protection Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +This section guides you through the steps you need to take to configure Threat & Vulnerability Management's integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM) for a seamless collaboration of issue remediation. + +### Before you begin +> [!IMPORTANT] +> Threat & Vulnerability Management data currently supports Windows 10 machines. Upgrade to Windows 10 to account for the rest of your devices’ threat and vulnerability exposure data.
+ +Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM). + +>[!WARNING] +>Only Intune and SCCM enrolled devices are supported in this scenario.
+>Use any of the following options to enroll devices in Intune: +>- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) +>- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school) +>- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup). + +## Related topics +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Configuration score](configuration-score.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md index b13eb91164..b1b6bdea64 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md @@ -61,7 +61,7 @@ You can use existing System Center Configuration Manager functionality to create 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*. -3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/packages-and-programs) topic. +3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs) topic. a. Choose a predefined device collection to deploy the package to. @@ -115,7 +115,7 @@ For security reasons, the package used to Offboard machines will expire 30 days 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. -3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/packages-and-programs) topic. +3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs) topic. a. Choose a predefined device collection to deploy the package to. diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md index 0958ac0a89..ab927de17d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md @@ -30,7 +30,7 @@ If you need programmatic access Microsoft Defender ATP without a user, refer to If you are not sure which access you need, read the [Introduction page](apis-intro.md). -Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate work flows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). +Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate work flows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). In general, you’ll need to take the following steps to use the APIs: - Create an AAD application @@ -106,7 +106,7 @@ This page explains how to create an AAD application, get an access token to Micr ## Get an access token -For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds) +For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds) ### Using C# diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md index ae8e9f68c9..4b2377c9a3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md @@ -31,7 +31,7 @@ If you need programmatic access Microsoft Defender ATP on behalf of a user, see If you are not sure which access you need, see [Get started](apis-intro.md). -Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate workflows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). +Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate workflows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). In general, you’ll need to take the following steps to use the APIs: - Create an AAD application @@ -130,7 +130,7 @@ This page explains how to create an AAD application, get an access token to Micr ## Get an access token examples: -For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds) +For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds) ### Using PowerShell diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md index b17168bee0..58362fcab8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md @@ -40,7 +40,7 @@ In this section we share PowerShell samples to Set-ExecutionPolicy -ExecutionPolicy Bypass ``` ->For more details, refer to [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy) +>For more details, refer to [PowerShell documentation](https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy) ## Get token diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md index feddd27cd5..72a68df56d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md @@ -50,7 +50,7 @@ Sensitive information types in the Office 365 data loss prevention (DLP) impleme Default sensitive information types include information such as bank account numbers, social security numbers, or national IDs. For more information, see [What the sensitive information type look for](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for). -Custom types are ones that you define and is designed to protect a different type of sensitive information (for example, employee IDs or project numbers). For more information see, [Create a custom sensitive information type](https://docs.microsoft.com/en-us/office365/securitycompliance/create-a-custom-sensitive-information-type). +Custom types are ones that you define and is designed to protect a different type of sensitive information (for example, employee IDs or project numbers). For more information see, [Create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type). When a file is created or edited on a Windows device, Windows Defender ATP scans the content to evaluate if it contains sensitive information. diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md index 275fc11cea..a70b53af9f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md @@ -93,7 +93,7 @@ The **Artifact timeline** feature provides an addition view of the evidence that Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization. ## Related topics -- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md) +- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) - [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) - [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) - [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md index 283772ed84..0df367e9d4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md @@ -60,7 +60,7 @@ The **Most recent observed machinew with URL** section provides a chronological 5. Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events. ## Related topics -- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md) +- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) - [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) - [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) - [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md index fc752990fc..cf7f97c744 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md @@ -65,7 +65,7 @@ The **Most recent observed machines with the file** section allows you to specif This allows for greater accuracy in defining entities to display such as if and when an entity was observed in the organization. For example, if you’re trying to identify the origin of a network communication to a certain IP Address within a 10-minute period on a given date, you can specify that exact time interval, and see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching. ## Related topics -- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md) +- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) - [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) - [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) - [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md index fda84c5cce..eaabada51a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md @@ -67,7 +67,7 @@ Use the search filters to define the search criteria. You can also use the timel Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events. ## Related topics -- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md) +- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) - [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) - [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) - [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md index 7d7bd87571..5cdc7994a1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md @@ -159,7 +159,7 @@ The **Discovered vulnerabilities** section shows the name, severity, and threat ![Image of discovered vulnerabilities tab](images/discovered-vulnerabilities-machine.png) ## Related topics -- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md) +- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) - [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) - [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) - [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md index 69493fe5ec..f4570512ea 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md @@ -85,7 +85,7 @@ You can filter the results by the following time periods: - 6 months ## Related topics -- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md) +- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) - [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) - [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) - [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md index 149999abec..c431ecb195 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md @@ -1,212 +1,212 @@ ---- -title: Live response command examples -description: Learn about common commands and see examples on how it's used -keywords: example, command, cli, remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Live response command examples - -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - - -Learn about common commands used in live response and see examples on how they are typically used. - -Depending on the role that's been granted to you, you can run basic or advanced live response commands. For more information on basic and advanced commands, see [Investigate entities on machines using live response](live-response.md). - - -## analyze - -``` -# Analyze the file malware.txt -analyze file c:\Users\user\Desktop\malware.txt -``` - -``` -# Analyze the process by PID -analyze process 1234 -``` - -## connections - -``` -# List active connections in json format using parameter name -connections -output json -``` - -``` -# List active connections in json format without parameter name -connections json -``` - -## dir - -``` -# List files and sub-folders in the current folder -dir -``` - -``` -# List files and sub-folders in a specific folder -dir C:\Users\user\Desktop\ -``` - -``` -# List files and subfolders in the current folder in json format -dir -output json -``` - -## fileinfo - -``` -# Display information about a file -fileinfo C:\Windows\notepad.exe -``` - -## findfile - -``` -# Find file by name -findfile test.txt -``` - -## getfile - -``` -# Download a file from a machine -getfile c:\Users\user\Desktop\work.txt -``` - -``` -# Download a file from a machine, automatically run prerequisite commands -getfile c:\Users\user\Desktop\work.txt -auto -``` - -## processes -``` -# Show all processes -processes -``` - -``` -# Get process by pid -processes 123 -``` - -``` -# Get process by pid with argument name -processes -pid 123 -``` - -``` -# Get process by name -processes -name notepad.exe -``` - -## putfile - -``` -# Upload file from library -putfile get-process-by-name.ps1 -``` - -``` -# Upload file from library, overwrite file if it exists -putfile get-process-by-name.ps1 -overwrite -``` - -``` -# Upload file from library, keep it on the machine after a restart -putfile get-process-by-name.ps1 -keep -``` - -## registry - -``` -# Show information about the values in a registry key -registry HKEY_CURRENT_USER\Console -``` - -``` -# Show information about a specific registry value -registry HKEY_CURRENT_USER\Console\\ScreenBufferSize -``` - - -## remediate - -``` -# Remediate file in specific path -remediate file c:\Users\user\Desktop\malware.exe -``` - -``` -# Remediate process with specific PID -remediate process 7960 -``` - -``` -# See list of all remediated entities -remediate list -``` - -## run - -``` -# Run PowerShell script from the library without arguments -run script.ps1 -``` - -``` -# Run PowerShell script from the library with arguments -run get-process-by-name.ps1 -parameters "-processName Registry" -``` - -## scheduledtask - -``` -# Get all scheduled tasks -scheduledtasks -``` - -``` -# Get specific scheduled task by location and name -scheduledtasks Microsoft\Windows\Subscription\LicenseAcquisition -``` - -``` -# Get specific scheduled task by location and name with spacing -scheduledtasks "Microsoft\Configuration Manager\Configuration Manager Health Evaluation" -``` - - -## undo - -``` -# Restore remediated registry -undo registry HKEY_CURRENT_USER\Console\ScreenBufferSize -``` - -``` -# Restore remediated scheduledtask -undo scheduledtask Microsoft\Windows\Subscription\LicenseAcquisition -``` - -``` -# Restore remediated file -undo file c:\Users\user\Desktop\malware.exe -``` - +--- +title: Live response command examples +description: Learn about common commands and see examples on how it's used +keywords: example, command, cli, remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Live response command examples + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + + +Learn about common commands used in live response and see examples on how they are typically used. + +Depending on the role that's been granted to you, you can run basic or advanced live response commands. For more information on basic and advanced commands, see [Investigate entities on machines using live response](live-response.md). + + +## analyze + +``` +# Analyze the file malware.txt +analyze file c:\Users\user\Desktop\malware.txt +``` + +``` +# Analyze the process by PID +analyze process 1234 +``` + +## connections + +``` +# List active connections in json format using parameter name +connections -output json +``` + +``` +# List active connections in json format without parameter name +connections json +``` + +## dir + +``` +# List files and sub-folders in the current folder +dir +``` + +``` +# List files and sub-folders in a specific folder +dir C:\Users\user\Desktop\ +``` + +``` +# List files and subfolders in the current folder in json format +dir -output json +``` + +## fileinfo + +``` +# Display information about a file +fileinfo C:\Windows\notepad.exe +``` + +## findfile + +``` +# Find file by name +findfile test.txt +``` + +## getfile + +``` +# Download a file from a machine +getfile c:\Users\user\Desktop\work.txt +``` + +``` +# Download a file from a machine, automatically run prerequisite commands +getfile c:\Users\user\Desktop\work.txt -auto +``` + +## processes +``` +# Show all processes +processes +``` + +``` +# Get process by pid +processes 123 +``` + +``` +# Get process by pid with argument name +processes -pid 123 +``` + +``` +# Get process by name +processes -name notepad.exe +``` + +## putfile + +``` +# Upload file from library +putfile get-process-by-name.ps1 +``` + +``` +# Upload file from library, overwrite file if it exists +putfile get-process-by-name.ps1 -overwrite +``` + +``` +# Upload file from library, keep it on the machine after a restart +putfile get-process-by-name.ps1 -keep +``` + +## registry + +``` +# Show information about the values in a registry key +registry HKEY_CURRENT_USER\Console +``` + +``` +# Show information about a specific registry value +registry HKEY_CURRENT_USER\Console\\ScreenBufferSize +``` + + +## remediate + +``` +# Remediate file in specific path +remediate file c:\Users\user\Desktop\malware.exe +``` + +``` +# Remediate process with specific PID +remediate process 7960 +``` + +``` +# See list of all remediated entities +remediate list +``` + +## run + +``` +# Run PowerShell script from the library without arguments +run script.ps1 +``` + +``` +# Run PowerShell script from the library with arguments +run get-process-by-name.ps1 -parameters "-processName Registry" +``` + +## scheduledtask + +``` +# Get all scheduled tasks +scheduledtasks +``` + +``` +# Get specific scheduled task by location and name +scheduledtasks Microsoft\Windows\Subscription\LicenseAcquisition +``` + +``` +# Get specific scheduled task by location and name with spacing +scheduledtasks "Microsoft\Configuration Manager\Configuration Manager Health Evaluation" +``` + + +## undo + +``` +# Restore remediated registry +undo registry HKEY_CURRENT_USER\Console\ScreenBufferSize +``` + +``` +# Restore remediated scheduledtask +undo scheduledtask Microsoft\Windows\Subscription\LicenseAcquisition +``` + +``` +# Restore remediated file +undo file c:\Users\user\Desktop\malware.exe +``` + diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md index 358e414a2d..d3ed3224e5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md @@ -1,255 +1,255 @@ ---- -title: Investigate entities on machines using live response in Microsoft Defender ATP -description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real-time. -keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file, -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Investigate entities on machines using live response - -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](prerelease.md)] - - -Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time. - -Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats. - -With live response, analysts will have the ability to: -- Run basic and advanced commands to do investigative work -- Download files such as malware samples and outcomes of PowerShell scripts -- Upload a PowerShell script or executable to the library and run it on the machine from a tenant level -- Take or undo remediation actions - - -## Before you begin -Before you can initiate a session on a machine, make sure you fulfill the following requirements: - -- Machines must be Windows 10, version 18323 (also known as Windows 10 19H1) or later. - -- **Enable live response from the settings page**
-You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page. - - >[!NOTE] - >Only users with manage security or global admin roles can edit these settings. - -- **Enable live response unsigned script execution** (optional)
- - >[!WARNING] - >Allowing the use of unsigned scripts may increase your exposure to threats. - - Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page. - -- **Ensure that you have the appropriate permissions**
- Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments see, [Create and manage roles](user-roles.md). - - Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permission are controlled by RBAC custom role. - -## Live response dashboard overview -When you initiate a live response session on a machine, a dashboard opens. The dashboard provides information about the session such as: - -- Who created the session -- When the session started -- The duration of the session - -The dashboard also gives you access to: -- Disconnect session -- Upload files to the library -- Command console -- Command log - - -## Initiate a live response session on a machine - -1. Log in to Microsoft Defender Security Center. -2. Navigate to the machines list page and select a machine to investigate. The machine page opens. - - >[!NOTE] - >Machines must be on Windows 10, version 18323 (also known as Windows 10 19H1) or later. - -2. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the machine. -3. Use the built-in commands to do investigative work. For more information see, [Live response commands](#live-response-commands). -4. After completing your investigation, select **Disconnect session**, then select **Confirm**. - - - -## Live response commands -Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments see, [Create and manage roles](user-roles.md). - -### Basic commands -The following commands are available for user roles that's been granted the ability to run **basic** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md). - -Command | Description -:---|:---|:--- -cd | Changes the current directory. -cls | Clears the console screen. -connect | Initiates a live response session to the machine. -connections | Shows all the active connections. -dir | Shows a list of files and subdirectories in a directory -drivers | Shows all drivers installed on the machine. -fileinfo | Get information about a file. -findfile | Locates files by a given name on the machine. -help | Provides help information for live response commands. -persistence | Shows all known persistence methods on the machine. -processes | Shows all processes running on the machine. -registry | Shows registry values. -scheduledtasks| Shows all scheduled tasks on the machine. -services | Shows all services on the machine. -trace | Sets the terminal's logging mode to debug. - - -### Advanced commands -The following commands are available for user roles that's been granted the ability to run **advanced** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md). - -Command | Description -:---|:--- -analyze | Analyses the entity with various incrimination engines to reach a verdict. -getfile | Gets a file from the machine.
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `getfile` to automatically run the prerequisite command. -run | Runs a PowerShell script from the library on the machine. -library | Lists files that were uploaded to the live response library. -putfile | Puts a file from the library to the machine. Files are saved in a working folder and are deleted when the machine restarts by default. -remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type:
- File: delete
- Process: stop, delete image file
- Service: stop, delete image file
- Registry entry: delete
- Scheduled task: remove
- Startup folder item: delete file
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `remediate` to automatically run the prerequisite command. -undo | Restores an entity that was remediated. - - -## Use live response commands -The commands that you can use in the console follow similar principles as [Windows Commands](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/windows-commands#BKMK_c). - -The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the machine, and take remediation actions on an entity. - -### Get a file from the machine -For scenarios when you'd like get a file from a machine you're investigating, you can use the `getfile` command. This allows you to save the file from the machine for further investigation. - ->[!NOTE] ->There is a file size limit of 750mb. - -### Put a file in the library -Live response has a library where you can put files into. The library stores files (such as scripts) that can be run in a live response session at the tenant level. - -Live response allows PowerShell scripts to run, however you must first put the files into the library before you can run them. - -You can have a collection of PowerShell scripts that can run on machines that you initiate live response sessions with. - -**To upload a file in the library:** -1. Click **Upload file to library**. -2. Click **Browse** and select the file. -3. Provide a brief description. -4. Specify if you'd like to overwrite a file with the same name. -5. If you'd like to be know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description. -6. Click **Confirm**. -7. (Optional) To verify that the file was uploaded to the library, run the `library` command. - - -### Cancel a command -Anytime during a session, you can cancel a command by pressing CTRL + C. - ->[!WARNING] ->Using this shortcut will not stop the command in the agent side. It will only cancel the command in the portal. So, changing operations such as "remediate" may continue, while the command is canceled. - - - -### Automatically run prerequisite commands -Some commands have prerequisite commands to run. If you don't run the prerequisite command, you'll get an error. For example, running the `download` command without `fileinfo` will return an error. - -You can use the auto flag to automatically run prerequisite commands, for example: - -``` -getfile c:\Users\user\Desktop\work.txt -auto -``` - - -## Run a PowerShell script -Before you can run a PowerShell script, you must first upload it to the library. - -After uploading the script to the library, use the `run` command to run the script. - -If you plan to use an unsigned script in the session, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page. - ->[!WARNING] ->Allowing the use of unsigned scripts may increase your exposure to threats. - - - -## Apply command parameters -- View the console help to learn about command parameters. To learn about an individual command, run: - - `help ` - -- When applying parameters to commands, note that parameters are handled based on a fixed order: - - ` param1 param2` - -- When specifying parameters outside of the fixed order, specify the name of the parameter with a hyphen before providing the value: - - ` -param2_name param2` - -- When using commands that have prerequisite commands, you can use flags: - - ` -type file -id - auto` or `remediate file - auto`. - - - -## Supported output types -Live response supports table and JSON format output types. For each command, there's a default output behavior. You can modify the output in your preferred output format using the following commands: - -- `-output json` -- `-output table` - ->[!NOTE] ->Fewer fields are shown in table format due to the limited space. To see more details in the output, you can use the JSON output command so that more details are shown. - - -## Supported output pipes -Live response supports output piping to CLI and file. CLI is the default output behavior. You can pipe the output to a file using the following command: [command] > [filename].txt. - -Example: - -``` -processes > output.txt -``` - - - -## View the command log -Select the **Command log** tab to see the commands used on the machine during a session. -Each command is tracked with full details such as: -- ID -- Command line -- Duration -- Status and input or output side bar - - - - -## Limitations -- Live response sessions are limited to 10 live response sessions at a time -- Large scale command execution is not supported -- A user can only initiate one session at a time -- A machine can only be in one session at a time -- There is a file size limit of 750mb when downloading files from a machine - -## Related topic -- [Live response command examples](live-response-command-examples.md) - - - - - - - - - +--- +title: Investigate entities on machines using live response in Microsoft Defender ATP +description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real-time. +keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file, +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Investigate entities on machines using live response + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + + +Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time. + +Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats. + +With live response, analysts will have the ability to: +- Run basic and advanced commands to do investigative work +- Download files such as malware samples and outcomes of PowerShell scripts +- Upload a PowerShell script or executable to the library and run it on the machine from a tenant level +- Take or undo remediation actions + + +## Before you begin +Before you can initiate a session on a machine, make sure you fulfill the following requirements: + +- Machines must be Windows 10, version 18323 (also known as Windows 10 19H1) or later. + +- **Enable live response from the settings page**
+You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page. + + >[!NOTE] + >Only users with manage security or global admin roles can edit these settings. + +- **Enable live response unsigned script execution** (optional)
+ + >[!WARNING] + >Allowing the use of unsigned scripts may increase your exposure to threats. + + Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page. + +- **Ensure that you have the appropriate permissions**
+ Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments see, [Create and manage roles](user-roles.md). + + Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permission are controlled by RBAC custom role. + +## Live response dashboard overview +When you initiate a live response session on a machine, a dashboard opens. The dashboard provides information about the session such as: + +- Who created the session +- When the session started +- The duration of the session + +The dashboard also gives you access to: +- Disconnect session +- Upload files to the library +- Command console +- Command log + + +## Initiate a live response session on a machine + +1. Log in to Microsoft Defender Security Center. +2. Navigate to the machines list page and select a machine to investigate. The machine page opens. + + >[!NOTE] + >Machines must be on Windows 10, version 18323 (also known as Windows 10 19H1) or later. + +2. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the machine. +3. Use the built-in commands to do investigative work. For more information see, [Live response commands](#live-response-commands). +4. After completing your investigation, select **Disconnect session**, then select **Confirm**. + + + +## Live response commands +Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments see, [Create and manage roles](user-roles.md). + +### Basic commands +The following commands are available for user roles that's been granted the ability to run **basic** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md). + +Command | Description +:---|:---|:--- +cd | Changes the current directory. +cls | Clears the console screen. +connect | Initiates a live response session to the machine. +connections | Shows all the active connections. +dir | Shows a list of files and subdirectories in a directory +drivers | Shows all drivers installed on the machine. +fileinfo | Get information about a file. +findfile | Locates files by a given name on the machine. +help | Provides help information for live response commands. +persistence | Shows all known persistence methods on the machine. +processes | Shows all processes running on the machine. +registry | Shows registry values. +scheduledtasks| Shows all scheduled tasks on the machine. +services | Shows all services on the machine. +trace | Sets the terminal's logging mode to debug. + + +### Advanced commands +The following commands are available for user roles that's been granted the ability to run **advanced** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md). + +Command | Description +:---|:--- +analyze | Analyses the entity with various incrimination engines to reach a verdict. +getfile | Gets a file from the machine.
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `getfile` to automatically run the prerequisite command. +run | Runs a PowerShell script from the library on the machine. +library | Lists files that were uploaded to the live response library. +putfile | Puts a file from the library to the machine. Files are saved in a working folder and are deleted when the machine restarts by default. +remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type:
- File: delete
- Process: stop, delete image file
- Service: stop, delete image file
- Registry entry: delete
- Scheduled task: remove
- Startup folder item: delete file
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `remediate` to automatically run the prerequisite command. +undo | Restores an entity that was remediated. + + +## Use live response commands +The commands that you can use in the console follow similar principles as [Windows Commands](https://docs.microsoft.com/windows-server/administration/windows-commands/windows-commands#BKMK_c). + +The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the machine, and take remediation actions on an entity. + +### Get a file from the machine +For scenarios when you'd like get a file from a machine you're investigating, you can use the `getfile` command. This allows you to save the file from the machine for further investigation. + +>[!NOTE] +>There is a file size limit of 750mb. + +### Put a file in the library +Live response has a library where you can put files into. The library stores files (such as scripts) that can be run in a live response session at the tenant level. + +Live response allows PowerShell scripts to run, however you must first put the files into the library before you can run them. + +You can have a collection of PowerShell scripts that can run on machines that you initiate live response sessions with. + +**To upload a file in the library:** +1. Click **Upload file to library**. +2. Click **Browse** and select the file. +3. Provide a brief description. +4. Specify if you'd like to overwrite a file with the same name. +5. If you'd like to be know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description. +6. Click **Confirm**. +7. (Optional) To verify that the file was uploaded to the library, run the `library` command. + + +### Cancel a command +Anytime during a session, you can cancel a command by pressing CTRL + C. + +>[!WARNING] +>Using this shortcut will not stop the command in the agent side. It will only cancel the command in the portal. So, changing operations such as "remediate" may continue, while the command is canceled. + + + +### Automatically run prerequisite commands +Some commands have prerequisite commands to run. If you don't run the prerequisite command, you'll get an error. For example, running the `download` command without `fileinfo` will return an error. + +You can use the auto flag to automatically run prerequisite commands, for example: + +``` +getfile c:\Users\user\Desktop\work.txt -auto +``` + + +## Run a PowerShell script +Before you can run a PowerShell script, you must first upload it to the library. + +After uploading the script to the library, use the `run` command to run the script. + +If you plan to use an unsigned script in the session, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page. + +>[!WARNING] +>Allowing the use of unsigned scripts may increase your exposure to threats. + + + +## Apply command parameters +- View the console help to learn about command parameters. To learn about an individual command, run: + + `help ` + +- When applying parameters to commands, note that parameters are handled based on a fixed order: + + ` param1 param2` + +- When specifying parameters outside of the fixed order, specify the name of the parameter with a hyphen before providing the value: + + ` -param2_name param2` + +- When using commands that have prerequisite commands, you can use flags: + + ` -type file -id - auto` or `remediate file - auto`. + + + +## Supported output types +Live response supports table and JSON format output types. For each command, there's a default output behavior. You can modify the output in your preferred output format using the following commands: + +- `-output json` +- `-output table` + +>[!NOTE] +>Fewer fields are shown in table format due to the limited space. To see more details in the output, you can use the JSON output command so that more details are shown. + + +## Supported output pipes +Live response supports output piping to CLI and file. CLI is the default output behavior. You can pipe the output to a file using the following command: [command] > [filename].txt. + +Example: + +``` +processes > output.txt +``` + + + +## View the command log +Select the **Command log** tab to see the commands used on the machine during a session. +Each command is tracked with full details such as: +- ID +- Command line +- Duration +- Status and input or output side bar + + + + +## Limitations +- Live response sessions are limited to 10 live response sessions at a time +- Large scale command execution is not supported +- A user can only initiate one session at a time +- A machine can only be in one session at a time +- There is a file size limit of 750mb when downloading files from a machine + +## Related topic +- [Live response command examples](live-response-command-examples.md) + + + + + + + + + diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md index 2dc83b0d07..c5abbcade3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md @@ -80,4 +80,4 @@ For example, to show data about Windows 10 machines with Active sensor health st ## Related topic -- [Threat protection report ](threat-protection-reports.md) \ No newline at end of file +- [Threat protection report](threat-protection-reports.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md index c02a9598e4..046e0f4f05 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md @@ -116,7 +116,7 @@ Added comments instantly appear on the pane. ## Related topics - [Manage suppression rules](manage-suppression-rules.md) -- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md) +- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) - [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) - [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) - [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md index aac7917bca..c72919ffb8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md @@ -82,7 +82,7 @@ The attack surface reduction set of capabilities provide the first line of defen -**[Next generation protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)**
+**[Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)**
To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats. diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md index 666ab6abfe..070ec84568 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md @@ -1,68 +1,68 @@ ---- -title: Next-generation Threat & Vulnerability Management -ms.reviewer: -description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. -keywords: threat and vulnerability management, MDATP-TVM, vulnerability management, threat and vulnerability scanning -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: mjcaparas -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Threat & Vulnerability Management -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](prerelease.md)] - -Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrustructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience. - -It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context. - -## Next-generation capabilities -Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase. - -It is the first solution in the industry to automate the remediation process through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) for patching, configuration changes, or upgrades. ->[!Note] -> Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks. - -It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication. -- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities -- Linked machine vulnerability and security configuration assessment data in the context of exposure discovery -- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager - -### Real-time discovery - -To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerability Management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides: -- Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard. -- Visibility into software and vulnerabilities. Optics into the organization’s software inventory, as well as software changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications. -- Application runtime context. Constant visibility into application usage patterns for better prioritization and decision-making. Critical dependencies, such as vulnerable runtime libraries being loaded by other applications, are made visible. -- Configuration posture. Visibility into organizational security configuration, surfacing issues like disabled antivirus, enabled SMBv1, or misconfigurations that could allow escalation of privileges. Issues are reported in the dashboard with actionable security recommendations. - -### Intelligence-driven prioritization - -Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context: -- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk. -- Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization. -- Protecting high-value assets. Microsoft Defender ATP’s integration with Azure Information Protection allows Threat & Vulnerability Management to call attention to exposed machines with business-critical applications, confidential data, or high-value users. - -### Seamless remediation - -Microsoft Defender ATP’s Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues. -- One-click remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune with one click. We plan to expand this capability to other IT security management platforms. -- Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities. -- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization. - -## Related topics -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) -- [Configuration score](configuration-score.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) +--- +title: Next-generation Threat & Vulnerability Management +ms.reviewer: +description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. +keywords: threat and vulnerability management, MDATP-TVM, vulnerability management, threat and vulnerability scanning +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: mjcaparas +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Threat & Vulnerability Management +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrustructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience. + +It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context. + +## Next-generation capabilities +Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase. + +It is the first solution in the industry to automate the remediation process through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) for patching, configuration changes, or upgrades. +>[!Note] +> Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks. + +It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication. +- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities +- Linked machine vulnerability and security configuration assessment data in the context of exposure discovery +- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager + +### Real-time discovery + +To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerability Management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides: +- Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard. +- Visibility into software and vulnerabilities. Optics into the organization’s software inventory, as well as software changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications. +- Application runtime context. Constant visibility into application usage patterns for better prioritization and decision-making. Critical dependencies, such as vulnerable runtime libraries being loaded by other applications, are made visible. +- Configuration posture. Visibility into organizational security configuration, surfacing issues like disabled antivirus, enabled SMBv1, or misconfigurations that could allow escalation of privileges. Issues are reported in the dashboard with actionable security recommendations. + +### Intelligence-driven prioritization + +Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context: +- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk. +- Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization. +- Protecting high-value assets. Microsoft Defender ATP’s integration with Azure Information Protection allows Threat & Vulnerability Management to call attention to exposed machines with business-critical applications, confidential data, or high-value users. + +### Seamless remediation + +Microsoft Defender ATP’s Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues. +- One-click remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune with one click. We plan to expand this capability to other IT security management platforms. +- Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities. +- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization. + +## Related topics +- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Configuration score](configuration-score.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md index 9e5d1c75b1..bec39c02a1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md @@ -70,7 +70,7 @@ Review the following details to verify minimum system requirements: >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. >Don't install .NET framework 4.0.x, since it will negate the above installation. -- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-concept-hybrid#prerequisites) +- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-concept-hybrid#prerequisites) @@ -92,7 +92,7 @@ Once completed, you should see onboarded endpoints in the portal within an hour. ### Configure proxy and Internet connectivity settings -- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway). +- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway). - If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Microsoft Defender ATP service: Agent Resource | Ports diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md index 10722baf97..d9d1de552d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md @@ -1,7 +1,7 @@ --- title: Custom detections overview ms.reviewer: -description: Understand how how you can leverage the power of advanced hunting to create custom detections +description: Understand how you can leverage the power of advanced hunting to create custom detections keywords: custom detections, detections, advanced hunting, hunt, detect, query search.product: eADQiWindows 10XVcnh search.appverid: met150 diff --git a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md index f65850cce0..c70bb4f029 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md @@ -45,7 +45,7 @@ You can access these options from Microsoft Defender Security Center. Both the P ## Create a Microsoft Defender ATP dashboard on Power BI service Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. -1. In the navigation pane, select **Settings** > **Power BI reports**. +1. In the navigation pane, select **Settings** > **General** > **Power BI reports**. 2. Click **Create dashboard**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md index 389a39fd4a..409f485d23 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md @@ -31,7 +31,7 @@ You first need to [create an app](apis-intro.md). ## Use case A common scenario is scheduling an advanced query and using the results for follow up actions and processing. -In this section we share sample for this purpose using [Microsoft Flow](https://flow.microsoft.com/) (or [Logic Apps](https://azure.microsoft.com/en-us/services/logic-apps/)). +In this section we share sample for this purpose using [Microsoft Flow](https://flow.microsoft.com/) (or [Logic Apps](https://azure.microsoft.com/services/logic-apps/)). ## Define a flow to run query and parse results diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md index 1c62e63285..bd86e1319d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md @@ -37,7 +37,7 @@ You first need to [create an app](apis-intro.md). Set-ExecutionPolicy -ExecutionPolicy Bypass ``` ->For more details, see [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy) +>For more details, see [PowerShell documentation](https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy) ## Get token diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index 20faa27ae0..504baecd76 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -1,108 +1,108 @@ ---- -title: Threat & Vulnerability Management scenarios -ms.reviewer: -description: Learn how to use Threat & Vulnerability Management in the context of scenarios that Security Administrators encounter when collaborating with IT Administrators and SecOps while protecting their organization from cybersecurity threats. -keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase configuration score, increase threat & vulnerability configuration score, configuration score, exposure score, security controls -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: mjcaparas -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Threat & Vulnerability Management scenarios -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](prerelease.md)] - -## Before you begin -Ensure that your machines: -- Are onboarded to Microsoft Defender Advanced Threat Protection -- Running with Windows 10 1709 (Fall Creators Update) or later -- Have the following mandatory updates installed: -- (1) RS3 customers | [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441) -- (2) RS4 customers | [KB4493464](https://support.microsoft.com/en-us/help/4493464) -- Have at least one security recommendation that can be viewed in the machine page -- Are tagged or marked as co-managed - - -## Reduce your threat and vulnerability exposure -Threat & Vulnerability Management introduces a new exposure score metric which visually represents how exposed your machines are to imminent threats. - -The exposure score is continuously calculated on each device in the organization and influenced by the following factors: -- Weaknesses, such as vulnerabilities and misconfigurations discovered on the device -- External and internal threats such as public exploit code and security alerts -- Likelihood of the device getting breached given its current security posture -- Value of the device to the organization given its role and content - -The exposure score is broken down into the following levels: -- 0 to 29: low exposure score -- 30 to 69: medium exposure score -- 70 to 100: high exposure score - -You can reduce the exposure score by remediating issues based on prioritized security recommendations. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization. - -To lower down your threat and vulnerability exposure: - -1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. This opens the **Security recommendation** page. - - >>![top security recommendations](images/tvm_security_recommendations.png) - - >[!NOTE] - > There are two types of recommendations: - > - Security update which refers to recommendations that require a package installation - > - Configuration change which refers to recommendations that require a registry or GPO modification - > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![threat insight](images/tvm_bug_icon.png) icon. - -2. In the **Security recommendations** page, you will see the description of what needs to be done and why. It shows the vulnerability details, such as the associated exploits affecting what machines and its business impact. Click **Open software page** option from the flyout menu. ![details in security recommendations page](images/tvm_security_recommendations_page.png) - -3. Click **Installed machines** and select the affected machine from the list to open the flyout page with the relevant machine details, exposure and risk levels, alert and incident activities. ![details in software page ](images/tvm_software_page_details.png) - -4. Click **Open machine page** to connect to the machine and apply the selected recommendation. ![details in machine page](images/tvm_machine_page_details.png) - -5. Allow a few hours for the changes to propagate in the system. - -6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate won't be listed there anymore, and the exposure score should decrease. - -## Improve your security configuration ->[!NOTE] -> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md). We’ll keep the secure score page available for a few weeks. View the [secure score](https://securitycenter.windows.com/securescore) page. - -Remediating issues in the security recommendations list will improve your configuration. As you do so, your configuration score improves, which means building your organization's resilience against cybersecurity threats and vulnerabilities stronger. - -1. From the Configuration score widget, select **Security controls**. This opens the **Security recommendations** page showing the list of issues related to security controls. - - >>![configuration score widget](images/tvm_config_score.png) - -2. Select the first item on the list. This opens the flyout menu with the description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**. - ![security controls related security recommendations](images/tvm_security_controls.png) - -3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up. - +--- +title: Threat & Vulnerability Management scenarios +ms.reviewer: +description: Learn how to use Threat & Vulnerability Management in the context of scenarios that Security Administrators encounter when collaborating with IT Administrators and SecOps while protecting their organization from cybersecurity threats. +keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase configuration score, increase threat & vulnerability configuration score, configuration score, exposure score, security controls +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: mjcaparas +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Threat & Vulnerability Management scenarios +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +## Before you begin +Ensure that your machines: +- Are onboarded to Microsoft Defender Advanced Threat Protection +- Running with Windows 10 1709 (Fall Creators Update) or later +- Have the following mandatory updates installed: +- (1) RS3 customers | [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441) +- (2) RS4 customers | [KB4493464](https://support.microsoft.com/en-us/help/4493464) +- Have at least one security recommendation that can be viewed in the machine page +- Are tagged or marked as co-managed + + +## Reduce your threat and vulnerability exposure +Threat & Vulnerability Management introduces a new exposure score metric which visually represents how exposed your machines are to imminent threats. + +The exposure score is continuously calculated on each device in the organization and influenced by the following factors: +- Weaknesses, such as vulnerabilities and misconfigurations discovered on the device +- External and internal threats such as public exploit code and security alerts +- Likelihood of the device getting breached given its current security posture +- Value of the device to the organization given its role and content + +The exposure score is broken down into the following levels: +- 0 to 29: low exposure score +- 30 to 69: medium exposure score +- 70 to 100: high exposure score + +You can reduce the exposure score by remediating issues based on prioritized security recommendations. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization. + +To lower down your threat and vulnerability exposure: + +1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. This opens the **Security recommendation** page. + + >>![top security recommendations](images/tvm_security_recommendations.png) + + >[!NOTE] + > There are two types of recommendations: + > - Security update which refers to recommendations that require a package installation + > - Configuration change which refers to recommendations that require a registry or GPO modification + > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![threat insight](images/tvm_bug_icon.png) icon. + +2. In the **Security recommendations** page, you will see the description of what needs to be done and why. It shows the vulnerability details, such as the associated exploits affecting what machines and its business impact. Click **Open software page** option from the flyout menu. ![details in security recommendations page](images/tvm_security_recommendations_page.png) + +3. Click **Installed machines** and select the affected machine from the list to open the flyout page with the relevant machine details, exposure and risk levels, alert and incident activities. ![details in software page](images/tvm_software_page_details.png) + +4. Click **Open machine page** to connect to the machine and apply the selected recommendation. ![details in machine page](images/tvm_machine_page_details.png) + +5. Allow a few hours for the changes to propagate in the system. + +6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate won't be listed there anymore, and the exposure score should decrease. + +## Improve your security configuration +>[!NOTE] +> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md). We’ll keep the secure score page available for a few weeks. View the [secure score](https://securitycenter.windows.com/securescore) page. + +Remediating issues in the security recommendations list will improve your configuration. As you do so, your configuration score improves, which means building your organization's resilience against cybersecurity threats and vulnerabilities stronger. + +1. From the Configuration score widget, select **Security controls**. This opens the **Security recommendations** page showing the list of issues related to security controls. + + >>![configuration score widget](images/tvm_config_score.png) + +2. Select the first item on the list. This opens the flyout menu with the description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**. + ![security controls related security recommendations](images/tvm_security_controls.png) + +3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up. + > >![request remediation](images/tvm_request_remediation.png). > > You will see a confirmation message that the remediation task has been created. > ![remediation task creation confirmation](images/tvm_remediation_task_created.png) - -4. Save your CSV file. - ![save csv file](images/tvm_save_csv_file.png) - -5. Send a follow up email to your IT Administrator and allow the time that you have alloted for the remediation to propagate in the system. - -6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be be listed there anymore, and your configuration score should increase. - - -## Related topics -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) -- [Configuration score](configuration-score.md) - + +4. Save your CSV file. + ![save csv file](images/tvm_save_csv_file.png) + +5. Send a follow up email to your IT Administrator and allow the time that you have alloted for the remediation to propagate in the system. + +6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase. + + +## Related topics +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Configuration score](configuration-score.md) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md index 5402aa8cf9..e620a05684 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md @@ -39,7 +39,7 @@ Each layer in the threat protection stack plays a critical role in protecting cu Microsoft Defender ATP provides a comprehensive server protection solution, including endpoint detection and response (EDR) capabilities on Windows Servers. ## Azure Information Protection -Keep sensitive data secure while enabling productivity in the workplace through data data discovery and data protection. +Keep sensitive data secure while enabling productivity in the workplace through data discovery and data protection. ## Conditional Access Microsoft Defender ATP's dynamic machine risk score is integrated into the Conditional Access evaluation, ensuring that only secure devices have access to resources. diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index 93c50f478c..2f3d53c781 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md @@ -1,77 +1,77 @@ ---- -title: What's in the dashboard and what it means for my organization's security posture -ms.reviewer: -description: What's in the Threat & Vulnerability Management dashboard and how it can help SecOps and Security Administrators arrive at informed decisions in addressing cybersecurity threat vulnerabilities and building their organization's security resilience. -keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: eADQiWindows 10XVcnh -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: ellevin -author: levinec -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- -# Threat & Vulnerability Management dashboard overview - -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](prerelease.md)] - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) - -Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: -- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities -- Invaluable machine vulnerability context during incident investigations -- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) - - >[!NOTE] - > Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks. - -You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to: -- View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines -- Correlate EDR insights with endpoint vulnerabilities and process them -- Select remediation options, triage and track the remediation tasks - -## Threat & Vulnerability Management in Microsoft Defender Security Center -When you open the portal, you’ll see the main areas of the capability: - - ![Microsoft Defender Advanced Threat Protection portal](images/tvm_dashboard.png) - - ![Threat & Vulnerability Management menu](images/tvm_menu.png) - -- (1) Menu in the navigation pane -- (2) Threat & Vulnerability Management icon -- (3) Threat & Vulnerability Management dashboard - -You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section. - -Area | Description -:---|:--- -(1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities. -(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, and **Software inventory**. -**Dashboards** | Get a high-level view of the organization exposure score, MDATP configuration score, top remediation activities, top security recommendations, top vulnerable software, and top exposed machines data. -**Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list and it will open a flyout pane where you will see vulnerability details, and have the option to open the software page, and see the remediation options. -**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV. -**Software inventory** | See the list of applications, versions, weaknesses, whether there’s an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the vulnerabilities and misconfigurations associated and its machine and version distribution details. -(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, **Top exposed machines**, and **Threat campaigns**. -**Organization Exposure score** | See the current state of your organization’s device exposure to threats and vulnerabilities. Several factors affect your organization’s exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down your organization’s exposure score to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. -**MDATP Configuration score** | See the security posture of your organization’s operating system, applications, network, accounts and security controls. The goal is to increase your configuration score by remediating the related security configuration issues. You can click the bars and it will take you to the **Security recommendation** page for details. -**Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it will take you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, OS platform, its health state, when it was last seen, and its tags. -**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts ![possible active alert](images/tvm_alert_icon.png), associated public exploits ![threat insight](images/tvm_bug_icon.png), and recommendation insights ![recommendation insight](images/tvm_insight_icon.png). You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list. -**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your network’s devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable application list in the **Software inventory** page. -**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities. -**Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list. - -See [Microsoft Defender ATP icons](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal. - -## Related topics -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Configuration score](configuration-score.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) +--- +title: What's in the dashboard and what it means for my organization's security posture +ms.reviewer: +description: What's in the Threat & Vulnerability Management dashboard and how it can help SecOps and Security Administrators arrive at informed decisions in addressing cybersecurity threat vulnerabilities and building their organization's security resilience. +keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: eADQiWindows 10XVcnh +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: ellevin +author: levinec +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- +# Threat & Vulnerability Management dashboard overview + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) + +Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: +- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities +- Invaluable machine vulnerability context during incident investigations +- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) + + >[!NOTE] + > Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks. + +You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to: +- View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines +- Correlate EDR insights with endpoint vulnerabilities and process them +- Select remediation options, triage and track the remediation tasks + +## Threat & Vulnerability Management in Microsoft Defender Security Center +When you open the portal, you’ll see the main areas of the capability: + + ![Microsoft Defender Advanced Threat Protection portal](images/tvm_dashboard.png) + + ![Threat & Vulnerability Management menu](images/tvm_menu.png) + +- (1) Menu in the navigation pane +- (2) Threat & Vulnerability Management icon +- (3) Threat & Vulnerability Management dashboard + +You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section. + +Area | Description +:---|:--- +(1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities. +(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, and **Software inventory**. +**Dashboards** | Get a high-level view of the organization exposure score, MDATP configuration score, top remediation activities, top security recommendations, top vulnerable software, and top exposed machines data. +**Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list and it will open a flyout pane where you will see vulnerability details, and have the option to open the software page, and see the remediation options. +**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV. +**Software inventory** | See the list of applications, versions, weaknesses, whether there’s an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the vulnerabilities and misconfigurations associated and its machine and version distribution details. +(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, **Top exposed machines**, and **Threat campaigns**. +**Organization Exposure score** | See the current state of your organization’s device exposure to threats and vulnerabilities. Several factors affect your organization’s exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down your organization’s exposure score to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. +**MDATP Configuration score** | See the security posture of your organization’s operating system, applications, network, accounts and security controls. The goal is to increase your configuration score by remediating the related security configuration issues. You can click the bars and it will take you to the **Security recommendation** page for details. +**Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it will take you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, OS platform, its health state, when it was last seen, and its tags. +**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts ![possible active alert](images/tvm_alert_icon.png), associated public exploits ![threat insight](images/tvm_bug_icon.png), and recommendation insights ![recommendation insight](images/tvm_insight_icon.png). You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list. +**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your network’s devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable application list in the **Software inventory** page. +**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities. +**Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list. + +See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal. + +## Related topics +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Configuration score](configuration-score.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index 2549af8feb..3168a333af 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -106,7 +106,7 @@ Windows Defender Antivirus in Windows 10 uses a multi-pronged approach to improv For more information, see [Windows Defender in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) and [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server). -For information about Microsoft Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Microsoft Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) (resources) and [Microsoft Defender Advanced Threat Protection (ATP)](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) (documentation). +For information about Microsoft Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Microsoft Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) (resources) and [Microsoft Defender Advanced Threat Protection (ATP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) (documentation). ### Data Execution Prevention diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index 3c8c01c7e8..4c13b517db 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -65,6 +65,9 @@ Block at first sight requires a number of settings to be configured correctly or ![Intune config](images/defender/intune-block-at-first-sight.png) +> [!Warning] +> Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus). + For more information about configuring Windows Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). For a list of Windows Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus). diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index bbad08d05e..f18faca295 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -23,7 +23,7 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) > [!IMPORTANT] -> [Windows Defender Advanced Threat Protection ](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection) does not adhere to Windows Defender Antivirus exclusion settings. This means that any Windows Defender exclusions, no matter how you created them, are not applied by Windows Defender ATP. +> [Windows Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection) does not adhere to Windows Defender Antivirus exclusion settings. This means that any Windows Defender exclusions, no matter how you created them, are not applied by Windows Defender ATP. You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists. @@ -150,7 +150,7 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use **Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions:** -Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: +Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI ExclusionExtension @@ -286,7 +286,7 @@ If you use PowerShell, you can retrieve the list in two ways: **Validate the exclusion list by using MpCmdRun:** -To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: +To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: ```DOS MpCmdRun.exe -CheckExclusion -path diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md index ef3d91de6b..d2191e0488 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -111,7 +111,7 @@ See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-de **Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans:** -Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: +Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI ExclusionProcess @@ -158,7 +158,7 @@ If you use PowerShell, you can retrieve the list in two ways: **Validate the exclusion list by using MpCmdRun:** -To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: +To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: ```DOS MpCmdRun.exe -CheckExclusion -path diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md index 1a297b77d7..caae6efc4e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md @@ -166,7 +166,7 @@ This section lists the default exclusions for all Windows Server 2016 roles. - The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File` > [!NOTE] - > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus#opt-out-of-automatic-exclusions). + > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus#opt-out-of-automatic-exclusions). - *%systemdrive%*\System Volume Information\DFSR\\$db_normal$ diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md index b1dc15b985..5d16f8d6e6 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md @@ -197,7 +197,7 @@ This setting will prevent a scan from occurring after receiving an update. You c ### Exclusions On Windows Server 2016, Windows Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, you can refer to the exclusions that are applied on this page: -- [Configure Windows Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus) +- [Configure Windows Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus) ## Additional resources diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index ca65e8d570..cb39ebc506 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md @@ -60,7 +60,7 @@ Microsoft Update allows for rapid releases, which means it will download small d The WSUS, Configuration Manager, and MMPC sources will deliver less frequent updates. The size of the updates may be slightly larger than the frequent release from Microsoft Update (as the delta, or differences between the latest version and what is on the endpoint will be larger). This ensures consistent protection without increasing ad hoc network usage (although the amount of data may be the same or increased as the updates will be fewer, but may be slightly larger). > [!IMPORTANT] -> If you have set MMPC as a fallback source after WSUS or Microsoft Update, updates will only be downloaded from MMPC when the current update is considered to be out-of-date (by default, this is 2 consecutive days of not being able to apply updates from the WSUS or Microsoft Update services). +> If you have set MMPC as a fallback source after WSUS or Microsoft Update, updates will only be downloaded from MMPC when the current update is considered to be out-of-date (by default, this is 14 consecutive days of not being able to apply updates from the WSUS or Microsoft Update services). > You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date). Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table: diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md index add0f3f650..4a6531ad42 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -39,7 +39,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi 2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS or Android** and the deployment method to **Mobile Device Management / Microsoft Intune**. 3. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory. 4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. -5. Download **IntuneAppUtil** from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos). +5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos). ![Windows Defender Security Center screenshot](images/MDATP_2_DownloadPackages.png) @@ -83,7 +83,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi ## Client device setup -You need no special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). +You need no special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp). 1. You'll be asked to confirm device management. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index 57f36fcbf5..a0c446dd3f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -74,7 +74,7 @@ The configuration profile contains a custom settings payload that includes: To set the onboarding information, add a property list file with the name, _jamf/WindowsDefenderATPOnboarding.plist_, as a custom setting. You can do this by navigating to **Computers**>**Configuration Profiles**, selecting **New**, then choosing **Custom Settings**>**Configure**. From there, you can upload the property list. >[!IMPORTANT] - > You must set the the Preference Domain as "com.microsoft.wdav.atp" + > You must set the Preference Domain as "com.microsoft.wdav.atp" ![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png) diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 2023523f4a..c074504ddd 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -1,58 +1,58 @@ ---- -title: Prevent security settings changes with Tamper Protection -ms.reviewer: -manager: dansimp -description: Use tamper protection to prevent malicious apps from changing important security settings. -keywords: malware, defender, antivirus, tamper protection -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: dansimp -ms.author: dansimp ---- - -# Prevent security settings changes with tamper protection - -**Applies to:** - -- Windows 10 - -Tamper Protection helps prevent malicious apps from changing important security settings. These settings include: - -- Real-time protection -- Cloud-delivered protection -- IOfficeAntivirus (IOAV) -- Behavior monitoring -- Removing security intelligence updates - -With Tamper Protection set to **On**, you can still change these settings in the Windows Security app. The following apps and methods can't change these settings: - -- Mobile device management (MDM) apps like Intune -- Enterprise configuration management apps like System Center Configuration Manager (SCCM) -- Command line instruction MpCmdRun.exe -removedefinitions -dynamicsignatures -- Windows System Image Manager (Windows SIM) settings DisableAntiSpyware and DisableAntiMalware (used in Windows unattended setup) -- Group Policy -- Other Windows Management Instrumentation (WMI) apps - -The Tamper Protection setting doesn't affect how third party antivirus apps register with the Windows Security app. - -On computers running Windows 10 Enterprise E5, users can't change the Tamper Protection setting. - -Tamper Protection is set to **On** by default. If you set Tamper Protection to **Off**, you will see a yellow warning in the Windows Security app under **Virus & Threat Protection**. - -## Configure tamper protection - -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. -2. Select **Virus & threat protection**, then select **Virus & threat protection settings**. -3. Set **Tamper Protection** to **On** or **Off**. - ->[!NOTE] ->Tamper Protection blocks attempts to modify Windows Defender Antivirus settings through the registry. -> ->To help ensure that Tamper Protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. -> ->Once you’ve made this update, Tamper Protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors. +--- +title: Prevent security settings changes with Tamper Protection +ms.reviewer: +manager: dansimp +description: Use tamper protection to prevent malicious apps from changing important security settings. +keywords: malware, defender, antivirus, tamper protection +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: dansimp +ms.author: dansimp +--- + +# Prevent security settings changes with tamper protection + +**Applies to:** + +- Windows 10 + +Tamper Protection helps prevent malicious apps from changing important security settings. These settings include: + +- Real-time protection +- Cloud-delivered protection +- IOfficeAntivirus (IOAV) +- Behavior monitoring +- Removing security intelligence updates + +With Tamper Protection set to **On**, you can still change these settings in the Windows Security app. The following apps and methods can't change these settings: + +- Mobile device management (MDM) apps like Intune +- Enterprise configuration management apps like System Center Configuration Manager (SCCM) +- Command line instruction MpCmdRun.exe -removedefinitions -dynamicsignatures +- Windows System Image Manager (Windows SIM) settings DisableAntiSpyware and DisableAntiMalware (used in Windows unattended setup) +- Group Policy +- Other Windows Management Instrumentation (WMI) apps + +The Tamper Protection setting doesn't affect how third party antivirus apps register with the Windows Security app. + +On computers running Windows 10 Enterprise E5, users can't change the Tamper Protection setting. + +Tamper Protection is set to **On** by default. If you set Tamper Protection to **Off**, you will see a yellow warning in the Windows Security app under **Virus & Threat Protection**. + +## Configure tamper protection + +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +2. Select **Virus & threat protection**, then select **Virus & threat protection settings**. +3. Set **Tamper Protection** to **On** or **Off**. + +>[!NOTE] +>Tamper Protection blocks attempts to modify Windows Defender Antivirus settings through the registry. +> +>To help ensure that Tamper Protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. +> +>Once you’ve made this update, Tamper Protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 647debfcee..ac87bbc9ed 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -39,7 +39,7 @@ Attack surface reduction rules target behaviors that malware and malicious apps - Obfuscated or otherwise suspicious scripts - Behaviors that apps don't usually initiate during normal day-to-day work -You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. +You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 securty center. @@ -185,7 +185,7 @@ This rule blocks the following file types from launching unless they either meet - Executable files (such as .exe, .dll, or .scr) >[!NOTE] ->You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. +>You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. >[!IMPORTANT] >The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly. @@ -203,7 +203,7 @@ GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25 This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list. >[!NOTE] ->You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. +>You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. Intune name: Advanced ransomware protection diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md index 3e7dd85f9c..6dd4b9f19f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md @@ -42,7 +42,7 @@ The limited subset of rules that can be used in Windows 10 Enterprise E3 include - Block process creations originating from PSExec and WMI commands - Block untrusted and unsigned processes that run from USB -For more information about these rules, see [Reduce attack surfaces with attack surface reduction rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard). +For more information about these rules, see [Reduce attack surfaces with attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard). ## Related topics diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md index 00e0789bab..3029df4d23 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md @@ -45,7 +45,7 @@ Controlled folder access requires enabling [Windows Defender Antivirus real-time Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. +You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. Here is an example query diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 4559d896b6..2b7dec1738 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -40,7 +40,7 @@ You can exclude files and folders from being evaluated by attack surface reducti An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to certain rules. -An exclusion is applied only when when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. +An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md index 43cdc009e2..6e52ff5447 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md @@ -42,7 +42,7 @@ You can add additional folders to be protected, but you cannot remove the defaul Adding other folders to controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults. -You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). You can use the Windows Security app or Group Policy to add and remove additional protected folders. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index c238e5c8c2..0e744a0011 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md @@ -208,7 +208,7 @@ Where: For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used in the example above, you'd use the following command: ```PowerShell -Set-ProcesMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode +Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode ``` You can disable audit mode by using the same command but replacing `-Enable` with `-Disable`. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 6240e524cc..b346df9a75 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -53,7 +53,7 @@ You can exclude files and folders from being evaluated by most attack surface re >- Block process creations originating from PSExec and WMI commands >- Block JavaScript or VBScript from launching downloaded executable content -You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. +You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). @@ -73,9 +73,9 @@ The following procedures for enabling ASR rules include instructions for how to ## MDM -Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. +Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. -The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). +The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index 0c1ff68ba4..29ed15335f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -72,7 +72,7 @@ For more information about disabling local list merging, see [Prevent or allow u ## MDM -Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders. +Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders. ## SCCM diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index dcffecd121..7d3b72d249 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -65,7 +65,7 @@ You can also manually navigate to the event area that corresponds to the feature 3. On the left panel, under **Actions**, click **Create Custom View...** - ![Animation highlighting the create custom view option on the Event viewer window ](images/events-create.gif) + ![Animation highlighting the create custom view option on the Event viewer window](images/events-create.gif) 4. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md index 7bf07fbce8..d211891329 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md @@ -49,7 +49,7 @@ Windows 10 version 1709 or later | [Windows Defender AV real-time protection](.. Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled. +You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled. ## Review network protection events in Windows Event Viewer diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index 15fd8b2886..58f95ecbc5 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md @@ -39,9 +39,9 @@ The following tables provide more information about the hardware, firmware, and |--------------------------------|----------------------------------------------------|-------------------| | Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | | | Hardware: **CPU virtualization extensions**,
plus **extended page tables** | These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. | -| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | -| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | +| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | +| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | +| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | | Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

| Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. | > **Important**  The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide. @@ -64,7 +64,7 @@ The following tables describe additional hardware and firmware qualifications, a | Protections for Improved Security | Description | Security benefits | |---------------------------------------------|----------------------------------------------------|-----| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies).
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://docs.microsoft.com/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. | +| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies).
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://docs.microsoft.com/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. | | Firmware: **Firmware Update through Windows Update** | Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. | | Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md index 24b4c8ebd1..1a7b1eae79 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md @@ -21,7 +21,7 @@ ms.author: dansimp Windows Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Windows Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely. -See [Windows 10 (and later) settings to protect devices using Intune](https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune. +See [Windows 10 (and later) settings to protect devices using Intune](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune. ## Group Policy settings diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index ceb1488e72..be6c791392 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md @@ -61,7 +61,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic ![Windows Security Center](images/secure-launch-msinfo.png) >[!NOTE] ->To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control), [Credential Guard](https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements), and [Virtualization Based Security](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity). +>To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](https://docs.microsoft.com/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control), [Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements), and [Virtualization Based Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity). ## Requirements Met by System Guard Enabled Machines Any machine with System Guard enabled will automatically meet the following low-level hardware requirements: diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md index f5a711db65..d9cd25a523 100644 --- a/windows/security/threat-protection/windows-platform-common-criteria.md +++ b/windows/security/threat-protection/windows-platform-common-criteria.md @@ -1,177 +1,177 @@ ---- -title: Common Criteria Certifications -description: This topic details how Microsoft supports the Common Criteria certification program. -ms.prod: w10 -audience: ITPro -author: dulcemontemayor -ms.author: dolmont -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium -ms.date: 3/20/2019 -ms.reviewer: ---- - -# Common Criteria Certifications - -Microsoft is committed to optimizing the security of its products and services. As part of that commitment, Microsoft supports the Common Criteria certification program, continues to ensure that products incorporate the features and functions required by relevant Common Criteria protection profiles, and completes Common Criteria certifications of Microsoft Windows products. - -## Common Criteria Security Targets - -### Information for Systems Integrators and Accreditors - -The Security Target describes security functionality and assurance measures used to evaluate Windows. - - - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf) - - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf) - - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf) - - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf) - - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx) - - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx) - - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx) - - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf) - - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx) - - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10677-st.pdf) - - [Windows 10 and Windows Server 2012 R2](http://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf) - - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-st.pdf) - - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-st.pdf) - - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-st.pdf) - - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-st.pdf) - - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-st.pdf) - - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-st.pdf) - - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf) - - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf) - - [Windows 7 and Windows Server 2008 R2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf) - - [Microsoft Windows Server 2008 R2 Hyper-V Role](http://www.microsoft.com/download/en/details.aspx?id=29305) - - [Windows Vista and Windows Server 2008 at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf) - - [Microsoft Windows Server 2008 Hyper-V Role](http://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf) - - [Windows Vista and Windows Server 2008 at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf) - - [Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and Windows XP Embedded SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10184-st.pdf) - - [Windows Server 2003 Certificate Server](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf) - - [Windows Rights Management Services (RMS) 1.0 SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf) - -## Common Criteria Deployment and Administration - -### Information for IT Administrators - -These documents describe how to configure Windows to replicate the configuration used during the Common Criteria evaluation. - -**Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2** - - - - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf) - - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf) - - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf) - - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf) - - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx) - - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx) - - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client Operational Guidance](https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20\(21%20dec%202016\)%20\(public\).docx) - - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf) - - [Microsoft Windows 10 November 2015 Update with Surface Book Administrative Guide](https://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20\(may%2027,%202016\)\(public\).docx) - - [Microsoft Windows 10 Mobile and Windows 10 Administrative Guide](https://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf) - - [Windows 10 and Windows Server 2012 R2 Administrative Guide](https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf) - - [Windows 10 Common Criteria Operational Guidance](https://download.microsoft.com/download/d/6/f/d6fb4cec-f0f2-4d00-ab2e-63bde3713f44/windows%2010%20mobile%20device%20operational%20guidance.pdf) - -**Windows 8.1 and Windows Phone 8.1** - - - [Microsoft Surface Pro 3 Common Criteria Mobile Operational Guidance](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx) - - [Windows 8.1 and Windows Phone 8.1 CC Supplemental Admin Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx) - -**Windows 8, Windows RT, and Windows Server 2012** - - - [Windows 8 and Windows Server 2012](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx) - - [Windows 8 and Windows RT](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx) - - [Windows 8 and Windows Server 2012 BitLocker](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf) - - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx) - -**Windows 7 and Windows Server 2008 R2** - - - [Windows 7 and Windows Server 2008 R2 Supplemental CC Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00) - - [Windows Server 2008 R2 Hyper-V Common Criteria Configuration Guide](http://www.microsoft.com/download/en/details.aspx?id=29308) - -**Windows Vista and Windows Server 2008** - - - [Windows Vista and Windows Server 2008 Supplemental CC Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567) - - [Windows Server 2008 Hyper-V Role Common Criteria Administrator Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08) - -**Windows Server 2003 SP2 including R2, x64, and Itanium** - - - [Windows Server 2003 SP2 R2 Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=39598841-e693-4891-9234-cfd1550f3949) - - [Windows Server 2003 SP2 R2 Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=4f7b6a93-0307-480f-a5af-a20268cbd7cc) - -**Windows Server 2003 SP1(x86), x64, and IA64** - - - [Windows Server 2003 with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=8a26829f-c177-4b79-913a-4135fb7b96ef) - - [Windows Server 2003 with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=3f9ecd0a-74dd-4d23-a4e5-d7b63fed70e8) - -**Windows Server 2003 SP1** - - - [Windows Server 2003 Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=75736009-59e9-4a71-879e-cf581817b8cc) - - [Windows Server 2003 Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=a0ad1856-beb7-4285-b47c-381e8a210c38) - -**Windows XP Professional SP2 (x86) and x64 Edition** - - - [Windows XP Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=9a7f0b16-72ce-4675-aec8-58785c4e37ee) - - [Windows XP Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=165da57d-f066-4ddf-9462-cbecfcd68694) - - [Windows XP Common Criteria User Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=7c1a4761-9b9e-429c-84eb-cd7b034c5779) - - [Windows XP Professional with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=346f041e-d641-4af7-bdea-c5a3246d0431) - - [Windows XP Professional with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=a7075319-cc3d-4420-a00b-8c9a7068ad54) - - [Windows XP Professional with x64 Hardware User’s Guide](http://www.microsoft.com/downloads/details.aspx?familyid=26c49cf5-6159-4197-97ce-bf1fdfc54569) - -**Windows XP Professional SP2, and XP Embedded SP2** - - - [Windows XP Professional Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9bcac470-a0b3-4d34-a561-fa8308c0ff60) - - [Windows XP Professional Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9f04915e-571a-422d-8ffa-5797051e81de) - - [Windows XP Professional User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=d39d0028-7093-495c-80da-2b5b29a54bd8) - -**Windows Server 2003 Certificate Server** - - - [Windows Server 2003 Certificate Server Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d) - - [Windows Server 2003 Certificate Server Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2) - - [Windows Server 2003 Certificate Server User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e) - -## Common Criteria Evaluation Technical Reports and Certification / Validation Reports - -### Information for Systems Integrators and Accreditors - -An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team. - - - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf) - - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf) - - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf) - - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf) - - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf) - - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf) - - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf) - - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf) - - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf) - - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10694-vr.pdf) - - [Windows 10 and Windows Server 2012 R2](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf) - - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-vr.pdf) - - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-vr.pdf) - - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-vr.pdf) - - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-vr.pdf) - - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-vr.pdf) - - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-vr.pdf) - - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf) - - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf) - - [Windows 7 and Windows Server 2008 R2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf) - - [Windows Vista and Windows Server 2008 Validation Report at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf) - - [Windows Server 2008 Hyper-V Role Certification Report](http://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf) - - [Windows Vista and Windows Server 2008 Certification Report at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf) - - [Windows XP / Windows Server 2003 with x64 Hardware ETR](http://www.microsoft.com/downloads/details.aspx?familyid=6e8d98f9-25b9-4c85-9bd9-24d91ea3c9ef) - - [Windows XP / Windows Server 2003 with x64 Hardware ETR, Part II](http://www.microsoft.com/downloads/details.aspx?familyid=0c35e7d8-9c56-4686-b902-d5ffb9915658) - - [Windows Server 2003 SP2 including R2, Standard, Enterprise, Datacenter, x64, and Itanium Editions Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) - - [Windows XP Professional SP2 and x64 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) - - [Windows XP Embedded SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) - - [Windows XP and Windows Server 2003 ETR](http://www.microsoft.com/downloads/details.aspx?familyid=63cf2a1e-f578-4bb5-9245-d411f0f64265) - - [Windows XP and Windows Server 2003 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9506-vr.pdf) - - [Windows Server 2003 Certificate Server ETR](http://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314) - - [Windows Server 2003 Certificate Server Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf) - - [Microsoft Windows Rights Management Services (RMS) 1.0 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf) - -## Other Common Criteria Related Documents - - - [Identifying Windows XP and Windows Server 2003 Common Criteria Certified Requirements for the NIST Special Publication 800-53](https://download.microsoft.com/download/a/9/6/a96d1dfc-2bd4-408d-8d93-e0ede7529691/xpws03_ccto800-53.doc) - +--- +title: Common Criteria Certifications +description: This topic details how Microsoft supports the Common Criteria certification program. +ms.prod: w10 +audience: ITPro +author: dulcemontemayor +ms.author: dolmont +manager: dansimp +ms.collection: M365-identity-device-management +ms.topic: article +ms.localizationpriority: medium +ms.date: 3/20/2019 +ms.reviewer: +--- + +# Common Criteria Certifications + +Microsoft is committed to optimizing the security of its products and services. As part of that commitment, Microsoft supports the Common Criteria certification program, continues to ensure that products incorporate the features and functions required by relevant Common Criteria protection profiles, and completes Common Criteria certifications of Microsoft Windows products. + +## Common Criteria Security Targets + +### Information for Systems Integrators and Accreditors + +The Security Target describes security functionality and assurance measures used to evaluate Windows. + + - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf) + - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf) + - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf) + - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf) + - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx) + - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx) + - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx) + - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf) + - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx) + - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10677-st.pdf) + - [Windows 10 and Windows Server 2012 R2](http://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf) + - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-st.pdf) + - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-st.pdf) + - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-st.pdf) + - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-st.pdf) + - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-st.pdf) + - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-st.pdf) + - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf) + - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf) + - [Windows 7 and Windows Server 2008 R2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf) + - [Microsoft Windows Server 2008 R2 Hyper-V Role](http://www.microsoft.com/download/en/details.aspx?id=29305) + - [Windows Vista and Windows Server 2008 at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf) + - [Microsoft Windows Server 2008 Hyper-V Role](http://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf) + - [Windows Vista and Windows Server 2008 at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf) + - [Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and Windows XP Embedded SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10184-st.pdf) + - [Windows Server 2003 Certificate Server](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf) + - [Windows Rights Management Services (RMS) 1.0 SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf) + +## Common Criteria Deployment and Administration + +### Information for IT Administrators + +These documents describe how to configure Windows to replicate the configuration used during the Common Criteria evaluation. + +**Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2** + + + - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf) + - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf) + - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf) + - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf) + - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx) + - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx) + - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client Operational Guidance](https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20\(21%20dec%202016\)%20\(public\).docx) + - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf) + - [Microsoft Windows 10 November 2015 Update with Surface Book Administrative Guide](https://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20\(may%2027,%202016\)\(public\).docx) + - [Microsoft Windows 10 Mobile and Windows 10 Administrative Guide](https://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf) + - [Windows 10 and Windows Server 2012 R2 Administrative Guide](https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf) + - [Windows 10 Common Criteria Operational Guidance](https://download.microsoft.com/download/d/6/f/d6fb4cec-f0f2-4d00-ab2e-63bde3713f44/windows%2010%20mobile%20device%20operational%20guidance.pdf) + +**Windows 8.1 and Windows Phone 8.1** + + - [Microsoft Surface Pro 3 Common Criteria Mobile Operational Guidance](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx) + - [Windows 8.1 and Windows Phone 8.1 CC Supplemental Admin Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx) + +**Windows 8, Windows RT, and Windows Server 2012** + + - [Windows 8 and Windows Server 2012](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx) + - [Windows 8 and Windows RT](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx) + - [Windows 8 and Windows Server 2012 BitLocker](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf) + - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx) + +**Windows 7 and Windows Server 2008 R2** + + - [Windows 7 and Windows Server 2008 R2 Supplemental CC Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00) + - [Windows Server 2008 R2 Hyper-V Common Criteria Configuration Guide](http://www.microsoft.com/download/en/details.aspx?id=29308) + +**Windows Vista and Windows Server 2008** + + - [Windows Vista and Windows Server 2008 Supplemental CC Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567) + - [Windows Server 2008 Hyper-V Role Common Criteria Administrator Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08) + +**Windows Server 2003 SP2 including R2, x64, and Itanium** + + - [Windows Server 2003 SP2 R2 Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=39598841-e693-4891-9234-cfd1550f3949) + - [Windows Server 2003 SP2 R2 Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=4f7b6a93-0307-480f-a5af-a20268cbd7cc) + +**Windows Server 2003 SP1(x86), x64, and IA64** + + - [Windows Server 2003 with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=8a26829f-c177-4b79-913a-4135fb7b96ef) + - [Windows Server 2003 with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=3f9ecd0a-74dd-4d23-a4e5-d7b63fed70e8) + +**Windows Server 2003 SP1** + + - [Windows Server 2003 Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=75736009-59e9-4a71-879e-cf581817b8cc) + - [Windows Server 2003 Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=a0ad1856-beb7-4285-b47c-381e8a210c38) + +**Windows XP Professional SP2 (x86) and x64 Edition** + + - [Windows XP Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=9a7f0b16-72ce-4675-aec8-58785c4e37ee) + - [Windows XP Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=165da57d-f066-4ddf-9462-cbecfcd68694) + - [Windows XP Common Criteria User Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=7c1a4761-9b9e-429c-84eb-cd7b034c5779) + - [Windows XP Professional with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=346f041e-d641-4af7-bdea-c5a3246d0431) + - [Windows XP Professional with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=a7075319-cc3d-4420-a00b-8c9a7068ad54) + - [Windows XP Professional with x64 Hardware User’s Guide](http://www.microsoft.com/downloads/details.aspx?familyid=26c49cf5-6159-4197-97ce-bf1fdfc54569) + +**Windows XP Professional SP2, and XP Embedded SP2** + + - [Windows XP Professional Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9bcac470-a0b3-4d34-a561-fa8308c0ff60) + - [Windows XP Professional Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9f04915e-571a-422d-8ffa-5797051e81de) + - [Windows XP Professional User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=d39d0028-7093-495c-80da-2b5b29a54bd8) + +**Windows Server 2003 Certificate Server** + + - [Windows Server 2003 Certificate Server Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d) + - [Windows Server 2003 Certificate Server Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2) + - [Windows Server 2003 Certificate Server User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e) + +## Common Criteria Evaluation Technical Reports and Certification / Validation Reports + +### Information for Systems Integrators and Accreditors + +An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team. + + - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf) + - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf) + - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf) + - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf) + - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf) + - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf) + - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf) + - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf) + - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf) + - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10694-vr.pdf) + - [Windows 10 and Windows Server 2012 R2](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf) + - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-vr.pdf) + - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-vr.pdf) + - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-vr.pdf) + - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-vr.pdf) + - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-vr.pdf) + - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-vr.pdf) + - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf) + - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf) + - [Windows 7 and Windows Server 2008 R2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf) + - [Windows Vista and Windows Server 2008 Validation Report at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf) + - [Windows Server 2008 Hyper-V Role Certification Report](http://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf) + - [Windows Vista and Windows Server 2008 Certification Report at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf) + - [Windows XP / Windows Server 2003 with x64 Hardware ETR](http://www.microsoft.com/downloads/details.aspx?familyid=6e8d98f9-25b9-4c85-9bd9-24d91ea3c9ef) + - [Windows XP / Windows Server 2003 with x64 Hardware ETR, Part II](http://www.microsoft.com/downloads/details.aspx?familyid=0c35e7d8-9c56-4686-b902-d5ffb9915658) + - [Windows Server 2003 SP2 including R2, Standard, Enterprise, Datacenter, x64, and Itanium Editions Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) + - [Windows XP Professional SP2 and x64 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) + - [Windows XP Embedded SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) + - [Windows XP and Windows Server 2003 ETR](http://www.microsoft.com/downloads/details.aspx?familyid=63cf2a1e-f578-4bb5-9245-d411f0f64265) + - [Windows XP and Windows Server 2003 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9506-vr.pdf) + - [Windows Server 2003 Certificate Server ETR](http://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314) + - [Windows Server 2003 Certificate Server Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf) + - [Microsoft Windows Rights Management Services (RMS) 1.0 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf) + +## Other Common Criteria Related Documents + + - [Identifying Windows XP and Windows Server 2003 Common Criteria Certified Requirements for the NIST Special Publication 800-53](https://download.microsoft.com/download/a/9/6/a96d1dfc-2bd4-408d-8d93-e0ede7529691/xpws03_ccto800-53.doc) + diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md index 5ff581cba2..2e88240751 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md @@ -27,9 +27,9 @@ Microsoft recommends the following configuration for level 1 devices. Devices targeting Level 1 should support the following hardware features: -- [Trusted Platform Module (TPM) 2.0](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-tpm) -- [Bitlocker Drive Encryption](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker) -- [UEFI Secure Boot](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot) +- [Trusted Platform Module (TPM) 2.0](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-tpm) +- [Bitlocker Drive Encryption](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-bitlocker) +- [UEFI Secure Boot](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-secure-boot) - Drivers and Firmware Distributed through Windows Update ## Policies @@ -341,7 +341,7 @@ The controls enabled in level 1 enforce a reasonable security level while minimi | Feature | Config | Description | |-----------------------------------|-------------------------------------|--------------------| | [Local Admin Password Solution (LAPS)](https://www.microsoft.com/download/details.aspx?id=46899) | Deployed to all devices | Generates a unique local admin password to devices, mitigating many lateral traversal attacks. | -| [Windows Defender ATP EDR](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | Deployed to all devices | The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an an entity called an *incident*. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step. | +| [Windows Defender ATP EDR](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | Deployed to all devices | The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an entity called an *incident*. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step. | | [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) | Enabled for all compatible hardware | Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. There is a small risk to application compatibility, as [applications will break](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements#application-requirements) if they require NTLMv1, Kerberos DES encryption, Kerberos unconstrained delegation, or extracting the Keberos TGT. As such, Microsoft recommends deploying Credential Guard using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | | [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/) | Default browser | Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | | [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Enabled on compatible hardware | Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md index 55172a03e1..6cf7155a9a 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md @@ -27,10 +27,10 @@ A level 2 configuration should include all the configurations from level 1 and a Devices targeting level 2 should support all level 1 features, and add the following hardware features: -- [Virtualization and HVCI Enabled](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs) -- [Drivers and Apps HVCI-Ready](https://docs.microsoft.com/en-us/windows-hardware/test/hlk/testref/driver-compatibility-with-device-guard) -- [Windows Hello](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) -- [DMA I/O Protection](https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) +- [Virtualization and HVCI Enabled](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-vbs) +- [Drivers and Apps HVCI-Ready](https://docs.microsoft.com/windows-hardware/test/hlk/testref/driver-compatibility-with-device-guard) +- [Windows Hello](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) +- [DMA I/O Protection](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) ## Policies @@ -110,11 +110,11 @@ is anticipated to be slightly longer than the process in level 1. | Feature Set | Feature | Description | |-------------------------------------------------------------|-------------------------------------------------------|----------------| -| [Windows Hello for Business](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification) | Configure and enforce Windows Hello for Business | In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. Windows Hello addresses the following problems with passwords:
- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
- Server breaches can expose symmetric network credentials (passwords).
- Passwords are subject to replay attacks.
- Users can inadvertently expose their passwords due to phishing attacks. | -| [Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/) | Configure and enforce Conditional Access rules based on
- Application Risk
- Session Risk | With conditional access, you can implement automated access control decisions for accessing your cloud apps that are based on conditions. Conditional access policies are enforced after the first-factor authentication has been completed. Therefore, conditional access is not intended as a first line defense for scenarios like denial-of-service (DoS) attacks, but can utilize signals from these events (e.g. the sign-in risk level, location of the request, and so on) to determine access. | +| [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification) | Configure and enforce Windows Hello for Business | In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. Windows Hello addresses the following problems with passwords:
- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
- Server breaches can expose symmetric network credentials (passwords).
- Passwords are subject to replay attacks.
- Users can inadvertently expose their passwords due to phishing attacks. | +| [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/) | Configure and enforce Conditional Access rules based on
- Application Risk
- Session Risk | With conditional access, you can implement automated access control decisions for accessing your cloud apps that are based on conditions. Conditional access policies are enforced after the first-factor authentication has been completed. Therefore, conditional access is not intended as a first line defense for scenarios like denial-of-service (DoS) attacks, but can utilize signals from these events (e.g. the sign-in risk level, location of the request, and so on) to determine access. | | [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) | Enforce memory protection for OS-level controls:
- Control flow guard (CFG)
- Data Execution Protection (DEP)
- Mandatory ASLR
- Bottom-Up ASLR
- High-entropy ASLR
- Validate Exception Chains (SEHOP)
- Validate heap integrity | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at either the operating system level, or at the individual app level. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. dynamically generating code without marking memory as executable). Microsoft recommends gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | | [Attack Surface Reduction (ASR)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)| Configure and enforce [Attack Surface Reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules)| Attack surface reduction controls help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. an Office application spawning a child process). Each control has an Audit mode, and as such, Microsoft recommends the Audit / Enforce Methodology (repeated here):
1) Audit – enable the controls in audit mode, and gather audit data in a centralized location
2) Review – review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
3) Enforce – Deploy the configuration of any exemptions and convert the control to enforce mode | -| [Controlled Folder Access (CFA)](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) | Configure and audit [Controlled Folder Access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) | Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. Controlled folder access works best with Microsoft Defender Advanced Threat Protection, which gives you detailed reporting into controlled folder access events and blocks as part of the usual alert investigation scenarios.
All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
Microsoft recommends the Audit / Enforce Methodology (repeated here):
1) Audit – enable the controls in audit mode, and gather audit data in a centralized location
2) Review – review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
3) Enforce – Deploy the configuration of any exemptions and convert the control to enforce mode +| [Controlled Folder Access (CFA)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) | Configure and audit [Controlled Folder Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) | Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. Controlled folder access works best with Microsoft Defender Advanced Threat Protection, which gives you detailed reporting into controlled folder access events and blocks as part of the usual alert investigation scenarios.
All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
Microsoft recommends the Audit / Enforce Methodology (repeated here):
1) Audit – enable the controls in audit mode, and gather audit data in a centralized location
2) Review – review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
3) Enforce – Deploy the configuration of any exemptions and convert the control to enforce mode ## Behaviors diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md index b5c294ad6c..e7cc86bf0e 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md @@ -27,8 +27,8 @@ A level 3 configuration should include all the configurations from level 2 and l Devices targeting Level 3 should support all Level 2 and Level 1 features, and add the following hardware features: -- [System Guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) -- [Modern Standby](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/modern-standby) +- [System Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) +- [Modern Standby](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby) ## Policies diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md index de2548056a..5e5fc5b59d 100644 --- a/windows/whats-new/ltsc/index.md +++ b/windows/whats-new/ltsc/index.md @@ -47,4 +47,4 @@ For detailed information about Windows 10 servicing, see [Overview of Windows as ## See Also [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
-[Windows 10 - Release information](https://docs.microsoft.com/en-us/windows/windows-10/release-information): Windows 10 current versions by servicing option. \ No newline at end of file +[Windows 10 - Release information](https://docs.microsoft.com/windows/windows-10/release-information): Windows 10 current versions by servicing option. \ No newline at end of file diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 46e7f7bca5..0e1be04497 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -126,7 +126,7 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10 You can read more about ransomware mitigations and detection capability in Windows Defender Advanced Threat Protection in the blog: [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/). -Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see [Windows Defender ATP for Windows 10 Creators Update](https://technet.microsoft.com/en-au/windows/mt782787). +Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see [Windows Defender ATP for Windows 10 Creators Update](https://technet.microsoft.com/windows/mt782787). ### Windows Defender Antivirus Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index 7f6354c1f2..61b20e6870 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -36,7 +36,7 @@ This article lists new and updated features and content that are of interest to Windows 10 Education support has been added to Windows 10 Subscription Activation. -With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-subscription-activation). +With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation). ### SetupDiag @@ -51,7 +51,7 @@ SetupDiag is a command-line tool that can help diagnose why a Windows 10 update ## Servicing - [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with System Center Configuration Manager content coming soon! -- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. - **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. @@ -127,7 +127,7 @@ This new feature is displayed under the Device Security page with the string “ ### Identity Protection - [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD. -- [Streamlined Windows Hello PIN reset experience](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web. +- [Streamlined Windows Hello PIN reset experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web. - Sign-in with [Password-less](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience! - [Remote Desktop with Biometrics](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. @@ -143,7 +143,7 @@ Several new features are coming in the next version of Edge. See the [news from ## See Also -[What's New in Windows Server, version 1903](https://docs.microsoft.com/en-us/windows-server/get-started/whats-new-in-windows-server-1903): New and updated features in Windows Server.
+[What's New in Windows Server, version 1903](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1903): New and updated features in Windows Server.
[Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
[What's new in Windows 10](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.