| Support for existing devices | This topic describes how Windows Autopilot can be used to convert Windows 7 or Windows 8.1 domain-joined computers to AAD-joined computers running Windows 10.
diff --git a/windows/deployment/windows-autopilot/registration-auth.md b/windows/deployment/windows-autopilot/registration-auth.md
index 413adf3a32..452de96733 100644
--- a/windows/deployment/windows-autopilot/registration-auth.md
+++ b/windows/deployment/windows-autopilot/registration-auth.md
@@ -44,7 +44,7 @@ For a CSP to register Windows Autopilot devices on behalf of a customer, the cus
- Select the checkbox indicating whether or not you want delegated admin rights:
- - NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal: https://docs.microsoft.com/en-us/partner-center/customers_revoke_admin_privileges
+ - NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal: https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges
- Send the template above to the customer via email.
2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following MSfB page:
diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md
index e2fb1ecaa1..48841e967b 100644
--- a/windows/deployment/windows-autopilot/self-deploying.md
+++ b/windows/deployment/windows-autopilot/self-deploying.md
@@ -1,71 +1,73 @@
----
-title: Windows Autopilot Self-Deploying mode (Preview)
-description: Windows Autopilot deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.reviewer: mniehaus
-manager: laurawi
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot Self-Deploying mode
-
-**Applies to: Windows 10, version 1809 or later**
-
-Windows Autopilot self-deploying mode enables a device to be deployed with little to no user interaction. For devices with an Ethernet connection, no user interaction is required; for devices connected via Wi-fi, no interaction is required after making the Wi-fi connection (choosing the language, locale, and keyboard, then making a network connection).
-
-Self-deploying mode joins the device into Azure Active Directory, enrolls the device in Intune (or another MDM service) leveraging Azure AD for automatic MDM enrollment, and ensures that all policies, applications, certificates, and networking profiles are provisioned on the device, leveraging the enrollment status page to prevent access to the desktop until the device is fully provisioned.
-
->[!NOTE]
->Self-deploying mode does not support Active Directory Join or Hybrid Azure AD Join. All devices will be joined to Azure Active Directory.
-
-Self-deploying mode is designed to deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details.
-
->[!NOTE]
->Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device.
-
-
-
-## Requirements
-
-Because self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant, devices without TPM 2.0 cannot be used with this mode. The devices must also support TPM device attestation. (All newly-manufactured Windows devices should meet these requirements.)
-
->[!NOTE]
->If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error. (Hyper-V virtual TPMs are not supported.)
-
-In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details.
-
-## Step by step
-
-In order to perform a self-deploying mode deployment using Windows Autopilot, the following preparation steps need to be completed:
-
-- Create an Autopilot profile for self-deploying mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. (Note that it is not possible to create a profile in the Microsoft Store for Business or Partner Center for self-deploying mode.)
-- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. Ensure that the profile has been assigned to the device before attempting to deploy that device.
-- Boot the device, connecting it to Wi-fi if required, then wait for the provisioning process to complete.
-
-## Validation
-
-When performing a self-deploying mode deployment using Windows Autopilot, the following end-user experience should be observed:
-
-- Once connected to a network, the Autopilot profile will be downloaded.
-- If the Autopilot profile has been configured to automatically configure the language, locale, and keyboard layout, these OOBE screens should be skipped as long as Ethernet connectivity is available. Otherwise, manual steps are required:
- - If multiple languages are preinstalled in Windows 10, the user must pick a language.
- - The user must pick a locale and a keyboard layout, and optionally a second keyboard layout.
-- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network.
-- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required).
-- The device will join Azure Active Directory.
-- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services).
-- The [enrollment status page](enrollment-status.md) will be displayed.
-- Depending on the device settings deployed, the device will either:
- - Remain at the logon screen, where any member of the organization can log on by specifying their Azure AD credentials.
- - Automatically sign in as a local account, for devices configured as a kiosk or digital signage.
-
-In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation.
+---
+title: Windows Autopilot Self-Deploying mode
+description: Windows Autopilot deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.reviewer: mniehaus
+manager: laurawi
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Windows Autopilot Self-Deploying mode
+
+**Applies to: Windows 10, version 1903 or later**
+
+Windows Autopilot self-deploying mode enables a device to be deployed with little to no user interaction. For devices with an Ethernet connection, no user interaction is required; for devices connected via Wi-fi, no interaction is required after making the Wi-fi connection (choosing the language, locale, and keyboard, then making a network connection).
+
+Self-deploying mode joins the device into Azure Active Directory, enrolls the device in Intune (or another MDM service) leveraging Azure AD for automatic MDM enrollment, and ensures that all policies, applications, certificates, and networking profiles are provisioned on the device, leveraging the enrollment status page to prevent access to the desktop until the device is fully provisioned.
+
+>[!NOTE]
+>Self-deploying mode does not support Active Directory Join or Hybrid Azure AD Join. All devices will be joined to Azure Active Directory.
+
+Self-deploying mode is designed to deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details.
+
+>[!NOTE]
+>Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device.
+
+
+
+## Requirements
+
+Because self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant, devices without TPM 2.0 cannot be used with this mode. The devices must also support TPM device attestation. (All newly-manufactured Windows devices should meet these requirements.)
+
+>[!NOTE]
+>If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported).. Also note that Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809.
+
+In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details.
+
+## Step by step
+
+In order to perform a self-deploying mode deployment using Windows Autopilot, the following preparation steps need to be completed:
+
+- Create an Autopilot profile for self-deploying mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. (Note that it is not possible to create a profile in the Microsoft Store for Business or Partner Center for self-deploying mode.)
+- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. Ensure that the profile has been assigned to the device before attempting to deploy that device.
+- Boot the device, connecting it to Wi-fi if required, then wait for the provisioning process to complete.
+
+## Validation
+
+When performing a self-deploying mode deployment using Windows Autopilot, the following end-user experience should be observed:
+
+- Once connected to a network, the Autopilot profile will be downloaded.
+- If the Autopilot profile has been configured to automatically configure the language, locale, and keyboard layout, these OOBE screens should be skipped as long as Ethernet connectivity is available. Otherwise, manual steps are required:
+ - If multiple languages are preinstalled in Windows 10, the user must pick a language.
+ - The user must pick a locale and a keyboard layout, and optionally a second keyboard layout.
+- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network.
+- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required).
+- The device will join Azure Active Directory.
+- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services).
+- The [enrollment status page](enrollment-status.md) will be displayed.
+- Depending on the device settings deployed, the device will either:
+ - Remain at the logon screen, where any member of the organization can log on by specifying their Azure AD credentials.
+ - Automatically sign in as a local account, for devices configured as a kiosk or digital signage.
+
+>[!NOTE]
+>Deploying EAS policies using self-deploying mode for kiosk deployments will cause auto-logon functionality to fail.
+
+In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation.
diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md
index 0b60714d75..cce649aaf6 100644
--- a/windows/deployment/windows-autopilot/user-driven.md
+++ b/windows/deployment/windows-autopilot/user-driven.md
@@ -1,99 +1,99 @@
----
-title: Windows Autopilot User-Driven Mode
-description: Windows Autopilot deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.reviewer: mniehaus
-manager: laurawi
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot user-driven mode
-
-Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions:
-
-- Unbox the device, plug it in, and turn it on.
-- Choose a language, locale and keyboard.
-- Connect it to a wireless or wired network with internet access.
-- Specify your e-mail address and password for your organization account.
-
-After completing those simple steps, the remainder of the process is completely automated, with the device being joined to the organization, enrolled in Intune (or another MDM service), and fully configured as defined by the organization. Any additional prompts during the Out-of-Box Experience (OOBE) can be supressed; see [Configuring Autopilot Profiles](profiles.md) for options that are available.
-
-Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options.
-
-## Available user-driven modes
-
-The following options are available for user-driven deployment:
-
-- [Azure Active Directory join](#user-driven-mode-for-azure-active-directory-join) is available if devices do not need to be joined to an on-prem Active Directory domain.
-- [Hybrid Azure Active Directory join](#user-driven-mode-for-hybrid-azure-active-directory-join) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain.
-
-### User-driven mode for Azure Active Directory join
-
-In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed:
-
-- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information.
-- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected.
-- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group.
-
-For each device that will be deployed using user-driven deployment, these additional steps are needed:
-
-- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information.
-- Ensure an Autopilot profile has been assigned to the device:
- - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically.
- - If using Intune and Azure Active Directory static device groups, manually add the device to the device group.
- - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device.
-
-Also see the [Validation](#validation) section below.
-
-### User-driven mode for hybrid Azure Active Directory join
-
-Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment and want to also join devices to your on-premises domain, you can accomplish this by configuring Autopilot devices to be [hybrid Azure Active Directory (AAD) joined](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan).
-
-#### Requirements
-
-To perform a user-driven hybrid AAD joined deployment using Windows Autopilot:
-
-- A Windows Autopilot profile for user-driven mode must be created and
- - **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile.
-- If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group.
-- The device must be running Windows 10, version 1809 or later.
-- The device must be able to access an Active Directory domain controller, so it must be connected to the organization's network (where it can resolve the DNS records for the AD domain and the AD domain controller, and communicate with the domain controller to authenticate the user).
-- The device must be able to access the Internet, following the [documented Windows Autopilot network requirements](windows-autopilot-requirements.md).
-- The Intune Connector for Active Directory must be installed.
- - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf.
-- If using Proxy, WPAD Proxy settings option must be enabled and configured.
-
-**AAD device join**: The hybrid AAD join process uses the system context to perform device AAD join, therefore it is not affected by user based AAD join permission settings. In addition, all users are enabled to join devices to AAD by default.
-
-#### Step by step instructions
-
-See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid).
-
-Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic.
-
-## Validation
-
-When performing a user-driven deployment using Windows Autopilot, the following end-user experience should be observed:
-
-- If multiple languages are preinstalled in Windows 10, the user must pick a language.
-- The user must pick a locale and a keyboard layout, and optionally a second keyboard layout.
-- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network.
-- Once connected to a network, the Autopilot profile will be downloaded.
-- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required).
-- The user will be prompted for Azure Active Directory credentials, with a customized user experience showing the Azure AD tenant name, logo, and sign-in text.
-- Once correct credentials have been entered, the device will join Azure Active Directory.
-- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services).
-- If configured, the [enrollment status page](enrollment-status.md) will be displayed.
-- Once the device configuration tasks have completed, the user will be signed into Windows 10 using the credentials they previously provided.
-- Once signed in, the enrollment status page will again be displayed for user-targeted configuration tasks.
-
-In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation.
+---
+title: Windows Autopilot User-Driven Mode
+description: Windows Autopilot deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.reviewer: mniehaus
+manager: laurawi
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+
+# Windows Autopilot user-driven mode
+
+Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions:
+
+- Unbox the device, plug it in, and turn it on.
+- Choose a language, locale and keyboard.
+- Connect it to a wireless or wired network with internet access.
+- Specify your e-mail address and password for your organization account.
+
+After completing those simple steps, the remainder of the process is completely automated, with the device being joined to the organization, enrolled in Intune (or another MDM service), and fully configured as defined by the organization. Any additional prompts during the Out-of-Box Experience (OOBE) can be supressed; see [Configuring Autopilot Profiles](profiles.md) for options that are available.
+
+Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options.
+
+## Available user-driven modes
+
+The following options are available for user-driven deployment:
+
+- [Azure Active Directory join](#user-driven-mode-for-azure-active-directory-join) is available if devices do not need to be joined to an on-prem Active Directory domain.
+- [Hybrid Azure Active Directory join](#user-driven-mode-for-hybrid-azure-active-directory-join) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain.
+
+### User-driven mode for Azure Active Directory join
+
+In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed:
+
+- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information.
+- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected.
+- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group.
+
+For each device that will be deployed using user-driven deployment, these additional steps are needed:
+
+- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information.
+- Ensure an Autopilot profile has been assigned to the device:
+ - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically.
+ - If using Intune and Azure Active Directory static device groups, manually add the device to the device group.
+ - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device.
+
+Also see the [Validation](#validation) section below.
+
+### User-driven mode for hybrid Azure Active Directory join
+
+Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment and want to also join devices to your on-premises domain, you can accomplish this by configuring Autopilot devices to be [hybrid Azure Active Directory (AAD) joined](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan).
+
+#### Requirements
+
+To perform a user-driven hybrid AAD joined deployment using Windows Autopilot:
+
+- A Windows Autopilot profile for user-driven mode must be created and
+ - **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile.
+- If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group.
+- The device must be running Windows 10, version 1809 or later.
+- The device must be able to access an Active Directory domain controller, so it must be connected to the organization's network (where it can resolve the DNS records for the AD domain and the AD domain controller, and communicate with the domain controller to authenticate the user).
+- The device must be able to access the Internet, following the [documented Windows Autopilot network requirements](windows-autopilot-requirements.md).
+- The Intune Connector for Active Directory must be installed.
+ - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf.
+- If using Proxy, WPAD Proxy settings option must be enabled and configured.
+
+**AAD device join**: The hybrid AAD join process uses the system context to perform device AAD join, therefore it is not affected by user based AAD join permission settings. In addition, all users are enabled to join devices to AAD by default.
+
+#### Step by step instructions
+
+See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid).
+
+Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic.
+
+## Validation
+
+When performing a user-driven deployment using Windows Autopilot, the following end-user experience should be observed:
+
+- If multiple languages are preinstalled in Windows 10, the user must pick a language.
+- The user must pick a locale and a keyboard layout, and optionally a second keyboard layout.
+- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network.
+- Once connected to a network, the Autopilot profile will be downloaded.
+- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required).
+- The user will be prompted for Azure Active Directory credentials, with a customized user experience showing the Azure AD tenant name, logo, and sign-in text.
+- Once correct credentials have been entered, the device will join Azure Active Directory.
+- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services).
+- If configured, the [enrollment status page](enrollment-status.md) will be displayed.
+- Once the device configuration tasks have completed, the user will be signed into Windows 10 using the credentials they previously provided.
+- Once signed in, the enrollment status page will again be displayed for user-targeted configuration tasks.
+
+In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation.
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
index f4f79e0f88..5ef4bd2feb 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
@@ -1,120 +1,121 @@
----
-title: Windows Autopilot requirements
-ms.reviewer:
-manager: laurawi
-description: Windows Autopilot deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot requirements
-
-**Applies to: Windows 10**
-
-Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met.
-
-**Note**: For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsautopilot).
-
-## Software requirements
-
-- Windows 10 version 1703 (semi-annual channel) or higher is required.
-- The following editions are supported:
- - Windows 10 Pro
- - Windows 10 Pro Education
- - Windows 10 Pro for Workstations
- - Windows 10 Enterprise
- - Windows 10 Education
- - Windows 10 Enterprise 2019 LTSC
-
-## Networking requirements
-
-Windows Autopilot depends on a variety of internet-based services. Access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following:
-
-- Ensure DNS name resolution for internet DNS names
-- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP)
-
-In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the required services. For additional details about each of these services and their specific requirements, review the following details:
-
-| Service | Information
- | | Windows Autopilot Deployment Service and Windows Activation | After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service. With Windows 10 builds 18204 and above, the following URLs are used: https://ztd.dds.microsoft.com, https://cs.dds.microsoft.com.
-
-For all supported Windows 10 releases, Windows Autopilot also uses Windows Activation services. See Windows activation or validation fails with error code 0x8004FE33 for details about problems that might occur when you connect to the Internet through a proxy server.
- | | Azure Active Directory | User credentials are validated by Azure Active Directory, and the device can also be joined to Azure Active Directory. See Office 365 IP Address and URL Web service for more information.
- | | Intune | Once authenticated, Azure Active Directory will trigger enrollment of the device into the Intune MDM service. See the following link for details about network communication requirements: Intune network configuration requirements and bandwidth.
- | | Windows Update | During the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates. If there are problems connecting to Windows Update, see How to solve connection problems concerning Windows Update or Microsoft Update.
-
-If Windows Update is inaccessible, the AutoPilot process will still continue but critical updates will not be available.
-
- | | Delivery Optimization | When downloading Windows Updates, Microsoft Store apps and app updates, Office Updates and Intune Win32 Apps, the Delivery Optimization service is contacted to enable peer-to-peer sharing of content so that only a few devices need to download it from the internet.
-
-If the Delivery Optimization Service is inaccessible, the AutoPilot process will still continue with Delivery Optimization downloads from the cloud (without peer-to-peer).
-
- | | Network Time Protocol (NTP) Sync | When a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate. Ensure that UDP port 123 to time.windows.com is accessible.
- | | Domain Name Services (DNS) | To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP. This DNS server must be able to resolve internet names.
- | | Diagnostics data | To enable Windows Analytics and related diagnostics capabilities, see Configure Windows diagnostic data in your organization.
-
-If diagnostic data cannot be sent, the Autopilot process will still continue, but services that depend on diagnostic data, such as Windows Analytics, will not work.
- | | Network Connection Status Indicator (NCSI) | Windows must be able to tell that the device is able to access the internet. For more information, see Network Connection Status Indicator (NCSI).
-
-www.msftconnecttest.com must be resolvable via DNS and accessible via HTTP.
- | | Windows Notification Services (WNS) | This service is used to enable Windows to receive notifications from apps and services. See Microsoft Store for more information.
-
-If the WNS services are not available, the Autopilot process will still continue without notifications.
- | | Microsoft Store, Microsoft Store for Business | Apps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM). App updates and additional apps may also be needed when the user first logs in. For more information, see Prerequisites for Microsoft Store for Business and Education (also includes Azure AD and Windows Notification Services).
-
-If the Microsoft Store is not accessible, the AutoPilot process will still continue without Microsoft Store apps.
-
- | | Office 365 | As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above).
- | | Certificate revocation lists (CRLs) | Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services. A full list of these is documented at Office 365 URLs and IP address ranges and Office 365 Certificate Chains.
- |
-
-## Licensing requirements
-
-Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs:
-
-To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required:
- - [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business)
- - [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline)
- - [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx)
- - [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune).
- - [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features.
- - [Intune for Education subscriptions](https://docs.microsoft.com/en-us/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features.
- - [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/en-us/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service).
-
-Additionally, the following are also recommended (but not required):
-- [Office 365 ProPlus](https://www.microsoft.com/en-us/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services).
-- [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise.
-
-## Configuration requirements
-
-Before Windows Autopilot can be used, some configuration tasks are required to support the common Autopilot scenarios.
-
-- Configure Azure Active Directory automatic enrollment. For Microsoft Intune, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) for details. If using a different MDM service, contact the vendor for the specific URLs or configuration needed for those services.
-- Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties).
-- Enable [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise.
-
-Specific scenarios will then have additional requirements. Generally, there are two specific tasks:
-
-- Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details.
-- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information.
-
-See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details.
-
-For a walkthrough for some of these and related steps, see this video:
-
-
-
-There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications).
-
-## Related topics
-
-[Configure Autopilot deployment](configure-autopilot.md)
+---
+title: Windows Autopilot requirements
+ms.reviewer:
+manager: laurawi
+description: Windows Autopilot deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+
+# Windows Autopilot requirements
+
+**Applies to: Windows 10**
+
+Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met.
+
+**Note**: For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsautopilot).
+
+## Software requirements
+
+- Windows 10 version 1703 (semi-annual channel) or higher is required.
+- The following editions are supported:
+ - Windows 10 Pro
+ - Windows 10 Pro Education
+ - Windows 10 Pro for Workstations
+ - Windows 10 Enterprise
+ - Windows 10 Education
+ - Windows 10 Enterprise 2019 LTSC
+
+## Networking requirements
+
+Windows Autopilot depends on a variety of internet-based services. Access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following:
+
+- Ensure DNS name resolution for internet DNS names
+- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP)
+
+In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the required services. For additional details about each of these services and their specific requirements, review the following details:
+
+| Service | Information
+ | | Windows Autopilot Deployment Service and Windows Activation | After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service. With Windows 10 builds 18204 and above, the following URLs are used: https://ztd.dds.microsoft.com, https://cs.dds.microsoft.com.
+
+For all supported Windows 10 releases, Windows Autopilot also uses Windows Activation services. See Windows activation or validation fails with error code 0x8004FE33 for details about problems that might occur when you connect to the Internet through a proxy server.
+ | | Azure Active Directory | User credentials are validated by Azure Active Directory, and the device can also be joined to Azure Active Directory. See Office 365 IP Address and URL Web service for more information.
+ | | Intune | Once authenticated, Azure Active Directory will trigger enrollment of the device into the Intune MDM service. See the following link for details about network communication requirements: Intune network configuration requirements and bandwidth.
+ | | Windows Update | During the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates. If there are problems connecting to Windows Update, see How to solve connection problems concerning Windows Update or Microsoft Update.
+
+If Windows Update is inaccessible, the AutoPilot process will still continue but critical updates will not be available.
+
+ | | Delivery Optimization | When downloading Windows Updates, Microsoft Store apps and app updates, Office Updates and Intune Win32 Apps, the Delivery Optimization service is contacted to enable peer-to-peer sharing of content so that only a few devices need to download it from the internet.
+
+If the Delivery Optimization Service is inaccessible, the AutoPilot process will still continue with Delivery Optimization downloads from the cloud (without peer-to-peer).
+
+ | | Network Time Protocol (NTP) Sync | When a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate. Ensure that UDP port 123 to time.windows.com is accessible.
+ | | Domain Name Services (DNS) | To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP. This DNS server must be able to resolve internet names.
+ | | Diagnostics data | To enable Windows Analytics and related diagnostics capabilities, see Configure Windows diagnostic data in your organization.
+
+If diagnostic data cannot be sent, the Autopilot process will still continue, but services that depend on diagnostic data, such as Windows Analytics, will not work.
+ | | Network Connection Status Indicator (NCSI) | Windows must be able to tell that the device is able to access the internet. For more information, see Network Connection Status Indicator (NCSI).
+
+www.msftconnecttest.com must be resolvable via DNS and accessible via HTTP.
+ | | Windows Notification Services (WNS) | This service is used to enable Windows to receive notifications from apps and services. See Microsoft Store for more information.
+
+If the WNS services are not available, the Autopilot process will still continue without notifications.
+ | | Microsoft Store, Microsoft Store for Business | Apps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM). App updates and additional apps may also be needed when the user first logs in. For more information, see Prerequisites for Microsoft Store for Business and Education (also includes Azure AD and Windows Notification Services).
+
+If the Microsoft Store is not accessible, the AutoPilot process will still continue without Microsoft Store apps.
+
+ | | Office 365 | As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above).
+ | | Certificate revocation lists (CRLs) | Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services. A full list of these is documented at Office 365 URLs and IP address ranges and Office 365 Certificate Chains.
+ | | Hybrid AAD join | Hybrid AAD can be join, the machine should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode
+ |
+
+## Licensing requirements
+
+Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs:
+
+To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required:
+ - [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business)
+ - [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline)
+ - [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx)
+ - [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune).
+ - [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features.
+ - [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features.
+ - [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service).
+
+Additionally, the following are also recommended (but not required):
+- [Office 365 ProPlus](https://www.microsoft.com/en-us/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services).
+- [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise.
+
+## Configuration requirements
+
+Before Windows Autopilot can be used, some configuration tasks are required to support the common Autopilot scenarios.
+
+- Configure Azure Active Directory automatic enrollment. For Microsoft Intune, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) for details. If using a different MDM service, contact the vendor for the specific URLs or configuration needed for those services.
+- Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties).
+- Enable [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise.
+
+Specific scenarios will then have additional requirements. Generally, there are two specific tasks:
+
+- Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details.
+- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information.
+
+See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details.
+
+For a walkthrough for some of these and related steps, see this video:
+
+
+
+There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications).
+
+## Related topics
+
+[Configure Autopilot deployment](configure-autopilot.md)
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset.md b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
index 8e06edad48..d58d236a4f 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-reset.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
@@ -48,7 +48,7 @@ Additional requirements and configuration details apply with each scenario; see
**Applies to: Windows 10, version 1709 and above**
-The Intune Service Administrator role is required to perform this task. For more information, see [Add users and grant administrative permission to Intune](https://docs.microsoft.com/en-us/intune/users-add).
+The Intune Service Administrator role is required to perform this task. For more information, see [Add users and grant administrative permission to Intune](https://docs.microsoft.com/intune/users-add).
IT admins can perform a local Windows Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With a local Autopilot Reset, devices are returned to a fully configured or known IT-approved state.
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
index ec85b05086..3422c91127 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
@@ -1,68 +1,68 @@
----
-title: Windows Autopilot scenarios and capabilities
-description: Windows Autopilot deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.reviewer: mniehaus
-manager: laurawi
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot scenarios and capabilities
-
-**Applies to: Windows 10**
-
-## Scenarios
-
-Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management).
-
-The following Windows Autopilot scenarios are described in this guide:
-
-
-| Scenario | More information
- | | Deploy devices that will be set up by a member of the organization and configured for that person | [Windows Autopilot user-driven mode](user-driven.md)
- | | Deploy devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device. | [Windows Autopilot self-deploying mode](self-deploying.md)
- | | Re-deploy a device in a business-ready state. | [Windows Autopilot Reset](windows-autopilot-reset.md)
- | | Pre-provision a device with up-to-date applications, policies and settings. | [White glove](white-glove.md)
- | | Deploy Windows 10 on an existing Windows 7 or 8.1 device | [Windows Autopilot for existing devices](existing-devices.md)
- |
-
-## Windows Autopilot capabilities
-
-### Windows Autopilot is self-updating during OOBE
-
-Starting with the Windows 10, version 1903, Autopilot functional and critical updates will begin downloading automatically during OOBE after a device gets connected to a network and the [critical driver and Windows zero-day patch (ZDP) updates](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe) have completed. The user or IT admin cannot opt-out of these Autopilot updates; they are required for Windows Autopilot deployment to operate properly. Windows will alert the user that the device is checking for, downloading and installing the updates.
-
-### Cortana voiceover and speech recognition during OOBE
-
-In Windows 10, version 1903 and later Cortana voiceover and speech recognition during OOBE is DISABLED by default for all Windows 10 Pro, Education and Enterprise SKUs.
-
-If desired, you can enable Cortana voiceover and speech recognition during OOBE by creating the following registry key. This key does not exist by default.
-
-HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\EnableVoiceForAllEditions
-
-The key value is a DWORD with **0** = disabled and **1** = enabled.
-
-| Value | Description |
-| --- | --- |
-| 0 | Cortana voiceover is disabled |
-| 1 | Cortana voiceover is enabled |
-| No value | Device will fall back to default behavior of the edition |
-
-To change this key value, use WCD tool to create as PPKG as documented [here](https://docs.microsoft.com/windows/configuration/wcd/wcd-oobe#nforce).
-
-### Bitlocker encryption
-
-With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. For more information, see [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md)
-
-## Related topics
-
-[Windows Autopilot: What's new](windows-autopilot-whats-new.md)
+---
+title: Windows Autopilot scenarios and capabilities
+description: Windows Autopilot deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.reviewer: mniehaus
+manager: laurawi
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+
+# Windows Autopilot scenarios and capabilities
+
+**Applies to: Windows 10**
+
+## Scenarios
+
+Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management).
+
+The following Windows Autopilot scenarios are described in this guide:
+
+
+| Scenario | More information
+ | | Deploy devices that will be set up by a member of the organization and configured for that person | [Windows Autopilot user-driven mode](user-driven.md)
+ | | Deploy devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device. | [Windows Autopilot self-deploying mode](self-deploying.md)
+ | | Re-deploy a device in a business-ready state. | [Windows Autopilot Reset](windows-autopilot-reset.md)
+ | | Pre-provision a device with up-to-date applications, policies and settings. | [White glove](white-glove.md)
+ | | Deploy Windows 10 on an existing Windows 7 or 8.1 device | [Windows Autopilot for existing devices](existing-devices.md)
+ |
+
+## Windows Autopilot capabilities
+
+### Windows Autopilot is self-updating during OOBE
+
+Starting with the Windows 10, version 1903, Autopilot functional and critical updates will begin downloading automatically during OOBE after a device gets connected to a network and the [critical driver and Windows zero-day patch (ZDP) updates](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe) have completed. The user or IT admin cannot opt-out of these Autopilot updates; they are required for Windows Autopilot deployment to operate properly. Windows will alert the user that the device is checking for, downloading and installing the updates.
+
+### Cortana voiceover and speech recognition during OOBE
+
+In Windows 10, version 1903 and later Cortana voiceover and speech recognition during OOBE is DISABLED by default for all Windows 10 Pro, Education and Enterprise SKUs.
+
+If desired, you can enable Cortana voiceover and speech recognition during OOBE by creating the following registry key. This key does not exist by default.
+
+HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\EnableVoiceForAllEditions
+
+The key value is a DWORD with **0** = disabled and **1** = enabled.
+
+| Value | Description |
+| --- | --- |
+| 0 | Cortana voiceover is disabled |
+| 1 | Cortana voiceover is enabled |
+| No value | Device will fall back to default behavior of the edition |
+
+To change this key value, use WCD tool to create as PPKG as documented [here](https://docs.microsoft.com/windows/configuration/wcd/wcd-oobe#nforce).
+
+### Bitlocker encryption
+
+With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. For more information, see [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md)
+
+## Related topics
+
+[Windows Autopilot: What's new](windows-autopilot-whats-new.md)
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md b/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md
index 9f414b3464..57c91a67e4 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md
@@ -42,6 +42,9 @@ Windows Autopilot [self-deploying mode](self-deploying.md) enables a zero touch
You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required.
+>[!NOTE]
+>Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809.
+
## Related topics
[What's new in Microsoft Intune](https://docs.microsoft.com/intune/whats-new)
diff --git a/windows/deployment/windows-autopilot/windows-autopilot.md b/windows/deployment/windows-autopilot/windows-autopilot.md
index d728e20c8b..7ad46ca665 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot.md
@@ -61,5 +61,5 @@ Windows 10 version 1703 or higher is required to use Windows Autopilot. See [Win
## Related topics
-[Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/en-us/intune/enrollment-autopilot)
+[Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot)
[Windows Autopilot scenarios and capabilities](windows-autopilot-scenarios.md)
\ No newline at end of file
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md
index c4e4de3c77..dfab99ad78 100644
--- a/windows/deployment/windows-deployment-scenarios-and-tools.md
+++ b/windows/deployment/windows-deployment-scenarios-and-tools.md
@@ -3,13 +3,13 @@ title: Windows 10 deployment tools (Windows 10)
description: To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process.
ms.assetid: 0d6cee1f-14c4-4b69-b29a-43b0b327b877
ms.reviewer:
-manager: dansimp
-ms.author: dansimp
+manager: laurawi
+ms.author: greg-lindsay
keywords: deploy, volume activation, BitLocker, recovery, install, installation, VAMT, MDT, USMT, WDS
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-author: dansimp
+author: greg-lindsay
ms.topic: article
---
diff --git a/windows/device-security/index.md b/windows/device-security/index.md
deleted file mode 100644
index be91262028..0000000000
--- a/windows/device-security/index.md
+++ /dev/null
@@ -1,3 +0,0 @@
----
-redirect_url: https://docs.microsoft.com/windows/security/threat-protection/
----
\ No newline at end of file
diff --git a/windows/eulas/index.md b/windows/eulas/index.md
index 2eb00343d3..daa4838aac 100644
--- a/windows/eulas/index.md
+++ b/windows/eulas/index.md
@@ -1,12 +1,12 @@
----
-title: Windows 10 - Testing in live
-description: What are Windows, UWP, and Win32 apps
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: mobile
-ms.author: elizapo
-author: lizap
-ms.localizationpriority: medium
----
-# Testing non-editability
+---
+title: Windows 10 - Testing in live
+description: What are Windows, UWP, and Win32 apps
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: mobile
+ms.author: elizapo
+author: lizap
+ms.localizationpriority: medium
+---
+# Testing non-editability
diff --git a/windows/hub/windows-10.yml b/windows/hub/windows-10.yml
index a981edf38a..e858c87806 100644
--- a/windows/hub/windows-10.yml
+++ b/windows/hub/windows-10.yml
@@ -40,7 +40,7 @@ sections:
- items:
- type: markdown
text: "
- Get answers to commom questions, or get help with a specific problem.
+ Get answers to common questions, or get help with a specific problem.
"
diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md
index 07465d680b..f1560f3a73 100644
--- a/windows/privacy/Microsoft-DiagnosticDataViewer.md
+++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md
@@ -46,7 +46,7 @@ Using the Diagnostic Data Viewer for PowerShell requires administrative (elevate
### Install the Diagnostic Data Viewer for PowerShell
>[!IMPORTANT]
- >It is recommended to visit the documentation on [Getting Started](https://docs.microsoft.com/en-us/powershell/gallery/getting-started) with PowerShell Gallery. This page provides more specific details on installing a PowerShell module.
+ >It is recommended to visit the documentation on [Getting Started](https://docs.microsoft.com/powershell/gallery/getting-started) with PowerShell Gallery. This page provides more specific details on installing a PowerShell module.
To install the newest version of the Diagnostic Data Viewer PowerShell module, run the following command within an elevated PowerShell session:
```powershell
@@ -106,9 +106,9 @@ The Diagnostic Data Viewer for PowerShell provides you with the following featur
- **View your diagnostic events.** Running `PS C:\> Get-DiagnosticData`, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft.
- Each event is displayed as a PowerShell Object. By default each event shows the event name, the time when it was seen by your Windows device, whether the event is [Basic](https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization), its [diagnostic event category](#view-diagnostic-event-categories), and a detailed JSON view of the information it contains, which shows the event exactly as it was when sent to Microsoft. Microsoft uses this info to continually improve the Windows operating system.
+ Each event is displayed as a PowerShell Object. By default each event shows the event name, the time when it was seen by your Windows device, whether the event is [Basic](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization), its [diagnostic event category](#view-diagnostic-event-categories), and a detailed JSON view of the information it contains, which shows the event exactly as it was when sent to Microsoft. Microsoft uses this info to continually improve the Windows operating system.
-- **View diagnostic event categories.** Each event shows the diagnostic event categories that it belongs to. These categories define how events are used by Microsoft. The categories are shown as numeric identifiers. For more information about these categories, see [Windows Diagnostic Data](https://docs.microsoft.com/en-us/windows/privacy/windows-diagnostic-data).
+- **View diagnostic event categories.** Each event shows the diagnostic event categories that it belongs to. These categories define how events are used by Microsoft. The categories are shown as numeric identifiers. For more information about these categories, see [Windows Diagnostic Data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data).
To view the diagnostic category represented by each numeric identifier and what the category means, you can run the command:
@@ -186,4 +186,4 @@ When resetting the size of your data history to a lower value, be sure to turn o
## Related Links
- [Module in PowerShell Gallery](https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer)
-- [Documentation for Diagnostic Data Viewer for PowerShell](https://docs.microsoft.com/en-us/powershell/module/microsoft.diagnosticdataviewer/?view=win10-ps)
+- [Documentation for Diagnostic Data Viewer for PowerShell](https://docs.microsoft.com/powershell/module/microsoft.diagnosticdataviewer/?view=win10-ps)
diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md
index 1dd34ad810..e4021e6946 100644
--- a/windows/privacy/TOC.md
+++ b/windows/privacy/TOC.md
@@ -1,32 +1,32 @@
-# [Privacy](index.yml)
-## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)
-## [Windows and the GDPR: Information for IT Administrators and Decision Makers](gdpr-it-guidance.md)
-## [Windows 10 & Privacy Compliance: A Guide for IT and Compliance Professionals](Windows-10-and-privacy-compliance.md)
-## [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md)
-## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
-## Diagnostic Data Viewer
-### [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
-### [Diagnostic Data Viewer for PowerShell Overview](Microsoft-DiagnosticDataViewer.md)
-## Basic level Windows diagnostic data events and fields
-### [Windows 10, version 1903 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
-### [Windows 10, version 1809 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
-### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
-### [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
-### [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
-## Enhanced level Windows diagnostic data events and fields
-### [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)
-## Full level categories
-### [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md)
-### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md)
-## Manage Windows 10 connection endpoints
-### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
-### [Manage connections from Windows operating system components to Microsoft services using MDM](manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md)
-### [Connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
-### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
-### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
-### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
-### [Connection endpoints for non-Enterprise editions of Windows 10, version 1903](windows-endpoints-1903-non-enterprise-editions.md)
-### [Connection endpoints for non-Enterprise editions of Windows 10, version 1809](windows-endpoints-1809-non-enterprise-editions.md)
-### [Connection endpoints for non-Enterprise editions of Windows 10, version 1803](windows-endpoints-1803-non-enterprise-editions.md)
-### [Connection endpoints for non-Enterprise editions of Windows 10, version 1709](windows-endpoints-1709-non-enterprise-editions.md)
-
+# [Privacy](index.yml)
+## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)
+## [Windows and the GDPR: Information for IT Administrators and Decision Makers](gdpr-it-guidance.md)
+## [Windows 10 & Privacy Compliance: A Guide for IT and Compliance Professionals](Windows-10-and-privacy-compliance.md)
+## [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md)
+## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
+## Diagnostic Data Viewer
+### [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
+### [Diagnostic Data Viewer for PowerShell Overview](Microsoft-DiagnosticDataViewer.md)
+## Basic level Windows diagnostic data events and fields
+### [Windows 10, version 1903 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
+### [Windows 10, version 1809 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
+### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
+### [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
+### [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
+## Enhanced level Windows diagnostic data events and fields
+### [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)
+## Full level categories
+### [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md)
+### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md)
+## Manage Windows 10 connection endpoints
+### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
+### [Manage connections from Windows operating system components to Microsoft services using MDM](manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md)
+### [Connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
+### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
+### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
+### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
+### [Connection endpoints for non-Enterprise editions of Windows 10, version 1903](windows-endpoints-1903-non-enterprise-editions.md)
+### [Connection endpoints for non-Enterprise editions of Windows 10, version 1809](windows-endpoints-1809-non-enterprise-editions.md)
+### [Connection endpoints for non-Enterprise editions of Windows 10, version 1803](windows-endpoints-1803-non-enterprise-editions.md)
+### [Connection endpoints for non-Enterprise editions of Windows 10, version 1709](windows-endpoints-1709-non-enterprise-editions.md)
+
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
index 4b6a124ff2..fc00e91cc2 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
@@ -342,7 +342,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
-This event indicates Indicates that the DecisionApplicationFile object is no longer present.
+This event indicates that the DecisionApplicationFile object is no longer present.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -678,7 +678,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
-This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent.
+This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2457,7 +2457,7 @@ The following fields are available:
- **Enumerator** Identifies the bus that enumerated the device.
- **HWID** A list of hardware IDs for the device. See [HWID](#hwid).
- **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf).
-- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
+- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx
- **InventoryVersion** The version number of the inventory process generating the events.
- **LowerClassFilters** The identifiers of the Lower Class filters installed for the device.
- **LowerFilters** The identifiers of the Lower filters installed for the device.
@@ -5029,7 +5029,7 @@ The following fields are available:
- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
-- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
index a88ae5d6a4..14db4d2683 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
@@ -362,7 +362,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
-This event indicates Indicates that the DecisionApplicationFile object is no longer present.
+This event indicates that the DecisionApplicationFile object is no longer present.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -710,7 +710,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
-This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent.
+This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2497,7 +2497,7 @@ The following fields are available:
- **Enumerator** Identifies the bus that enumerated the device.
- **HWID** A list of hardware IDs for the device.
- **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf).
-- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
+- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx
- **InventoryVersion** The version number of the inventory process generating the events.
- **LowerClassFilters** The identifiers of the Lower Class filters installed for the device.
- **LowerFilters** The identifiers of the Lower filters installed for the device.
@@ -5274,7 +5274,7 @@ The following fields are available:
- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
-- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index ac8f4d3e3c..d6eb2975ad 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -396,7 +396,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
-This event indicates Indicates that the DecisionApplicationFile object is no longer present.
+This event indicates that the DecisionApplicationFile object is no longer present.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -747,7 +747,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
-This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent.
+This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3415,7 +3415,7 @@ The following fields are available:
- **Enumerator** Identifies the bus that enumerated the device.
- **HWID** A list of hardware IDs for the device.
- **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf).
-- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
+- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx
- **InventoryVersion** The version number of the inventory process generating the events.
- **LowerClassFilters** The identifiers of the Lower Class filters installed for the device.
- **LowerFilters** The identifiers of the Lower filters installed for the device.
@@ -6041,7 +6041,7 @@ The following fields are available:
- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
-- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index 765419c245..b5c02de9bd 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -821,7 +821,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
-This event indicates Indicates that the DecisionApplicationFile object is no longer present.
+This event indicates that the DecisionApplicationFile object is no longer present.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1173,7 +1173,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
-This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent.
+This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3914,7 +3914,7 @@ The following fields are available:
- **HWID** A list of hardware IDs for the device.
- **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf).
- **InstallDate** The date of the most recent installation of the device on the machine.
-- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
+- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx
- **InventoryVersion** The version number of the inventory process generating the events.
- **LowerClassFilters** The identifiers of the Lower Class filters installed for the device.
- **LowerFilters** The identifiers of the Lower filters installed for the device.
@@ -6512,7 +6512,7 @@ The following fields are available:
- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
-- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
index 9f8a2900c9..54f9081648 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
@@ -681,7 +681,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
-This event indicates Indicates that the DecisionApplicationFile object is no longer present.
+This event indicates that the DecisionApplicationFile object is no longer present.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1000,7 +1000,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
-This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent.
+This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3352,7 +3352,7 @@ The following fields are available:
- **HWID** The version of the driver loaded for the device.
- **Inf** The bus that enumerated the device.
- **InstallDate** The date of the most recent installation of the device on the machine.
-- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
+- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx
- **InventoryVersion** List of hardware ids for the device.
- **LowerClassFilters** Lower filter class drivers IDs installed for the device
- **LowerFilters** Lower filter drivers IDs installed for the device
@@ -6285,7 +6285,7 @@ The following fields are available:
- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
-- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index 12a92da773..12db0fe2fe 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -1,454 +1,454 @@
----
-description: Use this article to make informed decisions about how you can configure diagnostic data in your organization.
-title: Configure Windows diagnostic data in your organization (Windows 10)
-keywords: privacy
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: high
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 04/29/2019
----
-
-# Configure Windows diagnostic data in your organization
-
-**Applies to**
-
-- Windows 10 Enterprise
-- Windows 10 Mobile
-- Windows Server
-
-This article applies to Windows and Windows Server diagnostic data only. It describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers.
-
-Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component. Microsoft uses diagnostic data to keep Windows secure and up to date, troubleshoot problems, and make product improvements.
-
-We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
-
-## Overview of Windows diagnostic data
-
-At Microsoft, we use Windows diagnostic data to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data gives users a voice in the operating system’s development. This guide describes the importance of Windows diagnostic data and how we protect that data. Additionally, it differentiates between diagnostic data and functional data. It also describes the diagnostic data levels that Windows supports. Of course, you can choose how much diagnostic data is shared with Microsoft, and this guide demonstrates how.
-
-To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways:
-
-- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools.
-- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions.
-- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection.
-- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right.
-- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting.
-- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers.
-
-In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM.
-
-For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization.
-
-## Understanding Windows diagnostic data
-
-Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us.
-
-The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts.
-
-### What is Windows diagnostic data?
-Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
-
-- Keep Windows up to date
-- Keep Windows secure, reliable, and performant
-- Improve Windows – through the aggregate analysis of the use of Windows
-- Personalize Windows engagement surfaces
-
-Here are some specific examples of Windows diagnostic data:
-
-- Type of hardware being used
-- Applications installed and usage details
-- Reliability information on device drivers
-
-### What is NOT diagnostic data?
-
-Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a user’s location for local weather or news is not an example of diagnostic data—it is functional data that the app or service requires to satisfy the user’s request.
-
-There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data.
-
-If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services).
-
-The following are specific examples of functional data:
-
-- Current location for weather
-- Bing searches
-- Wallpaper and desktop settings synced across multiple devices
-
-### Diagnostic data gives users a voice
-
-Windows and Windows Server diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits.
-
-### Improve app and driver quality
-
-Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues.
-
-#### Real-world example of how Windows diagnostic data helps
-There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
-
-### Improve end-user productivity
-
-Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are:
-
-- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time.
-- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance.
-- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
-
-**These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
-
-### Insights into your own organization
-
-Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
-
-#### Upgrade Readiness
-
-Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points.
-
-To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis.
-
-With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft.
-
-Use Upgrade Readiness to get:
-
-- A visual workflow that guides you from pilot to production
-- Detailed computer, driver, and application inventory
-- Powerful computer level search and drill-downs
-- Guidance and insights into application and driver compatibility issues with suggested fixes
-- Data driven application rationalization tools
-- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
-- Data export to commonly used software deployment tools
-
-The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
-
-## How Microsoft handles diagnostic data
-
-The diagnostic data is categorized into four levels:
-
-- [**Security**](#security-level). Information that’s required to help keep Windows and Windows Server secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
-
-- [**Basic**](#basic-level). Basic device info, including: quality-related data, app compatibility, and data from the **Security** level.
-
-- [**Enhanced**](#enhanced-level). Additional insights, including: how Windows, Windows Server, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels.
-
-- [**Full**](#full-level). Includes information about the websites you browse, how you use apps and features, plus additional information about device health, device activity (sometimes referred to as usage), and enhanced error reporting. At Full, Microsoft also collects the memory state of your device when a system or app crash occurs. It includes data from the **Security**, **Basic**, and **Enhanced** levels.
-
-Diagnostic data levels are cumulative, meaning each subsequent level includes data collected through lower levels. For more information see the [Diagnostic data levels](#diagnostic-data-levels) section.
-
-### Data collection
-
-Windows 10 and Windows Server includes the Connected User Experiences and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
-
-1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
-2. Events are gathered using public operating system event logging and tracing APIs.
-3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings.
-4. The Connected User Experiences and Telemetry component transmits the diagnostic data.
-
-Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
-
-### Data transmission
-
-All diagnostic data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
-
-The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day, but occasionally up to 2 MB per device per day).
-
-### Endpoints
-
-The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
-
-The following table defines the endpoints for Connected User Experiences and Telemetry component:
-
-Windows release | Endpoint
---- | ---
-Windows 10, versions 1703 or later, with the 2018-09 cumulative update installed| **Diagnostics data** - v10c.vortex-win.data.microsoft.com**Functional** - v20.vortex-win.data.microsoft.com**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com**Settings** - win.data.microsoft.com
-Windows 10, versions 1803 or later, without the 2018-09 cumulative update installed | **Diagnostics data** - v10.events.data.microsoft.com**Functional** - v20.vortex-win.data.microsoft.com**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com**Settings** - win.data.microsoft.com
-Windows 10, version 1709 or earlier | **Diagnostics data** - v10.vortex-win.data.microsoft.com**Functional** - v20.vortex-win.data.microsoft.com**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com**Settings** - win.data.microsoft.com
-
-The following table defines the endpoints for other diagnostic data services:
-
-| Service | Endpoint |
-| - | - |
-| [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
-| | ceuswatcab01.blob.core.windows.net |
-| | ceuswatcab02.blob.core.windows.net |
-| | eaus2watcab01.blob.core.windows.net |
-| | eaus2watcab02.blob.core.windows.net |
-| | weus2watcab01.blob.core.windows.net |
-| | weus2watcab02.blob.core.windows.net |
-| [Online Crash Analysis](https://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
-| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |
-| Microsoft Defender Advanced Threat Protection | https://wdcp.microsoft.comhttps://wdcpalt.microsoft.com |
-
-### Data use and access
-
-The principle of least privileged access guides access to diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
-
-### Retention
-
-Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history.
-
-## Manage enterprise diagnostic data level
-
-### Enterprise management
-
-Sharing diagnostic data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option.
-
-Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, in **Privacy** > **Diagnostics & feedback**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available.
-
-IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server, the Security diagnostic data level is available when managing the policy. Setting the diagnostic data level through policy sets the upper boundary for the users’ choices. To disable user choice after setting the level with the policy, you will need to use the "Configure telemetry opt-in setting user interface" group policy. The remainder of this article describes how to use group policy to configure levels and settings interface.
-
-
-#### Manage your diagnostic data settings
-
-Use the steps in this article to set and/or adjust the diagnostic data settings for Windows and Windows Server in your organization.
-
-> [!IMPORTANT]
-> These diagnostic data levels only apply to Windows and Windows Server components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of privacy controls for Office 365 ProPlus](/deployoffice/privacy/overview-privacy-controls).
-
-The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server is **Enhanced**.
-
-### Configure the diagnostic data level
-
-You can configure your device's diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device.
-
-Use the appropriate value in the table below when you configure the management policy.
-
-| Level | Value |
-| - | - |
-| Security | **0** |
-| Basic | **1** |
-| Enhanced | **2** |
-| Full | **3** |
-
- > [!NOTE]
- > When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used.
-
-### Use Group Policy to set the diagnostic data level
-
-Use a Group Policy object to set your organization’s diagnostic data level.
-
-1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
-
-2. Double-click **Allow Telemetry**.
-
-3. In the **Options** box, select the level that you want to configure, and then click **OK**.
-
-### Use MDM to set the diagnostic data level
-
-Use the [Policy Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy.
-
-### Use Registry Editor to set the diagnostic data level
-
-Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
-
-1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**.
-
-2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**.
-
-3. Type **AllowTelemetry**, and then press ENTER.
-
-4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.**
-
-5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
-
-### Additional diagnostic data controls
-
-There are a few more settings that you can turn off that may send diagnostic data information:
-
-- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](https://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
-
-- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**.
-
-- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716).
-
-- Turn off **Improve inking and typing** in **Settings** > **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
-
- > [!NOTE]
- > Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
-
-## Diagnostic data levels
-
-These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server.
-
-### Security level
-
-The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.
-
-> [!NOTE]
-> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
-
-Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered.
-
-The data gathered at this level includes:
-
-- **Connected User Experiences and Telemetry component settings**. If general diagnostic data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
-
-- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
-
- > [!NOTE]
- > You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716).
-
-- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
-
- > [!NOTE]
- > This reporting can be turned off and no information is included if a customer is using third-party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender).
-
- Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
-
-For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity.
-
-No user content, such as user files or communications, is gathered at the **Security** diagnostic data level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
-
-### Basic level
-
-The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent.
-
-This is the default level for Windows 10 Education editions, as well as all desktop editions starting with Windows 10, version 1903.
-
-The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device.
-
-The data gathered at this level includes:
-
-- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Servers in the ecosystem. Examples include:
-
- - Device attributes, such as camera resolution and display type
-
- - Internet Explorer version
-
- - Battery attributes, such as capacity and type
-
- - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number
-
- - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware
-
- - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system
-
- - Operating system attributes, such as Windows edition and virtualization state
-
- - Storage attributes, such as number of drives, type, and size
-
-- **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time.
-
-- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
-
-- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems.
-
- - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage.
-
- - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
-
- - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS.
-
- - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
-
- - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
-
-- **Microsoft Store**. Provides information about how the Microsoft Store performs, including app downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and resumes, and obtaining licenses.
-
-
-### Enhanced level
-
-The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
-
-This level is needed to quickly identify and address Windows and Windows Server quality issues.
-
-The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device.
-
-The data gathered at this level includes:
-
-- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
-
-- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge.
-
-- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
-
-- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps.
-
-If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the **Enhanced** diagnostic data level will only gather data about the events associated with the specific issue.
-
-### Full level
-
-The Full level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the Basic, Enhanced, and Security levels.
-
-Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level.
-
-If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** diagnostic data level and have exhibited the problem.
-
-However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
-
-- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
-
-- Ability to get registry keys.
-
-- All crash dump types, including heap dumps and full dumps.
-
-> [!NOTE]
-> Crash dumps collected at this diagnostic data level may unintentionally contain personal data, such as portions of memory from a documents, a web page, etc.
-
-## Limit Enhanced diagnostic data to the minimum required by Windows Analytics
-
-Windows Analytics Device Health reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events. In the past, organizations sending **Enhanced** or **Full** level diagnostic data were able to participate in Device Health. However, organizations that required detailed event and field level documentation were unable to move from **Basic** to **Enhanced**.
-
-In Windows 10, version 1709, we introduced the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic.
-
-- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) topic.
-
-- **Some crash dump types.** Triage dumps for user mode and mini dumps for kernel mode.
-
->[!NOTE]
-> Triage dumps are a type of [minidumps](https://docs.microsoft.com/windows/desktop/debug/minidump-files) that go through a process of user-sensitive information scrubbing. Some user-sensitive information may be missed in the process, and will therefore be sent with the dump.
-
-### Enable limiting enhanced diagnostic data to the minimum required by Windows Analytics
-
-1. Set the diagnostic data level to **Enhanced**, using either Group Policy or MDM.
-
- a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Allow telemetry** setting to **2**.
-
- -OR-
-
- b. Using MDM, use the Policy CSP to set the **System/AllowTelemetry** value to **2**.
-
- -AND-
-
-2. Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM.
-
- a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the minimum required by Windows Analytics** setting to **Enabled**.
-
- -OR-
-
- b. Using MDM, use the Policy CSP to set the **System/LimitEnhancedDiagnosticDataWindowsAnalytics** value to **1**.
-
-## Additional resources
-
-FAQs
-
-- [Cortana, Search, and privacy](https://privacy.microsoft.com/windows-10-cortana-and-privacy)
-- [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy)
-- [Windows 10 camera and privacy](https://privacy.microsoft.com/windows-10-camera-and-privacy)
-- [Windows 10 location service and privacy](https://privacy.microsoft.com/windows-10-location-and-privacy)
-- [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy)
-- [Windows 10 speech, inking, typing, and privacy](https://privacy.microsoft.com/windows-10-speech-inking-typing-and-privacy-faq)
-- [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy)
-- [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense)
-- [Windows Update Delivery Optimization](https://privacy.microsoft.com/windows-10-windows-update-delivery-optimization)
-
-Blogs
-
-- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
-
-Privacy Statement
-
-- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
-
-TechNet
-
-- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
-
-Web Pages
-
-- [Privacy at Microsoft](https://privacy.microsoft.com)
+---
+description: Use this article to make informed decisions about how you can configure diagnostic data in your organization.
+title: Configure Windows diagnostic data in your organization (Windows 10)
+keywords: privacy
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+audience: ITPro
+author: dansimp
+ms.author: dansimp
+manager: dansimp
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 04/29/2019
+---
+
+# Configure Windows diagnostic data in your organization
+
+**Applies to**
+
+- Windows 10 Enterprise
+- Windows 10 Mobile
+- Windows Server
+
+This article applies to Windows and Windows Server diagnostic data only. It describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers.
+
+Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component. Microsoft uses diagnostic data to keep Windows secure and up to date, troubleshoot problems, and make product improvements.
+
+We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
+
+## Overview of Windows diagnostic data
+
+At Microsoft, we use Windows diagnostic data to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data gives users a voice in the operating system’s development. This guide describes the importance of Windows diagnostic data and how we protect that data. Additionally, it differentiates between diagnostic data and functional data. It also describes the diagnostic data levels that Windows supports. Of course, you can choose how much diagnostic data is shared with Microsoft, and this guide demonstrates how.
+
+To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways:
+
+- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools.
+- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions.
+- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection.
+- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right.
+- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting.
+- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers.
+
+In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM.
+
+For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization.
+
+## Understanding Windows diagnostic data
+
+Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us.
+
+The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts.
+
+### What is Windows diagnostic data?
+Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
+
+- Keep Windows up to date
+- Keep Windows secure, reliable, and performant
+- Improve Windows – through the aggregate analysis of the use of Windows
+- Personalize Windows engagement surfaces
+
+Here are some specific examples of Windows diagnostic data:
+
+- Type of hardware being used
+- Applications installed and usage details
+- Reliability information on device drivers
+
+### What is NOT diagnostic data?
+
+Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a user’s location for local weather or news is not an example of diagnostic data—it is functional data that the app or service requires to satisfy the user’s request.
+
+There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data.
+
+If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services).
+
+The following are specific examples of functional data:
+
+- Current location for weather
+- Bing searches
+- Wallpaper and desktop settings synced across multiple devices
+
+### Diagnostic data gives users a voice
+
+Windows and Windows Server diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits.
+
+### Improve app and driver quality
+
+Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues.
+
+#### Real-world example of how Windows diagnostic data helps
+There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
+
+### Improve end-user productivity
+
+Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are:
+
+- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time.
+- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance.
+- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
+
+**These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
+
+### Insights into your own organization
+
+Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
+
+#### Upgrade Readiness
+
+Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points.
+
+To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis.
+
+With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft.
+
+Use Upgrade Readiness to get:
+
+- A visual workflow that guides you from pilot to production
+- Detailed computer, driver, and application inventory
+- Powerful computer level search and drill-downs
+- Guidance and insights into application and driver compatibility issues with suggested fixes
+- Data driven application rationalization tools
+- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
+- Data export to commonly used software deployment tools
+
+The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
+
+## How Microsoft handles diagnostic data
+
+The diagnostic data is categorized into four levels:
+
+- [**Security**](#security-level). Information that’s required to help keep Windows and Windows Server secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
+
+- [**Basic**](#basic-level). Basic device info, including: quality-related data, app compatibility, and data from the **Security** level.
+
+- [**Enhanced**](#enhanced-level). Additional insights, including: how Windows, Windows Server, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels.
+
+- [**Full**](#full-level). Includes information about the websites you browse, how you use apps and features, plus additional information about device health, device activity (sometimes referred to as usage), and enhanced error reporting. At Full, Microsoft also collects the memory state of your device when a system or app crash occurs. It includes data from the **Security**, **Basic**, and **Enhanced** levels.
+
+Diagnostic data levels are cumulative, meaning each subsequent level includes data collected through lower levels. For more information see the [Diagnostic data levels](#diagnostic-data-levels) section.
+
+### Data collection
+
+Windows 10 and Windows Server includes the Connected User Experiences and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
+
+1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
+2. Events are gathered using public operating system event logging and tracing APIs.
+3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings.
+4. The Connected User Experiences and Telemetry component transmits the diagnostic data.
+
+Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
+
+### Data transmission
+
+All diagnostic data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
+
+The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day, but occasionally up to 2 MB per device per day).
+
+### Endpoints
+
+The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
+
+The following table defines the endpoints for Connected User Experiences and Telemetry component:
+
+Windows release | Endpoint
+--- | ---
+Windows 10, versions 1703 or later, with the 2018-09 cumulative update installed| **Diagnostics data** - v10c.vortex-win.data.microsoft.com**Functional** - v20.vortex-win.data.microsoft.com**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com**Settings** - win.data.microsoft.com
+Windows 10, versions 1803 or later, without the 2018-09 cumulative update installed | **Diagnostics data** - v10.events.data.microsoft.com**Functional** - v20.vortex-win.data.microsoft.com**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com**Settings** - win.data.microsoft.com
+Windows 10, version 1709 or earlier | **Diagnostics data** - v10.vortex-win.data.microsoft.com**Functional** - v20.vortex-win.data.microsoft.com**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com**Settings** - win.data.microsoft.com
+
+The following table defines the endpoints for other diagnostic data services:
+
+| Service | Endpoint |
+| - | - |
+| [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
+| | ceuswatcab01.blob.core.windows.net |
+| | ceuswatcab02.blob.core.windows.net |
+| | eaus2watcab01.blob.core.windows.net |
+| | eaus2watcab02.blob.core.windows.net |
+| | weus2watcab01.blob.core.windows.net |
+| | weus2watcab02.blob.core.windows.net |
+| [Online Crash Analysis](https://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
+| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |
+| Microsoft Defender Advanced Threat Protection | https://wdcp.microsoft.comhttps://wdcpalt.microsoft.com |
+
+### Data use and access
+
+The principle of least privileged access guides access to diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
+
+### Retention
+
+Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history.
+
+## Manage enterprise diagnostic data level
+
+### Enterprise management
+
+Sharing diagnostic data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option.
+
+Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, in **Privacy** > **Diagnostics & feedback**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available.
+
+IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server, the Security diagnostic data level is available when managing the policy. Setting the diagnostic data level through policy sets the upper boundary for the users’ choices. To disable user choice after setting the level with the policy, you will need to use the "Configure telemetry opt-in setting user interface" group policy. The remainder of this article describes how to use group policy to configure levels and settings interface.
+
+
+#### Manage your diagnostic data settings
+
+Use the steps in this article to set and/or adjust the diagnostic data settings for Windows and Windows Server in your organization.
+
+> [!IMPORTANT]
+> These diagnostic data levels only apply to Windows and Windows Server components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of privacy controls for Office 365 ProPlus](/deployoffice/privacy/overview-privacy-controls).
+
+The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server is **Enhanced**.
+
+### Configure the diagnostic data level
+
+You can configure your device's diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device.
+
+Use the appropriate value in the table below when you configure the management policy.
+
+| Level | Value |
+| - | - |
+| Security | **0** |
+| Basic | **1** |
+| Enhanced | **2** |
+| Full | **3** |
+
+ > [!NOTE]
+ > When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used.
+
+### Use Group Policy to set the diagnostic data level
+
+Use a Group Policy object to set your organization’s diagnostic data level.
+
+1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
+
+2. Double-click **Allow Telemetry**.
+
+3. In the **Options** box, select the level that you want to configure, and then click **OK**.
+
+### Use MDM to set the diagnostic data level
+
+Use the [Policy Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy.
+
+### Use Registry Editor to set the diagnostic data level
+
+Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
+
+1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**.
+
+2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**.
+
+3. Type **AllowTelemetry**, and then press ENTER.
+
+4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.**
+
+5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
+
+### Additional diagnostic data controls
+
+There are a few more settings that you can turn off that may send diagnostic data information:
+
+- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](https://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
+
+- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**.
+
+- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716).
+
+- Turn off **Improve inking and typing** in **Settings** > **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
+
+ > [!NOTE]
+ > Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
+
+## Diagnostic data levels
+
+These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server.
+
+### Security level
+
+The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.
+
+> [!NOTE]
+> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
+
+Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered.
+
+The data gathered at this level includes:
+
+- **Connected User Experiences and Telemetry component settings**. If general diagnostic data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
+
+- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
+
+ > [!NOTE]
+ > You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716).
+
+- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
+
+ > [!NOTE]
+ > This reporting can be turned off and no information is included if a customer is using third-party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender).
+
+ Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
+
+For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity.
+
+No user content, such as user files or communications, is gathered at the **Security** diagnostic data level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
+
+### Basic level
+
+The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent.
+
+This is the default level for Windows 10 Education editions, as well as all desktop editions starting with Windows 10, version 1903.
+
+The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device.
+
+The data gathered at this level includes:
+
+- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Servers in the ecosystem. Examples include:
+
+ - Device attributes, such as camera resolution and display type
+
+ - Internet Explorer version
+
+ - Battery attributes, such as capacity and type
+
+ - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number
+
+ - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware
+
+ - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system
+
+ - Operating system attributes, such as Windows edition and virtualization state
+
+ - Storage attributes, such as number of drives, type, and size
+
+- **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time.
+
+- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
+
+- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems.
+
+ - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage.
+
+ - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
+
+ - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS.
+
+ - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
+
+ - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
+
+- **Microsoft Store**. Provides information about how the Microsoft Store performs, including app downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and resumes, and obtaining licenses.
+
+
+### Enhanced level
+
+The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
+
+This level is needed to quickly identify and address Windows and Windows Server quality issues.
+
+The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device.
+
+The data gathered at this level includes:
+
+- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
+
+- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge.
+
+- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
+
+- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps.
+
+If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the **Enhanced** diagnostic data level will only gather data about the events associated with the specific issue.
+
+### Full level
+
+The Full level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the Basic, Enhanced, and Security levels.
+
+Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level.
+
+If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** diagnostic data level and have exhibited the problem.
+
+However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
+
+- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
+
+- Ability to get registry keys.
+
+- All crash dump types, including heap dumps and full dumps.
+
+> [!NOTE]
+> Crash dumps collected at this diagnostic data level may unintentionally contain personal data, such as portions of memory from a documents, a web page, etc.
+
+## Limit Enhanced diagnostic data to the minimum required by Windows Analytics
+
+Windows Analytics Device Health reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events. In the past, organizations sending **Enhanced** or **Full** level diagnostic data were able to participate in Device Health. However, organizations that required detailed event and field level documentation were unable to move from **Basic** to **Enhanced**.
+
+In Windows 10, version 1709, we introduced the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic.
+
+- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) topic.
+
+- **Some crash dump types.** Triage dumps for user mode and mini dumps for kernel mode.
+
+>[!NOTE]
+> Triage dumps are a type of [minidumps](https://docs.microsoft.com/windows/desktop/debug/minidump-files) that go through a process of user-sensitive information scrubbing. Some user-sensitive information may be missed in the process, and will therefore be sent with the dump.
+
+### Enable limiting enhanced diagnostic data to the minimum required by Windows Analytics
+
+1. Set the diagnostic data level to **Enhanced**, using either Group Policy or MDM.
+
+ a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Allow telemetry** setting to **2**.
+
+ -OR-
+
+ b. Using MDM, use the Policy CSP to set the **System/AllowTelemetry** value to **2**.
+
+ -AND-
+
+2. Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM.
+
+ a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the minimum required by Windows Analytics** setting to **Enabled**.
+
+ -OR-
+
+ b. Using MDM, use the Policy CSP to set the **System/LimitEnhancedDiagnosticDataWindowsAnalytics** value to **1**.
+
+## Additional resources
+
+FAQs
+
+- [Cortana, Search, and privacy](https://privacy.microsoft.com/windows-10-cortana-and-privacy)
+- [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy)
+- [Windows 10 camera and privacy](https://privacy.microsoft.com/windows-10-camera-and-privacy)
+- [Windows 10 location service and privacy](https://privacy.microsoft.com/windows-10-location-and-privacy)
+- [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy)
+- [Windows 10 speech, inking, typing, and privacy](https://privacy.microsoft.com/windows-10-speech-inking-typing-and-privacy-faq)
+- [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy)
+- [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense)
+- [Windows Update Delivery Optimization](https://privacy.microsoft.com/windows-10-windows-update-delivery-optimization)
+
+Blogs
+
+- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
+
+Privacy Statement
+
+- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
+
+TechNet
+
+- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
+
+Web Pages
+
+- [Privacy at Microsoft](https://privacy.microsoft.com)
diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md
index f5e4bd8b0e..8577fea884 100644
--- a/windows/privacy/diagnostic-data-viewer-overview.md
+++ b/windows/privacy/diagnostic-data-viewer-overview.md
@@ -45,7 +45,7 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn
Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/en-us/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page.
>[!Important]
- >It's possible that your Windows machine may not have the Microsoft Store available (e.g. Windows Server). If this is the case, please check out [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2023830).
+ >It's possible that your Windows machine may not have the Microsoft Store available (e.g. Windows Server). If this is the case, please check out [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2094264).
### Start the Diagnostic Data Viewer
You can start this app from the **Settings** panel.
diff --git a/windows/privacy/gdpr-it-guidance.md b/windows/privacy/gdpr-it-guidance.md
index d032754214..088f0adccd 100644
--- a/windows/privacy/gdpr-it-guidance.md
+++ b/windows/privacy/gdpr-it-guidance.md
@@ -1,309 +1,309 @@
----
-title: Windows and the GDPR-Information for IT Administrators and Decision Makers
-description: Use this topic to understand the relationship between users in your organization and Microsoft in the context of the GDPR (General Data Protection Regulation).
-keywords: privacy, GDPR, windows, IT
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: high
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 05/11/2018
-ms.reviewer:
----
-# Windows and the GDPR: Information for IT Administrators and Decision Makers
-
-Applies to:
-- Windows 10, version 1809
-- Windows 10, version 1803
-- Windows 10, version 1709
-- Windows 10, version 1703
-- Windows 10 Team Edition, version 1703 for Surface Hub
-- Windows Server 2019
-- Windows Server 2016
-- Windows Analytics
-
-This topic provides IT Decision Makers with a basic understanding of the relationship between users in an organization and Microsoft in the context of the GDPR (General Data Protection Regulation). You will also learn what role an IT organization plays for that relationship.
-
-For more information about the GDPR, see:
-* [Microsoft GDPR Overview](https://aka.ms/GDPROverview)
-* [Microsoft Trust Center FAQs about the GDPR](https://aka.ms/gdpr-faq)
-* [Microsoft Service Trust Portal (STP)](https://aka.ms/stp)
-* [Get Started: Support for GDPR Accountability](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted)
-
-## GDPR fundamentals
-
-Here are some GDPR fundamentals:
-
-* On May 25, 2018, this EU data privacy law is implemented. It sets a new global bar for data privacy rights, security, and compliance.
-* The GDPR is fundamentally about protecting and enabling the privacy rights of individuals – both customers and employees.
-* The European law establishes strict global data privacy requirements governing how organizations manage and protect personal data while respecting individual choice – no matter where data is sent, processed, or stored.
-* A request by an individual to an organization to take an action on their personal data is referred to here as a *data subject request*, or *DSR*.
-
-Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR required significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization.
-
-### What is personal data under the GDPR?
-
-Article 4 (1) of [the GDPR](http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=en) defines personal data as any information relating to an identified or identifiable person. There is no distinction between a person’s private, public, or work roles. As defined by the GDPR, personal data includes, but is not limited to:
-* Name
-* Email address
-* Credit card numbers
-* IP addresses
-* Social media posts
-* Location information
-* Handwriting patterns
-* Voice input to cloud-based speech services
-
-### Controller and processor under the GDPR: Who does what
-
-#### Definition
-
-The GDPR describes specific requirements for allocating responsibility for controller and processor activities related to personal data. Thus, every organization that processes personal data must determine whether it is acting as a controller or processor for a specific scenario.
-
-* **Controller**: GDPR Article 4 (7) defines the ‘controller’ as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
-* **Processor**: According to the GDPR Article 4 (8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
-
-#### Controller scenario
-
-For example, when an organization is using Microsoft Windows Defender Advanced Threat Protection (ATP) to detect, investigate, and respond to advanced threats on their networks as part of their IT operations, that organization is collecting data from the user’s device – data, that might include personal data. In this scenario, the organization is the *controller* of the respective personal data, since the organization controls the purpose and means of the processing for data being collected from the devices that have Windows Defender ATP enabled.
-
-#### Processor scenario
-
-In the controller scenario described above, Microsoft is a *processor* because Microsoft provides data processing services to that controller (in the given example, an organization that subscribed to Windows Defender ATP and enabled it for the user’s device). As processor, Microsoft only processes data on behalf of the enterprise customer and does not have the right to process data beyond their instructions as specified in a written contract, such as the [Microsoft Product Terms and the Microsoft Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products.aspx).
-
-## GDPR relationship between a Windows 10 user and Microsoft
-
-For Windows 10 services, Microsoft usually is the controller (with exceptions, such as Windows Defender ATP). The following sections describe what that means for the related data.
-
-### Types of data exchanged with Microsoft
-
-Microsoft collects data from or generates data through interactions with users of Windows 10 devices. This information can contain personal data, as defined in [Article 4 (1) of the GDPR](http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=EN), that may be used to provide, support, and improve Windows 10 services.
-
-Microsoft discloses data collection and privacy practices in detail, for example:
-* As part of the Windows 10 installation;
-* In the Windows 10 privacy settings;
-* Via the web-based [Microsoft Privacy dashboard](https://account.microsoft.com/privacy); and
-* In the [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement).
-
-It is important to differentiate between two distinct types of data Windows services are dealing with.
-
-#### Windows functional data
-
-A user action, such as performing a Skype call, usually triggers the collection and transmission of Windows *functional data*. Some Windows components and applications connecting to Microsoft services also exchange Windows functional data to provide user functionality.
-
-Some other examples of Windows functional data:
-* The Weather app which can use the device’s location to retrieve local weather or community news.
-* Wallpaper and desktop settings that are synchronized across multiple devices.
-
-For more info on how IT Professionals can manage Windows functional data sent from an organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
-
-#### Windows diagnostic data
-
-Windows diagnostic data is used to keep the operating system secure and up-to-date, troubleshoot problems, and make product improvements. The data is encrypted before being sent back to Microsoft.
-
-Some examples of diagnostic data include:
-* The type of hardware being used, information about installed apps and usage details, and reliability data on drivers running on the device.
-* For users who have turned on “Tailored experiences”, it can be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for the needs of the user.
-
-Diagnostic data is categorized into the levels "Security", "Basic", "Enhanced", and "Full". For a detailed discussion about these diagnostic data levels please see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). To find more about what information is collected and how it is handled, see [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data).
-
->[!IMPORTANT]
->Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data. Please contact the publisher for further guidance on how to control the diagnostic data collection level and transmission of these applications and services.
-
-### Windows services where Microsoft is the processor under the GDPR
-
-Most Windows 10 services are controller services in terms of the GDPR – for both Windows functional data and Windows diagnostic data. But there are a few Windows services where Microsoft is a processor for functional data under the GDPR, such as [Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics) and [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/windowsforbusiness/windows-atp).
-
->[!NOTE]
->Both Windows Analytics and Windows Defender ATP are subscription services for organizations. Some functionality requires a certain license (please see [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare)).
-
-#### Windows Analytics
-
-[Windows Analytics](https://www.microsoft.com/en-us/windowsforbusiness/windows-analytics) is a service that provides rich, actionable information for helping organizations to gain deep insights into the operational efficiency and health of the Windows devices in their environment. It uses Windows diagnostic data from devices enrolled by the IT organization of an enterprise into the Windows Analytics service.
-
-Windows [transmits Windows diagnostic data](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) to Microsoft datacenters, where that data is analyzed and stored. With Windows Analytics, the IT organization can then view the analyzed data to detect and fix issues or to improve their processes for upgrading to Windows 10.
-
-As a result, in terms of the GDPR, the organization that has subscribed to Windows Analytics is acting as the controller, while Microsoft is the processor for Windows Analytics.
->[!NOTE]
->The IT organization must explicitly enable Windows Analytics for a device after the organization subscribes.
-
->[!IMPORTANT]
->Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for an enrolled device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device.
-
-#### Windows Defender ATP
-
-[Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) is cloud-based service that collects and analyzes usage data from an organization’s devices to detect security threats. Some of the data can contain personal data as defined by the GDPR. Enrolled devices transmit usage data to Microsoft datacenters, where that data is analyzed, processed, and stored. The security operations center (SOC) of the organization can view the analyzed data using the [Windows Defender ATP portal](https://securitycenter.windows.com/).
-
-As a result, in terms of the GDPR, the organization that has subscribed to Windows Defender ATP is acting as the controller, while Microsoft is the processor for Windows Defender ATP.
-
->[!NOTE]
->The IT organization must explicitly enable Windows Defender ATP for a device after the organization subscribes.
-
-#### At a glance – Windows 10 services GDPR mode of operations
-
-The following table lists in what GDPR mode – controller or processor – Windows 10 services are operating.
-
-| Service | Microsoft GDPR mode of operation |
-| --- | --- |
-| Windows Functional data | Controller or Processor* |
-| Windows Diagnostic data | Controller |
-| Windows Analytics | Processor |
-| Windows Defender Advanced Threat Detection (ATP) | Processor |
-
-*Table 1: Windows 10 GDPR modes of operations for different Windows 10 services*
-
-*/*Depending on which application/feature this is referring to.*
-
-## Windows diagnostic data and Windows 10
-
-
-### Recommended Windows 10 settings
-
-Windows diagnostic data collection level for Windows 10 can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques.
-
-* For Windows 10, version 1803 and version 1809, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics).
-
->[!NOTE]
->For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
-
-* For Windows 10, version 1709, and Windows 10, version 1703, the recommended Windows diagnostic level configuration for EEA and Switzerland commercial users is “Basic”.
-
->[!NOTE]
->For Windows 7, Microsoft recommends [configuring enterprise devices for Windows Analytics](/windows/deployment/update/windows-analytics-get-started) to facilitate upgrade planning to Windows 10.
-
-### Additional information for Windows Analytics
-
-Some Windows Analytics solutions and functionality, such as Update Compliance, works with “Basic” as minimum Windows diagnostic level. Other solutions and functionality of Windows Analytics, such as Device Health, require “Enhanced”.
-
-Those organizations who wish to share the smallest set of events for Windows Analytics and have set the Windows diagnostic level to “Enhanced” can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” setting. This filtering mechanism was that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics.
-
->[!NOTE]
->Additional information can be found at [Windows Analytics and privacy](/windows/deployment/update/windows-analytics-privacy
-).
-
-## Controlling Windows 10 data collection and notification about it
-
-Windows 10 sends diagnostic data to Microsoft services, and some of that data can contain personal data. Both the user and the IT organization have the ability to control the transmission of that data to Microsoft.
-
-### Adjusting privacy settings by the user
-
-A user has the ability to adjust additional privacy settings in Windows by navigating to *Start > Settings > Privacy*. For example, a user can control if location is enabled or disabled, whether or not to transmit feedback on inking and typing input to Microsoft for improving the personal accuracy of these services, or if Windows collects activities for syncing it with other devices.
-
-For a standard user in an organization, some privacy settings might be controlled by their IT department. This is done using Group Policies or Mobile Device Management (MDM) settings. If this is the case, the user will see an alert that says ‘Some settings are hidden or managed by your organization’ when they navigate to *Start > Settings > Privacy*. As such, the user can only change some settings, but not all.
-
-### Users can lower the diagnostic level
-
-Starting with Windows 10, version 1803, a user can change the Windows diagnostics data level for their device below to what was set by their IT department. Organizations can allow or disallow this feature by configuring the Group Policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface** or the MDM policy **ConfigureTelemetryOptInSettingsUx**.
-
-If an IT organization has not disabled this policy, users within the organization can change their own Windows diagnostic data collection level in *Start > Settings > Privacy > Diagnostics & feedback*. For example, if the IT organization enabled this policy and set the level to “Full”, a user can modify the Windows diagnostics data level setting to “Basic”.
-
-### Notification at logon
-
-Windows 10, version 1803, and later can provide users with a notification during their logon. If the IT organization has not disabled the Group Policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in change notifications** or the MDM policy **ConfigureTelemetryOptInChangeNotification**, Windows diagnostic data notifications can appear at logon so that the users of a device are aware of the data collection.
-
-This notification can also be shown when the diagnostic level for the device was changed. For instance, if the diagnostic level on the device is set to “Basic” and the IT organization changes it to “Full”, users will be notified on their next logon.
-
-### Diagnostic Data Viewer (DDV)
-
-In Windows 10, version 1803 and later, users can invoke the [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) to see what Windows diagnostic data is collected on their local device. This app lets a user review the diagnostic data collected on his device that is being sent to Microsoft. The DDV groups the information into simple categories based on how it is used by Microsoft.
-
-A user can turn on Windows diagnostic data viewing by going to go to *Start > Settings > Privacy > Diagnostics & feedback*. Under the ‘Diagnostic data viewer’ section, the user has to enable the ‘If data viewing is enabled, you can see your diagnostics data’ option. After DDV is installed on the device, the user can start it by clicking the ‘Diagnostic Data Viewer’ in the ‘Diagnostic data viewer’ section of *Start > Settings > Privacy > Diagnostics & feedback*.
-
-Also, the user can delete all Windows diagnostic data collected from the device. This is done by clicking the ‘Delete’ button in the ‘Delete diagnostic data’ section of *Start > Settings > Privacy > Diagnostics & feedback*.
-
-### Windows 10 personal data services configuration
-
-Microsoft assembled a list of Windows 10 services configuration settings that are useful for personal data privacy protection and related regulations, such as the General Data Protection Regulation (GDPR). There is one section with settings for service data that is managed at Microsoft and a section for local data that is managed by an IT organization.
-
-IT Professionals that are interested in this configuration, see [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md).
-
-### Windows 10 connections to Microsoft
-
-To find out more about the network connections that Windows components make to Microsoft as well as the privacy settings that affect data shared with either Microsoft or apps, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) and [Manage Windows 10 connection endpoints](manage-windows-endpoints.md). These articles describe how these settings can be managed by an IT Professional.
-
-### At-a-glance: the relationship between an IT organization and the GDPR
-
-Because Microsoft is a controller for data collected by Windows 10, the user can work with Microsoft to satisfy GDPR requirements. While this relationship between Microsoft and a user is evident in a consumer scenario, an IT organization can influence that relationship in an enterprise scenario. For example, the IT organization has the ability to centrally configure the Windows diagnostic data level by using Group Policy or MDM settings.
-
-## Windows Server
-
-Windows Server follows the same mechanisms as Windows 10 for handling of personal data – for example, when collecting Windows diagnostic data.
-
-More detailed information about Windows Server and the GDPR is available at Beginning your General Data Protection Regulation (GDPR) journey for Windows Server.
-
-### Windows diagnostic data and Windows Server
-
-The lowest diagnostic data setting level supported on Windows Server 2016 and Windows Server 2019 through management policies is “Security”. The lowest diagnostic data setting supported through the Settings UI is “Basic”. The default diagnostic data level for all Windows Server 2016 and Windows Server 2019 editions is “Enhanced”.
-
-IT administrators can configure the Windows Server diagnostic data settings using familiar management tools, such as Group Policy, MDM, or Windows Provisioning. IT administrators can also manually change settings using Registry Editor. Setting the Windows Server diagnostic data levels through a management policy overrides any device-level settings.
-
-There are two options for deleting Windows diagnostic data from a Windows Server machine:
-
-- If the “Desktop Experience” option was chosen during the installation of Windows Server 2019, then there are the same options available for an IT administrator that end users have with Windows 10, version 1803 and version 1809, to submit a request for deleting that device’s diagnostic data. This is done by clicking the **Delete** button in the **Delete diagnostic data** section of **Start > Settings > Privacy > Diagnostics & feedback**.
-- Microsoft has provided a [PowerShell cmdlet](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata) that IT administrators can use to delete Windows diagnostic data via the command line on a machine running Windows Server 2016 or Windows Server 2019. This cmdlet provides the same functionality for deleting Windows diagnostic data as with Desktop Experience on Windows Server 2019. For more information, see [the PowerShell Gallery](https://www.powershellgallery.com/packages/WindowsDiagnosticData).
-
-### Backups and Windows Server
-
-Backups, including live backups and backups that are stored locally within an organization or in the cloud, can contain personal data.
-
-- Backups an organizations creates, for example by using Windows Server Backup (WSB), are under its control. For example, for exporting personal data contained in a backup, the organization needs to restore the appropriate backup sets to facilitate the respective data subject request (DSR).
-- The GDPR also applies when storing backups in the cloud. For example, an organization can use Microsoft Azure Backup to backup files and folders from physical or virtual Windows Server machines (located on-premises or in Azure) to the cloud. The organization that is subscribed to this backup service also has the obligation to restore the data in order to exercise the respective DSR.
-
-## Windows 10 Team Edition, Version 1703 for Surface Hub
-
-Surface Hub is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. For removing Windows diagnostic data sent to Microsoft for a Surface Hub, Microsoft created the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store.
-
->[!NOTE]
->Additional apps running on the device, that are not delivered as part of the in-box experience of Surface Hub, may implement their own diagnostic data collection and transmission functionality independently to collect and process personal data. Please contact the app publisher for further guidance on how to control this.
-
-An IT administrator can configure privacy- related settings, such as setting the Windows diagnostic data level to Basic. Surface Hub does not support group policy for centralized management; however, IT administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, please see [Manage settings with an MDM provider](https://docs.microsoft.com/surface-hub/manage-settings-with-mdm-for-surface-hub).
-
-## Further reading
-
-### Optional settings / features that further improve the protection of personal data
-
-Personal data protection is one of the goals of the GDPR. One way of improving personal data protection is to use the modern and advanced security features of Windows 10. An IT organization can learn more at [Mitigate threats by using Windows 10 security features](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10) and [Standards for a highly secure Windows 10 device](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-highly-secure).
-
->[!NOTE]
->Some of these features might require a particular Windows hardware, such as a computer with a Trusted Platform Module (TPM) chip, and can depend on a particular Windows product (such as Windows 10 E5).
-
-### Windows Security Baselines
-
-Microsoft has created Windows Security Baselines to efficiently configure Windows 10 and Windows Server. For more information, please visit [Windows Security Baselines](/windows/security/threat-protection/windows-security-baselines).
-
-### Windows Restricted Traffic Limited Functionality Baseline
-
-To make it easier to deploy settings that restrict connections from Windows 10 and Windows Server to Microsoft, IT Professionals can apply the Windows Restricted Traffic Limited Functionality Baseline, available [here](https://go.microsoft.com/fwlink/?linkid=828887).
-
->[!IMPORTANT]
->Some of the settings of the Windows Restricted Traffic Limited Functionality Baseline will reduce the functionality and security configuration of a device in the organization and are therefore not recommended.
-
-### Microsoft Trust Center and Service Trust Portal
-
-Please visit our [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/privacy/gdpr) to obtain additional resources and to learn more about how Microsoft can help you fulfill specific GDPR requirements. There you can find lots of useful information about the GDPR, including how Microsoft is helping customers to successfully master the GDPR, a FAQ list, and a list of [resources for GDPR compliance](https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/resources). Also, please check out the [Compliance Manager](https://aka.ms/compliancemanager) of the Microsoft [Service Trust Portal (STP)](https://aka.ms/stp) and [Get Started: Support for GDPR Accountability](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted).
-
-### Additional resources
-
-#### FAQs
-
-* [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy)
-* [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy)
-* [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy)
-* [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense)
-
-#### Blogs
-
-* [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
-
-#### Privacy Statement
-
-* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
-
-#### Other resources
-
-* [Privacy at Microsoft](https://privacy.microsoft.com/)
+---
+title: Windows and the GDPR-Information for IT Administrators and Decision Makers
+description: Use this topic to understand the relationship between users in your organization and Microsoft in the context of the GDPR (General Data Protection Regulation).
+keywords: privacy, GDPR, windows, IT
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+audience: ITPro
+author: dansimp
+ms.author: dansimp
+manager: dansimp
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 05/11/2018
+ms.reviewer:
+---
+# Windows and the GDPR: Information for IT Administrators and Decision Makers
+
+Applies to:
+- Windows 10, version 1809
+- Windows 10, version 1803
+- Windows 10, version 1709
+- Windows 10, version 1703
+- Windows 10 Team Edition, version 1703 for Surface Hub
+- Windows Server 2019
+- Windows Server 2016
+- Windows Analytics
+
+This topic provides IT Decision Makers with a basic understanding of the relationship between users in an organization and Microsoft in the context of the GDPR (General Data Protection Regulation). You will also learn what role an IT organization plays for that relationship.
+
+For more information about the GDPR, see:
+* [Microsoft GDPR Overview](https://aka.ms/GDPROverview)
+* [Microsoft Trust Center FAQs about the GDPR](https://aka.ms/gdpr-faq)
+* [Microsoft Service Trust Portal (STP)](https://aka.ms/stp)
+* [Get Started: Support for GDPR Accountability](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted)
+
+## GDPR fundamentals
+
+Here are some GDPR fundamentals:
+
+* On May 25, 2018, this EU data privacy law is implemented. It sets a new global bar for data privacy rights, security, and compliance.
+* The GDPR is fundamentally about protecting and enabling the privacy rights of individuals – both customers and employees.
+* The European law establishes strict global data privacy requirements governing how organizations manage and protect personal data while respecting individual choice – no matter where data is sent, processed, or stored.
+* A request by an individual to an organization to take an action on their personal data is referred to here as a *data subject request*, or *DSR*.
+
+Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR required significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization.
+
+### What is personal data under the GDPR?
+
+Article 4 (1) of [the GDPR](http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=en) defines personal data as any information relating to an identified or identifiable person. There is no distinction between a person’s private, public, or work roles. As defined by the GDPR, personal data includes, but is not limited to:
+* Name
+* Email address
+* Credit card numbers
+* IP addresses
+* Social media posts
+* Location information
+* Handwriting patterns
+* Voice input to cloud-based speech services
+
+### Controller and processor under the GDPR: Who does what
+
+#### Definition
+
+The GDPR describes specific requirements for allocating responsibility for controller and processor activities related to personal data. Thus, every organization that processes personal data must determine whether it is acting as a controller or processor for a specific scenario.
+
+* **Controller**: GDPR Article 4 (7) defines the ‘controller’ as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
+* **Processor**: According to the GDPR Article 4 (8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
+
+#### Controller scenario
+
+For example, when an organization is using Microsoft Windows Defender Advanced Threat Protection (ATP) to detect, investigate, and respond to advanced threats on their networks as part of their IT operations, that organization is collecting data from the user’s device – data, that might include personal data. In this scenario, the organization is the *controller* of the respective personal data, since the organization controls the purpose and means of the processing for data being collected from the devices that have Windows Defender ATP enabled.
+
+#### Processor scenario
+
+In the controller scenario described above, Microsoft is a *processor* because Microsoft provides data processing services to that controller (in the given example, an organization that subscribed to Windows Defender ATP and enabled it for the user’s device). As processor, Microsoft only processes data on behalf of the enterprise customer and does not have the right to process data beyond their instructions as specified in a written contract, such as the [Microsoft Product Terms and the Microsoft Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products.aspx).
+
+## GDPR relationship between a Windows 10 user and Microsoft
+
+For Windows 10 services, Microsoft usually is the controller (with exceptions, such as Windows Defender ATP). The following sections describe what that means for the related data.
+
+### Types of data exchanged with Microsoft
+
+Microsoft collects data from or generates data through interactions with users of Windows 10 devices. This information can contain personal data, as defined in [Article 4 (1) of the GDPR](http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=EN), that may be used to provide, support, and improve Windows 10 services.
+
+Microsoft discloses data collection and privacy practices in detail, for example:
+* As part of the Windows 10 installation;
+* In the Windows 10 privacy settings;
+* Via the web-based [Microsoft Privacy dashboard](https://account.microsoft.com/privacy); and
+* In the [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement).
+
+It is important to differentiate between two distinct types of data Windows services are dealing with.
+
+#### Windows functional data
+
+A user action, such as performing a Skype call, usually triggers the collection and transmission of Windows *functional data*. Some Windows components and applications connecting to Microsoft services also exchange Windows functional data to provide user functionality.
+
+Some other examples of Windows functional data:
+* The Weather app which can use the device’s location to retrieve local weather or community news.
+* Wallpaper and desktop settings that are synchronized across multiple devices.
+
+For more info on how IT Professionals can manage Windows functional data sent from an organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
+
+#### Windows diagnostic data
+
+Windows diagnostic data is used to keep the operating system secure and up-to-date, troubleshoot problems, and make product improvements. The data is encrypted before being sent back to Microsoft.
+
+Some examples of diagnostic data include:
+* The type of hardware being used, information about installed apps and usage details, and reliability data on drivers running on the device.
+* For users who have turned on “Tailored experiences”, it can be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for the needs of the user.
+
+Diagnostic data is categorized into the levels "Security", "Basic", "Enhanced", and "Full". For a detailed discussion about these diagnostic data levels please see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). To find more about what information is collected and how it is handled, see [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data).
+
+>[!IMPORTANT]
+>Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data. Please contact the publisher for further guidance on how to control the diagnostic data collection level and transmission of these applications and services.
+
+### Windows services where Microsoft is the processor under the GDPR
+
+Most Windows 10 services are controller services in terms of the GDPR – for both Windows functional data and Windows diagnostic data. But there are a few Windows services where Microsoft is a processor for functional data under the GDPR, such as [Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics) and [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/windowsforbusiness/windows-atp).
+
+>[!NOTE]
+>Both Windows Analytics and Windows Defender ATP are subscription services for organizations. Some functionality requires a certain license (please see [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare)).
+
+#### Windows Analytics
+
+[Windows Analytics](https://www.microsoft.com/en-us/windowsforbusiness/windows-analytics) is a service that provides rich, actionable information for helping organizations to gain deep insights into the operational efficiency and health of the Windows devices in their environment. It uses Windows diagnostic data from devices enrolled by the IT organization of an enterprise into the Windows Analytics service.
+
+Windows [transmits Windows diagnostic data](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) to Microsoft datacenters, where that data is analyzed and stored. With Windows Analytics, the IT organization can then view the analyzed data to detect and fix issues or to improve their processes for upgrading to Windows 10.
+
+As a result, in terms of the GDPR, the organization that has subscribed to Windows Analytics is acting as the controller, while Microsoft is the processor for Windows Analytics.
+>[!NOTE]
+>The IT organization must explicitly enable Windows Analytics for a device after the organization subscribes.
+
+>[!IMPORTANT]
+>Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for an enrolled device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device.
+
+#### Windows Defender ATP
+
+[Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) is cloud-based service that collects and analyzes usage data from an organization’s devices to detect security threats. Some of the data can contain personal data as defined by the GDPR. Enrolled devices transmit usage data to Microsoft datacenters, where that data is analyzed, processed, and stored. The security operations center (SOC) of the organization can view the analyzed data using the [Windows Defender ATP portal](https://securitycenter.windows.com/).
+
+As a result, in terms of the GDPR, the organization that has subscribed to Windows Defender ATP is acting as the controller, while Microsoft is the processor for Windows Defender ATP.
+
+>[!NOTE]
+>The IT organization must explicitly enable Windows Defender ATP for a device after the organization subscribes.
+
+#### At a glance – Windows 10 services GDPR mode of operations
+
+The following table lists in what GDPR mode – controller or processor – Windows 10 services are operating.
+
+| Service | Microsoft GDPR mode of operation |
+| --- | --- |
+| Windows Functional data | Controller or Processor* |
+| Windows Diagnostic data | Controller |
+| Windows Analytics | Processor |
+| Windows Defender Advanced Threat Detection (ATP) | Processor |
+
+*Table 1: Windows 10 GDPR modes of operations for different Windows 10 services*
+
+*/*Depending on which application/feature this is referring to.*
+
+## Windows diagnostic data and Windows 10
+
+
+### Recommended Windows 10 settings
+
+Windows diagnostic data collection level for Windows 10 can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques.
+
+* For Windows 10, version 1803 and version 1809, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics).
+
+>[!NOTE]
+>For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
+
+* For Windows 10, version 1709, and Windows 10, version 1703, the recommended Windows diagnostic level configuration for EEA and Switzerland commercial users is “Basic”.
+
+>[!NOTE]
+>For Windows 7, Microsoft recommends [configuring enterprise devices for Windows Analytics](/windows/deployment/update/windows-analytics-get-started) to facilitate upgrade planning to Windows 10.
+
+### Additional information for Windows Analytics
+
+Some Windows Analytics solutions and functionality, such as Update Compliance, works with “Basic” as minimum Windows diagnostic level. Other solutions and functionality of Windows Analytics, such as Device Health, require “Enhanced”.
+
+Those organizations who wish to share the smallest set of events for Windows Analytics and have set the Windows diagnostic level to “Enhanced” can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” setting. This filtering mechanism was that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics.
+
+>[!NOTE]
+>Additional information can be found at [Windows Analytics and privacy](/windows/deployment/update/windows-analytics-privacy
+).
+
+## Controlling Windows 10 data collection and notification about it
+
+Windows 10 sends diagnostic data to Microsoft services, and some of that data can contain personal data. Both the user and the IT organization have the ability to control the transmission of that data to Microsoft.
+
+### Adjusting privacy settings by the user
+
+A user has the ability to adjust additional privacy settings in Windows by navigating to *Start > Settings > Privacy*. For example, a user can control if location is enabled or disabled, whether or not to transmit feedback on inking and typing input to Microsoft for improving the personal accuracy of these services, or if Windows collects activities for syncing it with other devices.
+
+For a standard user in an organization, some privacy settings might be controlled by their IT department. This is done using Group Policies or Mobile Device Management (MDM) settings. If this is the case, the user will see an alert that says ‘Some settings are hidden or managed by your organization’ when they navigate to *Start > Settings > Privacy*. As such, the user can only change some settings, but not all.
+
+### Users can lower the diagnostic level
+
+Starting with Windows 10, version 1803, a user can change the Windows diagnostics data level for their device below to what was set by their IT department. Organizations can allow or disallow this feature by configuring the Group Policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface** or the MDM policy **ConfigureTelemetryOptInSettingsUx**.
+
+If an IT organization has not disabled this policy, users within the organization can change their own Windows diagnostic data collection level in *Start > Settings > Privacy > Diagnostics & feedback*. For example, if the IT organization enabled this policy and set the level to “Full”, a user can modify the Windows diagnostics data level setting to “Basic”.
+
+### Notification at logon
+
+Windows 10, version 1803, and later can provide users with a notification during their logon. If the IT organization has not disabled the Group Policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in change notifications** or the MDM policy **ConfigureTelemetryOptInChangeNotification**, Windows diagnostic data notifications can appear at logon so that the users of a device are aware of the data collection.
+
+This notification can also be shown when the diagnostic level for the device was changed. For instance, if the diagnostic level on the device is set to “Basic” and the IT organization changes it to “Full”, users will be notified on their next logon.
+
+### Diagnostic Data Viewer (DDV)
+
+In Windows 10, version 1803 and later, users can invoke the [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) to see what Windows diagnostic data is collected on their local device. This app lets a user review the diagnostic data collected on his device that is being sent to Microsoft. The DDV groups the information into simple categories based on how it is used by Microsoft.
+
+A user can turn on Windows diagnostic data viewing by going to go to *Start > Settings > Privacy > Diagnostics & feedback*. Under the ‘Diagnostic data viewer’ section, the user has to enable the ‘If data viewing is enabled, you can see your diagnostics data’ option. After DDV is installed on the device, the user can start it by clicking the ‘Diagnostic Data Viewer’ in the ‘Diagnostic data viewer’ section of *Start > Settings > Privacy > Diagnostics & feedback*.
+
+Also, the user can delete all Windows diagnostic data collected from the device. This is done by clicking the ‘Delete’ button in the ‘Delete diagnostic data’ section of *Start > Settings > Privacy > Diagnostics & feedback*.
+
+### Windows 10 personal data services configuration
+
+Microsoft assembled a list of Windows 10 services configuration settings that are useful for personal data privacy protection and related regulations, such as the General Data Protection Regulation (GDPR). There is one section with settings for service data that is managed at Microsoft and a section for local data that is managed by an IT organization.
+
+IT Professionals that are interested in this configuration, see [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md).
+
+### Windows 10 connections to Microsoft
+
+To find out more about the network connections that Windows components make to Microsoft as well as the privacy settings that affect data shared with either Microsoft or apps, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) and [Manage Windows 10 connection endpoints](manage-windows-endpoints.md). These articles describe how these settings can be managed by an IT Professional.
+
+### At-a-glance: the relationship between an IT organization and the GDPR
+
+Because Microsoft is a controller for data collected by Windows 10, the user can work with Microsoft to satisfy GDPR requirements. While this relationship between Microsoft and a user is evident in a consumer scenario, an IT organization can influence that relationship in an enterprise scenario. For example, the IT organization has the ability to centrally configure the Windows diagnostic data level by using Group Policy or MDM settings.
+
+## Windows Server
+
+Windows Server follows the same mechanisms as Windows 10 for handling of personal data – for example, when collecting Windows diagnostic data.
+
+More detailed information about Windows Server and the GDPR is available at Beginning your General Data Protection Regulation (GDPR) journey for Windows Server.
+
+### Windows diagnostic data and Windows Server
+
+The lowest diagnostic data setting level supported on Windows Server 2016 and Windows Server 2019 through management policies is “Security”. The lowest diagnostic data setting supported through the Settings UI is “Basic”. The default diagnostic data level for all Windows Server 2016 and Windows Server 2019 editions is “Enhanced”.
+
+IT administrators can configure the Windows Server diagnostic data settings using familiar management tools, such as Group Policy, MDM, or Windows Provisioning. IT administrators can also manually change settings using Registry Editor. Setting the Windows Server diagnostic data levels through a management policy overrides any device-level settings.
+
+There are two options for deleting Windows diagnostic data from a Windows Server machine:
+
+- If the “Desktop Experience” option was chosen during the installation of Windows Server 2019, then there are the same options available for an IT administrator that end users have with Windows 10, version 1803 and version 1809, to submit a request for deleting that device’s diagnostic data. This is done by clicking the **Delete** button in the **Delete diagnostic data** section of **Start > Settings > Privacy > Diagnostics & feedback**.
+- Microsoft has provided a [PowerShell cmdlet](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata) that IT administrators can use to delete Windows diagnostic data via the command line on a machine running Windows Server 2016 or Windows Server 2019. This cmdlet provides the same functionality for deleting Windows diagnostic data as with Desktop Experience on Windows Server 2019. For more information, see [the PowerShell Gallery](https://www.powershellgallery.com/packages/WindowsDiagnosticData).
+
+### Backups and Windows Server
+
+Backups, including live backups and backups that are stored locally within an organization or in the cloud, can contain personal data.
+
+- Backups an organizations creates, for example by using Windows Server Backup (WSB), are under its control. For example, for exporting personal data contained in a backup, the organization needs to restore the appropriate backup sets to facilitate the respective data subject request (DSR).
+- The GDPR also applies when storing backups in the cloud. For example, an organization can use Microsoft Azure Backup to backup files and folders from physical or virtual Windows Server machines (located on-premises or in Azure) to the cloud. The organization that is subscribed to this backup service also has the obligation to restore the data in order to exercise the respective DSR.
+
+## Windows 10 Team Edition, Version 1703 for Surface Hub
+
+Surface Hub is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. For removing Windows diagnostic data sent to Microsoft for a Surface Hub, Microsoft created the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store.
+
+>[!NOTE]
+>Additional apps running on the device, that are not delivered as part of the in-box experience of Surface Hub, may implement their own diagnostic data collection and transmission functionality independently to collect and process personal data. Please contact the app publisher for further guidance on how to control this.
+
+An IT administrator can configure privacy- related settings, such as setting the Windows diagnostic data level to Basic. Surface Hub does not support group policy for centralized management; however, IT administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, please see [Manage settings with an MDM provider](https://docs.microsoft.com/surface-hub/manage-settings-with-mdm-for-surface-hub).
+
+## Further reading
+
+### Optional settings / features that further improve the protection of personal data
+
+Personal data protection is one of the goals of the GDPR. One way of improving personal data protection is to use the modern and advanced security features of Windows 10. An IT organization can learn more at [Mitigate threats by using Windows 10 security features](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10) and [Standards for a highly secure Windows 10 device](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-highly-secure).
+
+>[!NOTE]
+>Some of these features might require a particular Windows hardware, such as a computer with a Trusted Platform Module (TPM) chip, and can depend on a particular Windows product (such as Windows 10 E5).
+
+### Windows Security Baselines
+
+Microsoft has created Windows Security Baselines to efficiently configure Windows 10 and Windows Server. For more information, please visit [Windows Security Baselines](/windows/security/threat-protection/windows-security-baselines).
+
+### Windows Restricted Traffic Limited Functionality Baseline
+
+To make it easier to deploy settings that restrict connections from Windows 10 and Windows Server to Microsoft, IT Professionals can apply the Windows Restricted Traffic Limited Functionality Baseline, available [here](https://go.microsoft.com/fwlink/?linkid=828887).
+
+>[!IMPORTANT]
+>Some of the settings of the Windows Restricted Traffic Limited Functionality Baseline will reduce the functionality and security configuration of a device in the organization and are therefore not recommended.
+
+### Microsoft Trust Center and Service Trust Portal
+
+Please visit our [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/privacy/gdpr) to obtain additional resources and to learn more about how Microsoft can help you fulfill specific GDPR requirements. There you can find lots of useful information about the GDPR, including how Microsoft is helping customers to successfully master the GDPR, a FAQ list, and a list of [resources for GDPR compliance](https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/resources). Also, please check out the [Compliance Manager](https://aka.ms/compliancemanager) of the Microsoft [Service Trust Portal (STP)](https://aka.ms/stp) and [Get Started: Support for GDPR Accountability](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted).
+
+### Additional resources
+
+#### FAQs
+
+* [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy)
+* [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy)
+* [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy)
+* [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense)
+
+#### Blogs
+
+* [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
+
+#### Privacy Statement
+
+* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
+
+#### Other resources
+
+* [Privacy at Microsoft](https://privacy.microsoft.com/)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index 53034ea742..9f89972a1f 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -18,17 +18,17 @@ ms.date: 3/1/2019
- Windows 10 Enterprise 1903 version and newer
-You can use Microsoft InTune with MDM CSPs and custom [OMA URIs](https://docs.microsoft.com/en-us/intune/custom-settings-windows-10) to minimize connections from Windows to Microsoft services, or to configure particular privacy settings. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
+You can use Microsoft InTune with MDM CSPs and custom [OMA URIs](https://docs.microsoft.com/intune/custom-settings-windows-10) to minimize connections from Windows to Microsoft services, or to configure particular privacy settings. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
-To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
+To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
Note, there is some traffic which is required (i.e. "whitelisted") for the operation of Windows and the Microsoft InTune based management. This traffic includes CRL and OCSP network traffic which will show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. Additional whitelisted traffic specifically for MDM managed devices includes Windows Notification Service related traffic as well as some specific Microsoft InTune and Windows Update related traffic.
-For more information on Microsoft InTune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/en-us/intune/).
+For more information on Microsoft InTune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/).
-For detailed information about managing network connections to Microsoft services using Registries, Group Policies, or UI see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services).
+For detailed information about managing network connections to Microsoft services using Registries, Group Policies, or UI see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services).
The endpoints for the MDM “whitelisted” traffic are in the [Whitelisted Traffic](#bkmk-mdm-whitelist).
@@ -43,76 +43,76 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt
| Setting | MDM Policy | Description |
| --- | --- | --- |
| 1. Automatic Root Certificates Update | There is intentionally no MDM available for Automatic Root Certificate Update. | This MDM does not exist since it would prevent the operation and management of MDM management of devices.
-| 2. Cortana and Search | [Experience/AllowCortana](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | Choose whether to let Cortana install and run on the device. **Set to 0 (zero)**
-| | [Search/AllowSearchToUseLocation](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation) | Choose whether Cortana and Search can provide location-aware search results. **Set to 0 (zero)**
-| 3. Date & Time | [Settings/AllowDateTime](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-settings#settings-allowdatetime)| Allows the user to change date and time settings. **Set to 0 (zero)**
-| 4. Device metadata retrieval | [DeviceInstallation/PreventDeviceMetadataFromNetwork](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork) | Choose whether to prevent Windows from retrieving device metadata from the Internet. **Set to Enabled**
-| 5. Find My Device | [Experience/AllowFindMyDevice](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice)| This policy turns on Find My Device. **Set to 0 (zero)**
-| 6. Font streaming | [System/AllowFontProviders](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowfontproviders) | Setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. **Set to 0 (zero)**
-| 7. Insider Preview builds | [System/AllowBuildPreview](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowbuildpreview) | This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. **Set to 0 (zero)**
-| 8. Internet Explorer | The following Microsoft Internet Explorer MDM policies are available in the [Internet Explorer CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer) |
-| | [InternetExplorer/AllowSuggestedSites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-allowsuggestedsites) | Recommends websites based on the user’s browsing activity. **Set to Disabled**
-| | [InternetExplorer/PreventManagingSmartScreenFilter]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-preventmanagingsmartscreenfilter) | Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. **Set to Enabled**
-| | [InternetExplorer/DisableFlipAheadFeature]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disableflipaheadfeature) | Determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website. **Set to Enabled**
-| | [InternetExplorer/DisableHomePageChange]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disablehomepagechange) | Determines whether users can change the default Home Page or not. **Set to Enabled**
-| | [InternetExplorer/DisableFirstRunWizard]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disablefirstrunwizard) | Prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. **Set to Enabled**
-| 9. Live Tiles | [Notifications/DisallowTileNotification](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-notifications)| This policy setting turns off tile notifications. If you enable this policy setting applications and system features will not be able to update their tiles and tile badges in the Start screen. **Set to Enabled**
-| 10. Mail synchronization | [Accounts/AllowMicrosoftAccountConnection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection) | Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. **Set to 0 (zero)**
-| 11. Microsoft Account | [Accounts/AllowMicrosoftAccountSignInAssistant](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountsigninassistant) | Disable the Microsoft Account Sign-In Assistant. **Set to 0 (zero)**
+| 2. Cortana and Search | [Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | Choose whether to let Cortana install and run on the device. **Set to 0 (zero)**
+| | [Search/AllowSearchToUseLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation) | Choose whether Cortana and Search can provide location-aware search results. **Set to 0 (zero)**
+| 3. Date & Time | [Settings/AllowDateTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-settings#settings-allowdatetime)| Allows the user to change date and time settings. **Set to 0 (zero)**
+| 4. Device metadata retrieval | [DeviceInstallation/PreventDeviceMetadataFromNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork) | Choose whether to prevent Windows from retrieving device metadata from the Internet. **Set to Enabled**
+| 5. Find My Device | [Experience/AllowFindMyDevice](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice)| This policy turns on Find My Device. **Set to 0 (zero)**
+| 6. Font streaming | [System/AllowFontProviders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowfontproviders) | Setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. **Set to 0 (zero)**
+| 7. Insider Preview builds | [System/AllowBuildPreview](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowbuildpreview) | This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. **Set to 0 (zero)**
+| 8. Internet Explorer | The following Microsoft Internet Explorer MDM policies are available in the [Internet Explorer CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer) |
+| | [InternetExplorer/AllowSuggestedSites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-allowsuggestedsites) | Recommends websites based on the user’s browsing activity. **Set to Disabled**
+| | [InternetExplorer/PreventManagingSmartScreenFilter]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-preventmanagingsmartscreenfilter) | Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. **Set to Enabled**
+| | [InternetExplorer/DisableFlipAheadFeature]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disableflipaheadfeature) | Determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website. **Set to Enabled**
+| | [InternetExplorer/DisableHomePageChange]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disablehomepagechange) | Determines whether users can change the default Home Page or not. **Set to Enabled**
+| | [InternetExplorer/DisableFirstRunWizard]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disablefirstrunwizard) | Prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. **Set to Enabled**
+| 9. Live Tiles | [Notifications/DisallowTileNotification](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-notifications)| This policy setting turns off tile notifications. If you enable this policy setting applications and system features will not be able to update their tiles and tile badges in the Start screen. **Set to Enabled**
+| 10. Mail synchronization | [Accounts/AllowMicrosoftAccountConnection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection) | Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. **Set to 0 (zero)**
+| 11. Microsoft Account | [Accounts/AllowMicrosoftAccountSignInAssistant](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountsigninassistant) | Disable the Microsoft Account Sign-In Assistant. **Set to 0 (zero)**
| 12. Microsoft Edge | | The following Microsoft Edge MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/available-policies).
-| | [Browser/AllowAutoFill](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) | Choose whether employees can use autofill on websites. **Set to 0 (zero)**
-| | [Browser/AllowDoNotTrack](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) | Choose whether employees can send Do Not Track headers. **Set to 0 (zero)**
-| | [Browser/AllowMicrosoftCompatbilityList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) | Specify the Microsoft compatibility list in Microsoft Edge. **Set to 0 (zero)**
-| | [Browser/AllowPasswordManager](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | Choose whether employees can save passwords locally on their devices. **Set to 0 (zero)**
-| | [Browser/AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) | Choose whether the Address Bar shows search suggestions. **Set to 0 (zero)**
-| | [Browser/AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | Choose whether SmartScreen is turned on or off. **Set to 0 (zero)**
-| 13. Network Connection Status Indicator | [Connectivity/DisallowNetworkConnectivityActiveTests](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-connectivity#connectivity-disallownetworkconnectivityactivetests) | Note: After you apply this policy you must restart the device for the policy setting to take effect. **Set to 1 (one)**
-| 14. Offline maps | [AllowOfflineMapsDownloadOverMeteredConnection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-maps)|Allows the download and update of map data over metered connections.
**Set to 0 (zero)**
-| | [EnableOfflineMapsAutoUpdate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-maps#maps-enableofflinemapsautoupdate)|Disables the automatic download and update of map data. **Set to 0 (zero)**
-| 15. OneDrive | [DisableOneDriveFileSync](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-disableonedrivefilesync)| Allows IT Admins to prevent apps and features from working with files on OneDrive. **Set to 1 (one)**
+| | [Browser/AllowAutoFill](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) | Choose whether employees can use autofill on websites. **Set to 0 (zero)**
+| | [Browser/AllowDoNotTrack](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) | Choose whether employees can send Do Not Track headers. **Set to 0 (zero)**
+| | [Browser/AllowMicrosoftCompatbilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) | Specify the Microsoft compatibility list in Microsoft Edge. **Set to 0 (zero)**
+| | [Browser/AllowPasswordManager](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | Choose whether employees can save passwords locally on their devices. **Set to 0 (zero)**
+| | [Browser/AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) | Choose whether the Address Bar shows search suggestions. **Set to 0 (zero)**
+| | [Browser/AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | Choose whether SmartScreen is turned on or off. **Set to 0 (zero)**
+| 13. Network Connection Status Indicator | [Connectivity/DisallowNetworkConnectivityActiveTests](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-connectivity#connectivity-disallownetworkconnectivityactivetests) | Note: After you apply this policy you must restart the device for the policy setting to take effect. **Set to 1 (one)**
+| 14. Offline maps | [AllowOfflineMapsDownloadOverMeteredConnection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-maps)|Allows the download and update of map data over metered connections.
**Set to 0 (zero)**
+| | [EnableOfflineMapsAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-maps#maps-enableofflinemapsautoupdate)|Disables the automatic download and update of map data. **Set to 0 (zero)**
+| 15. OneDrive | [DisableOneDriveFileSync](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-disableonedrivefilesync)| Allows IT Admins to prevent apps and features from working with files on OneDrive. **Set to 1 (one)**
| 16. Preinstalled apps | N/A | N/A
| 17. Privacy settings | | Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
-| 17.1 General | [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | This policy setting controls the ability to send inking and typing data to Microsoft. **Set to 0 (zero)**
-| 17.2 Location | [System/AllowLocation](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowlocation) | Specifies whether to allow app access to the Location service. **Set to 0 (zero)**
-| 17.3 Camera | [Camera/AllowCamera](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-camera#camera-allowcamera) | Disables or enables the camera. **Set to 0 (zero)**
-| 17.4 Microphone | [Privacy/LetAppsAccessMicrophone](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone) | Specifies whether Windows apps can access the microphone. **Set to 2 (two)**
-| 17.5 Notifications | [Notifications/DisallowCloudNotification](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-notifications#notifications-disallowcloudnotification) | Turn off notifications network usage. **DO NOT TURN OFF WNS Notifications if you want manage your device(s) using Microsoft InTune**
-| | [Privacy/LetAppsAccessNotifications](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessnotifications) | Specifies whether Windows apps can access notifications. **Set to 2 (two)**
-| | [Settings/AllowOnlineTips]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-settings#settings-allowonlinetips) | Enables or disables the retrieval of online tips and help for the Settings app. **Set to Disabled**
-| 17.6 Speech, Inking, & Typing | [Privacy/AllowInputPersonalization](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | This policy specifies whether users on the device have the option to enable online speech recognition. **Set to 0 (zero)**
-| | [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection)| This policy setting controls the ability to send inking and typing data to Microsoft **Set to 0 (zero)**
-| 17.7 Account info | [Privacy/LetAppsAccessAccountInfo](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessaccountinfo) | Specifies whether Windows apps can access account information. **Set to 2 (two)**
-| 17.8 Contacts | [Privacy/LetAppsAccessContacts](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscontacts) | Specifies whether Windows apps can access contacts. **Set to 2 (two)**
-| 17.9 Calendar | [Privacy/LetAppsAccessCalendar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscalendar) | Specifies whether Windows apps can access the calendar. **Set to 2 (two)**
-| 17.10 Call history | [Privacy/LetAppsAccessCallHistory](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscallhistory) | Specifies whether Windows apps can access account information. **Set to 2 (two)**
-| 17.11 Email | [Privacy/LetAppsAccessEmail](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessemail) | Specifies whether Windows apps can access email. **Set to 2 (two)**
-| 17.12 Messaging | [Privacy/LetAppsAccessMessaging](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmessaging) | Specifies whether Windows apps can read or send messages (text or MMS). **Set to 2 (two)**
-| 17.13 Phone calls | [Privacy/LetAppsAccessPhone](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone) | Specifies whether Windows apps can make phone calls. **Set to 2 (two)**
-| 17.14 Radios | [Privacy/LetAppsAccessRadios](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessradios) | Specifies whether Windows apps have access to control radios. **Set to 2 (two)**
-| 17.15 Other devices | [Privacy/LetAppsSyncWithDevices](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappssyncwithdevices) | Specifies whether Windows apps can sync with devices. **Set to 2 (two)**
-| | [Privacy/LetAppsAccessTrustedDevices](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstrusteddevices) | Specifies whether Windows apps can access trusted devices. **Set to 2 (two)**
-| 17.16 Feedback & diagnostics | [System/AllowTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | Allow the device to send diagnostic and usage telemetry data, such as Watson. **Set to 0 (zero)**
-| | [Experience/DoNotShowFeedbackNotifications](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotshowfeedbacknotifications)| Prevents devices from showing feedback questions from Microsoft. **Set to 1 (one)**
-| 17.17 Background apps | [Privacy/LetAppsRunInBackground](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsruninbackground) | Specifies whether Windows apps can run in the background. **Set to 2 (two)**
-| 17.18 Motion | [Privacy/LetAppsAccessMotion](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmotion) | Specifies whether Windows apps can access motion data. **Set to 2 (two)**
-| 17.19 Tasks | [Privacy/LetAppsAccessTasks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstasks) | Turn off the ability to choose which apps have access to tasks. **Set to 2 (two)**
-| 17.20 App Diagnostics | [Privacy/LetAppsGetDiagnosticInfo](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsgetdiagnosticinfo) | Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. **Set to 2 (two)**
-| 18. Software Protection Platform | [Licensing/DisallowKMSClientOnlineAVSValidation](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-licensing#licensing-disallowkmsclientonlineavsvalidation) | Opt out of sending KMS client activation data to Microsoft automatically. **Set to 1 (one)**
-| 19. Storage Health | [Storage/AllowDiskHealthModelUpdates](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-storage#storage-allowdiskhealthmodelupdates) | Allows disk health model updates. **Set to 0 (zero)**
-| 20. Sync your settings | [Experience/AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) | Control whether your settings are synchronized. **Set to 0 (zero)**
+| 17.1 General | [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | This policy setting controls the ability to send inking and typing data to Microsoft. **Set to 0 (zero)**
+| 17.2 Location | [System/AllowLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowlocation) | Specifies whether to allow app access to the Location service. **Set to 0 (zero)**
+| 17.3 Camera | [Camera/AllowCamera](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-camera#camera-allowcamera) | Disables or enables the camera. **Set to 0 (zero)**
+| 17.4 Microphone | [Privacy/LetAppsAccessMicrophone](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone) | Specifies whether Windows apps can access the microphone. **Set to 2 (two)**
+| 17.5 Notifications | [Notifications/DisallowCloudNotification](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-notifications#notifications-disallowcloudnotification) | Turn off notifications network usage. **DO NOT TURN OFF WNS Notifications if you want manage your device(s) using Microsoft InTune**
+| | [Privacy/LetAppsAccessNotifications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessnotifications) | Specifies whether Windows apps can access notifications. **Set to 2 (two)**
+| | [Settings/AllowOnlineTips]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-settings#settings-allowonlinetips) | Enables or disables the retrieval of online tips and help for the Settings app. **Set to Disabled**
+| 17.6 Speech, Inking, & Typing | [Privacy/AllowInputPersonalization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | This policy specifies whether users on the device have the option to enable online speech recognition. **Set to 0 (zero)**
+| | [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection)| This policy setting controls the ability to send inking and typing data to Microsoft **Set to 0 (zero)**
+| 17.7 Account info | [Privacy/LetAppsAccessAccountInfo](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessaccountinfo) | Specifies whether Windows apps can access account information. **Set to 2 (two)**
+| 17.8 Contacts | [Privacy/LetAppsAccessContacts](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscontacts) | Specifies whether Windows apps can access contacts. **Set to 2 (two)**
+| 17.9 Calendar | [Privacy/LetAppsAccessCalendar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscalendar) | Specifies whether Windows apps can access the calendar. **Set to 2 (two)**
+| 17.10 Call history | [Privacy/LetAppsAccessCallHistory](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscallhistory) | Specifies whether Windows apps can access account information. **Set to 2 (two)**
+| 17.11 Email | [Privacy/LetAppsAccessEmail](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessemail) | Specifies whether Windows apps can access email. **Set to 2 (two)**
+| 17.12 Messaging | [Privacy/LetAppsAccessMessaging](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmessaging) | Specifies whether Windows apps can read or send messages (text or MMS). **Set to 2 (two)**
+| 17.13 Phone calls | [Privacy/LetAppsAccessPhone](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone) | Specifies whether Windows apps can make phone calls. **Set to 2 (two)**
+| 17.14 Radios | [Privacy/LetAppsAccessRadios](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessradios) | Specifies whether Windows apps have access to control radios. **Set to 2 (two)**
+| 17.15 Other devices | [Privacy/LetAppsSyncWithDevices](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappssyncwithdevices) | Specifies whether Windows apps can sync with devices. **Set to 2 (two)**
+| | [Privacy/LetAppsAccessTrustedDevices](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstrusteddevices) | Specifies whether Windows apps can access trusted devices. **Set to 2 (two)**
+| 17.16 Feedback & diagnostics | [System/AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | Allow the device to send diagnostic and usage telemetry data, such as Watson. **Set to 0 (zero)**
+| | [Experience/DoNotShowFeedbackNotifications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-donotshowfeedbacknotifications)| Prevents devices from showing feedback questions from Microsoft. **Set to 1 (one)**
+| 17.17 Background apps | [Privacy/LetAppsRunInBackground](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsruninbackground) | Specifies whether Windows apps can run in the background. **Set to 2 (two)**
+| 17.18 Motion | [Privacy/LetAppsAccessMotion](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmotion) | Specifies whether Windows apps can access motion data. **Set to 2 (two)**
+| 17.19 Tasks | [Privacy/LetAppsAccessTasks](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstasks) | Turn off the ability to choose which apps have access to tasks. **Set to 2 (two)**
+| 17.20 App Diagnostics | [Privacy/LetAppsGetDiagnosticInfo](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsgetdiagnosticinfo) | Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. **Set to 2 (two)**
+| 18. Software Protection Platform | [Licensing/DisallowKMSClientOnlineAVSValidation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-licensing#licensing-disallowkmsclientonlineavsvalidation) | Opt out of sending KMS client activation data to Microsoft automatically. **Set to 1 (one)**
+| 19. Storage Health | [Storage/AllowDiskHealthModelUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-allowdiskhealthmodelupdates) | Allows disk health model updates. **Set to 0 (zero)**
+| 20. Sync your settings | [Experience/AllowSyncMySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) | Control whether your settings are synchronized. **Set to 0 (zero)**
| 21. Teredo | No MDM needed | Teredo is **Off by default**. Delivery Optimization (DO) can turn on Teredo, but DO itself is turned Off via MDM.
| 22. Wi-Fi Sense | No MDM needed | Wi-Fi Sense is no longer available from Windows 10 version 1803 and newer.
-| 23. Windows Defender | [Defender/AllowCloudProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection) | Disconnect from the Microsoft Antimalware Protection Service. **Set to 0 (zero)**
-| | [Defender/SubmitSamplesConsent](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent) | Stop sending file samples back to Microsoft. **Set to 2 (two)**
-| 23.1 Windows Defender Smartscreen | [Browser/AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | Disable Windows Defender Smartscreen. **Set to 0 (zero)**
-| 23.2 Windows Defender Smartscreen EnableAppInstallControl | [SmartScreen/EnableAppInstallControl](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol) | Controls whether users are allowed to install apps from places other than the Microsoft Store. **Set to 0 (zero)**
-| 24. Windows Spotlight | [Experience/AllowWindowsSpotlight](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsspotlight) | Disable Windows Spotlight. **Set to 0 (zero)**
-| 25. Microsoft Store | [ApplicationManagement/DisableStoreOriginatedApps](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-disablestoreoriginatedapps)| Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. **Set to 1 (one)**
-| | [ApplicationManagement/AllowAppStoreAutoUpdate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate)| Specifies whether automatic update of apps from Microsoft Store are allowed. **Set to 0 (zero)**
-| 25.1 Apps for websites | [ApplicationDefaults/EnableAppUriHandlers](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationdefaults#applicationdefaults-enableappurihandlers) | This policy setting determines whether Windows supports web-to-app linking with app URI handlers. **Set to 0 (zero)**
+| 23. Windows Defender | [Defender/AllowCloudProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection) | Disconnect from the Microsoft Antimalware Protection Service. **Set to 0 (zero)**
+| | [Defender/SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent) | Stop sending file samples back to Microsoft. **Set to 2 (two)**
+| 23.1 Windows Defender Smartscreen | [Browser/AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | Disable Windows Defender Smartscreen. **Set to 0 (zero)**
+| 23.2 Windows Defender Smartscreen EnableAppInstallControl | [SmartScreen/EnableAppInstallControl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol) | Controls whether users are allowed to install apps from places other than the Microsoft Store. **Set to 0 (zero)**
+| 24. Windows Spotlight | [Experience/AllowWindowsSpotlight](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsspotlight) | Disable Windows Spotlight. **Set to 0 (zero)**
+| 25. Microsoft Store | [ApplicationManagement/DisableStoreOriginatedApps](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-disablestoreoriginatedapps)| Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. **Set to 1 (one)**
+| | [ApplicationManagement/AllowAppStoreAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate)| Specifies whether automatic update of apps from Microsoft Store are allowed. **Set to 0 (zero)**
+| 25.1 Apps for websites | [ApplicationDefaults/EnableAppUriHandlers](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationdefaults#applicationdefaults-enableappurihandlers) | This policy setting determines whether Windows supports web-to-app linking with app URI handlers. **Set to 0 (zero)**
| 26. Windows Update Delivery Optimization | | The following Delivery Optimization MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
-| | [DeliveryOptimization/DODownloadMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode)| Lets you choose where Delivery Optimization gets or sends updates and apps. **Set to 100 (one hundred)**
-| 27. Windows Update | [Update/AllowAutoUpdate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) | Control automatic updates. **Set to 5 (five)**
+| | [DeliveryOptimization/DODownloadMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode)| Lets you choose where Delivery Optimization gets or sends updates and apps. **Set to 100 (one hundred)**
+| 27. Windows Update | [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) | Control automatic updates. **Set to 5 (five)**
### Allowed traffic ("Whitelisted traffic") for Microsoft InTune / MDM configurations
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index b8f7179b74..439ba7637b 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -41,7 +41,7 @@ Applying the Windows Restricted Traffic Limited Functionality Baseline is the sa
It is recommended that you restart a device after making configuration changes to it.
Note that **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
-To use Microsoft InTune cloud based device managment for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm).
+To use Microsoft InTune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm).
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
@@ -606,7 +606,7 @@ For a complete list of the Microsoft Edge policies, see [Available policies for
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. For more info about NCSI, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx).
-In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2016, the URL was [http://www.msftncsi.com]().
+In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2016, the URL was `http://www.msftncsi.com`.
You can turn off NCSI by doing one of the following:
@@ -1465,7 +1465,7 @@ To turn this Off in the UI:
### 18.23 Voice Activation
-In the **Vocie activation** area, you can choose turn Off apps ability to listen for a Voice keyword.
+In the **Voice activation** area, you can choose turn Off apps ability to listen for a Voice keyword.
To turn this Off in the UI:
@@ -1671,7 +1671,7 @@ In Group Policy, configure:
-OR-
-- Create a REG_DWORD registry setting named **EnableSmartScreen** in **HKEY_LOCAL_MACHINE\\Sofware\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)**.
+- Create a REG_DWORD registry setting named **EnableSmartScreen** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)**.
-and-
diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md
index d148047f46..3fad7e54b2 100644
--- a/windows/privacy/manage-windows-1809-endpoints.md
+++ b/windows/privacy/manage-windows-1809-endpoints.md
@@ -457,6 +457,10 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op
| svchost | HTTPS | *.update.microsoft.com |
| svchost | HTTPS | *.delivery.mp.microsoft.com |
+These are dependent on enabling:
+- [Device authentication](manage-windows-1809-endpoints.md#device-authentication)
+- [Microsoft account](manage-windows-1809-endpoints.md#microsoft-account)
+
The following endpoint is used for content regulation.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
diff --git a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md
index f9dbed1a8c..d886aa19d1 100644
--- a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md
@@ -1,295 +1,295 @@
----
-title: Windows 10, version 1709, connection endpoints for non-Enterprise editions
-description: Explains what Windows 10 endpoints are used in non-Enterprise editions.
-keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: high
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 6/26/2018
-ms.reviewer:
----
-# Windows 10, version 1709, connection endpoints for non-Enterprise editions
-
- **Applies to**
-
-- Windows 10 Home, version 1709
-- Windows 10 Professional, version 1709
-- Windows 10 Education, version 1709
-
-In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1709.
-
-We used the following methodology to derive these network endpoints:
-
-1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
-2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
-3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
-4. Compile reports on traffic going to public IP addresses.
-5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
-6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here.
-
-> [!NOTE]
-> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
-
-## Windows 10 Home
-
-| **Destination** | **Protocol** | **Description** |
-| --- | --- | --- |
-| *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
-| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. |
-| *.1.msftsrvcs.vo.llnwi.net | HTTP | Used for Windows Update downloads of apps and OS updates. |
-| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
-| *.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
-| *.dscd.akamai.net | HTTP | Used to download content. |
-| *.dspg.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
-| *.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. |
-| *.m1-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
-| *.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
-| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. |
-| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
-| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. |
-| .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
-| 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
-| 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
-| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| arc.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
-| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. |
-| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| candycrushsoda.king.com | TLSv1.2 | Used for Candy Crush Saga updates. |
-| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. |
-| cdn.onenote.net | HTTP | Used for OneNote Live Tile. |
-| client-office365-tas.msedge.net | HTTP | Used to connect to the Office 365 portal’s shared infrastructure, including Office. |
-| config.edge.skype.com | HTTP | Used to retrieve Skype configuration values. |
-| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
-| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
-| cy2.licensing.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
-| cy2.purchase.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
-| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
-| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
-| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. |
-| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
-| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
-| dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
-| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
-| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. |
-| g.msn.com.nsatc.net | HTTP | Used to retrieve Windows Spotlight metadata. |
-| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
-| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
-| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). |
-| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
-| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
-| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
-| login.live.com | HTTPS | Used to authenticate a device. |
-| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
-| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
-| msftsrvcs.vo.llnwd.net | HTTP | Enables connections to Windows Update. |
-| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
-| oem.twimg.com | HTTPS | Used for the Twitter Live Tile. |
-| oneclient.sfx.ms | HTTPS | Used by OneDrive for Business to download and verify app updates. |
-| peer4-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
-| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
-| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
-| ris.api.iris.microsoft.com.akadns.net | TLSv1.2\/HTTPS | Used to retrieve Windows Spotlight metadata. |
-| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
-| sls.update.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update. |
-| star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. |
-| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
-| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
-| store-images.s-microsoft.com | HTTP | Used to get images that are used for Microsoft Store suggestions. |
-| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
-| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. |
-| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. |
-| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
-| wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. |
-| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
-| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
-| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
-| www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. |
-| www.facebook.com | HTTPS | Used for the Facebook Live Tile. |
-| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
-
-## Windows 10 Pro
-
-| **Destination** | **Protocol** | **Description** |
-| --- | --- | --- |
-| *.*.akamai.net | HTTP | Used to download content. |
-| *.*.akamaiedge.net | TLSv1.2\/HTTP | Used to check for updates to maps that have been downloaded for offline use. |
-| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
-| *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. |
-| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
-| *.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
-| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
-| *.dspg.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
-| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
-| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
-| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
-| *.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
-| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. |
-| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. |
-| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
-| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. |
-| 3.dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
-| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
-| 3.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
-| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
-| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| arc.msn.com.nsatc.net | TLSv1.3 | Used to retrieve Windows Spotlight metadata. |
-| au.download.windowsupdate.com | HTTPS | Used to download operating system patches and updates. |
-| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| candycrushsoda.king.com | HTTPS | Used for Candy Crush Saga updates. |
-| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. |
-| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. |
-| client-office365-tas.msedge.net | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office. |
-| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. |
-| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
-| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). |
-| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
-| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
-| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
-| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. |
-| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
-| download.windowsupdate.com | HTTP | Enables connections to Windows Update. |
-| evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office. |
-| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
-| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| fs.microsoft.com | HTTPS | Used to download fonts on demand |
-| g.live.com | HTTP | Used by a redirection service to automatically update URLs. |
-| g.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| g.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
-| geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
-| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
-| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
-| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . |
-| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). |
-| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
-| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
-| login.live.com | HTTPS | Used to authenticate a device. |
-| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
-| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
-| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
-| oem.twimg.com | HTTP | Used for the Twitter Live Tile. |
-| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. |
-| peer1-wst.msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
-| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
-| pti.store.microsoft.com.unistore.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
-| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
-| ris.api.iris.microsoft.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
-| sls.update.microsoft.com | HTTPS | Enables connections to Windows Update. |
-| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
-| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
-| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
-| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
-| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
-| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
-| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
-| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. |
-| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
-| wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. |
-| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
-| www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. |
-| www.facebook.com | HTTPS | Used for the Facebook Live Tile. |
-| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
-
-## Windows 10 Education
-
-| **Destination** | **Protocol** | **Description** |
-| --- | --- | --- |
-| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
-| *.b.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
-| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
-| *.dscb1.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
-| *.dscd.akamai.net | HTTP | Used to download content. |
-| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
-| *.dspw65.akamai.net | HTTP | Used to download content. |
-| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
-| *.g.akamai.net | HTTP | Used to download content. |
-| *.g.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
-| *.l.windowsupdate.com | HTTP | Enables connections to Windows Update. |
-| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
-| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates |
-| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
-| *prod.do.dsp.mp.microsoft.com | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. |
-| *prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. |
-| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
-| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
-| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. |
-| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. |
-| cds.*.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. |
-| co4.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
-| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. |
-| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
-| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). |
-| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
-| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
-| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
-| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
-| download.windowsupdate.com | HTTP | Enables connections to Windows Update. |
-| evoke-windowsservices-tas.msedge.net/ab | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office. |
-| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
-| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
-| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| g.msn.com.nsatc.net | TLSv1.2\/HTTP | Used to retrieve Windows Spotlight metadata. |
-| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
-| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
-| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
-| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . |
-| ipv4.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
-| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
-| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
-| login.live.com/* | HTTPS | Used to authenticate a device. |
-| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
-| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
-| msftconnecttest.com/* | HTTP | Used by Network Connection Status Indicator (NCSI) to detect Internet connectivity and corporate network connectivity status. |
-| msnbot-65-52-108-198.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
-| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. |
-| peer1-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
-| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
-| sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
-| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
-| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
-| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
-| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. |
-| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
-
-| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
-| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
+---
+title: Windows 10, version 1709, connection endpoints for non-Enterprise editions
+description: Explains what Windows 10 endpoints are used in non-Enterprise editions.
+keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+audience: ITPro
+author: dansimp
+ms.author: dansimp
+manager: dansimp
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 6/26/2018
+ms.reviewer:
+---
+# Windows 10, version 1709, connection endpoints for non-Enterprise editions
+
+ **Applies to**
+
+- Windows 10 Home, version 1709
+- Windows 10 Professional, version 1709
+- Windows 10 Education, version 1709
+
+In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1709.
+
+We used the following methodology to derive these network endpoints:
+
+1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
+2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+4. Compile reports on traffic going to public IP addresses.
+5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
+6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here.
+
+> [!NOTE]
+> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
+
+## Windows 10 Home
+
+| **Destination** | **Protocol** | **Description** |
+| --- | --- | --- |
+| *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
+| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. |
+| *.1.msftsrvcs.vo.llnwi.net | HTTP | Used for Windows Update downloads of apps and OS updates. |
+| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
+| *.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
+| *.dscd.akamai.net | HTTP | Used to download content. |
+| *.dspg.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
+| *.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. |
+| *.m1-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| *.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
+| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. |
+| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
+| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. |
+| .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
+| 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
+| 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
+| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
+| arc.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
+| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. |
+| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| candycrushsoda.king.com | TLSv1.2 | Used for Candy Crush Saga updates. |
+| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. |
+| cdn.onenote.net | HTTP | Used for OneNote Live Tile. |
+| client-office365-tas.msedge.net | HTTP | Used to connect to the Office 365 portal’s shared infrastructure, including Office. |
+| config.edge.skype.com | HTTP | Used to retrieve Skype configuration values. |
+| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
+| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
+| cy2.licensing.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
+| cy2.purchase.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
+| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
+| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
+| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. |
+| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
+| dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
+| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. |
+| g.msn.com.nsatc.net | HTTP | Used to retrieve Windows Spotlight metadata. |
+| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
+| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
+| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). |
+| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
+| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
+| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
+| login.live.com | HTTPS | Used to authenticate a device. |
+| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
+| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
+| msftsrvcs.vo.llnwd.net | HTTP | Enables connections to Windows Update. |
+| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
+| oem.twimg.com | HTTPS | Used for the Twitter Live Tile. |
+| oneclient.sfx.ms | HTTPS | Used by OneDrive for Business to download and verify app updates. |
+| peer4-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
+| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| ris.api.iris.microsoft.com.akadns.net | TLSv1.2\/HTTPS | Used to retrieve Windows Spotlight metadata. |
+| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
+| sls.update.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update. |
+| star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. |
+| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
+| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| store-images.s-microsoft.com | HTTP | Used to get images that are used for Microsoft Store suggestions. |
+| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
+| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. |
+| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. |
+| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
+| wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. |
+| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
+| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
+| www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. |
+| www.facebook.com | HTTPS | Used for the Facebook Live Tile. |
+| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
+
+## Windows 10 Pro
+
+| **Destination** | **Protocol** | **Description** |
+| --- | --- | --- |
+| *.*.akamai.net | HTTP | Used to download content. |
+| *.*.akamaiedge.net | TLSv1.2\/HTTP | Used to check for updates to maps that have been downloaded for offline use. |
+| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. |
+| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
+| *.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
+| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
+| *.dspg.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
+| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
+| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| *.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
+| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. |
+| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. |
+| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
+| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. |
+| 3.dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
+| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
+| 3.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
+| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
+| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
+| arc.msn.com.nsatc.net | TLSv1.3 | Used to retrieve Windows Spotlight metadata. |
+| au.download.windowsupdate.com | HTTPS | Used to download operating system patches and updates. |
+| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| candycrushsoda.king.com | HTTPS | Used for Candy Crush Saga updates. |
+| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. |
+| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. |
+| client-office365-tas.msedge.net | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office. |
+| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. |
+| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
+| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). |
+| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
+| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
+| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
+| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. |
+| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| download.windowsupdate.com | HTTP | Enables connections to Windows Update. |
+| evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office. |
+| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
+| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| fs.microsoft.com | HTTPS | Used to download fonts on demand |
+| g.live.com | HTTP | Used by a redirection service to automatically update URLs. |
+| g.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
+| g.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
+| geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
+| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
+| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
+| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . |
+| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). |
+| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
+| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
+| login.live.com | HTTPS | Used to authenticate a device. |
+| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
+| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
+| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
+| oem.twimg.com | HTTP | Used for the Twitter Live Tile. |
+| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. |
+| peer1-wst.msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
+| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| pti.store.microsoft.com.unistore.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
+| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| ris.api.iris.microsoft.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
+| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
+| sls.update.microsoft.com | HTTPS | Enables connections to Windows Update. |
+| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
+| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
+| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
+| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
+| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
+| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
+| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. |
+| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
+| wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. |
+| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
+| www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. |
+| www.facebook.com | HTTPS | Used for the Facebook Live Tile. |
+| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
+
+## Windows 10 Education
+
+| **Destination** | **Protocol** | **Description** |
+| --- | --- | --- |
+| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| *.b.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
+| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
+| *.dscb1.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
+| *.dscd.akamai.net | HTTP | Used to download content. |
+| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
+| *.dspw65.akamai.net | HTTP | Used to download content. |
+| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| *.g.akamai.net | HTTP | Used to download content. |
+| *.g.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
+| *.l.windowsupdate.com | HTTP | Enables connections to Windows Update. |
+| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
+| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates |
+| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
+| *prod.do.dsp.mp.microsoft.com | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. |
+| *prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. |
+| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
+| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
+| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. |
+| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. |
+| cds.*.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. |
+| co4.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
+| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. |
+| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
+| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). |
+| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
+| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
+| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
+| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
+| download.windowsupdate.com | HTTP | Enables connections to Windows Update. |
+| evoke-windowsservices-tas.msedge.net/ab | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office. |
+| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
+| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
+| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| g.msn.com.nsatc.net | TLSv1.2\/HTTP | Used to retrieve Windows Spotlight metadata. |
+| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
+| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
+| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
+| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . |
+| ipv4.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
+| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
+| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
+| login.live.com/* | HTTPS | Used to authenticate a device. |
+| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
+| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
+| msftconnecttest.com/* | HTTP | Used by Network Connection Status Indicator (NCSI) to detect Internet connectivity and corporate network connectivity status. |
+| msnbot-65-52-108-198.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
+| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. |
+| peer1-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
+| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
+| sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
+| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
+| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
+| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. |
+| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
+
+| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
+| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
diff --git a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md
index 7b3c0d3958..574818973c 100644
--- a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md
@@ -1,165 +1,165 @@
----
-title: Windows 10, version 1803, connection endpoints for non-Enterprise editions
-description: Explains what Windows 10 endpoints are used in non-Enterprise editions.
-keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: high
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 6/26/2018
-ms.reviewer:
----
-# Windows 10, version 1803, connection endpoints for non-Enterprise editions
-
- **Applies to**
-
-- Windows 10 Home, version 1803
-- Windows 10 Professional, version 1803
-- Windows 10 Education, version 1803
-
-In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1803.
-
-We used the following methodology to derive these network endpoints:
-
-1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
-2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
-3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
-4. Compile reports on traffic going to public IP addresses.
-5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
-6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here.
-
-> [!NOTE]
-> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
-
-## Windows 10 Family
-
-| **Destination** | **Protocol** | **Description** |
-| --- | --- | --- |
-| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
-| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| *.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ | HTTP | Enables connections to Windows Update. |
-| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| arc.msn.com/v3/Delivery/Placement | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| client-office365-tas.msedge.net* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office. |
-| config.edge.skype.com/config/* | HTTPS | Used to retrieve Skype configuration values. |
-| ctldl.windowsupdate.com/msdownload/update* | HTTP | Used to download certificates that are publicly known to be fraudulent. |
-| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
-| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
-| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
-| displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. |
-| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS). |
-| fe2.update.microsoft.com* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| g.live.com/odclientsettings/Prod | HTTPS | Used by OneDrive for Business to download and verify app updates. |
-| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. |
-| ip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. |
-| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. |
-| licensing.mp.microsoft.com/v7.0/licenses/content | HTTPS | Used for online activation and some app licensing. |
-| location-inference-westus.cloudapp.net | HTTPS | Used for location data. |
-| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application. |
-| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
-| ocos-office365-s2s.msedge.net* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. |
-| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
-| oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. |
-| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry |
-| prod.nexusrules.live.com.akadns.net | HTTPS | Office Telemetry |
-| query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| ris.api.iris.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| settings.data.microsoft.com/settings/v2.0/* | HTTPS | Used for Windows apps to dynamically update their configuration. |
-| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. |
-| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app |
-| sls.update.microsoft.com* | HTTPS | Enables connections to Windows Update. |
-| storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
-| storeedgefd.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. |
-| tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. |
-| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
-| us.configsvc1.live.com.akadns.net | HTTPS | Microsoft Office configuration related traffic |
-| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. |
-| wd-prod-cp-us-east-2-fe.eastus.cloudapp.azure.com | HTTPS | Azure front end traffic |
-
-
-## Windows 10 Pro
-| **Destination** | **Protocol** | **Description** |
-| --- | --- | --- |
-| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
-| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. |
-| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. |
-| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. |
-| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. |
-| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
-| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
-| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) |
-| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| flightingservicewus.cloudapp.net | HTTPS | Insider Program |
-| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. |
-| location-inference-westus.cloudapp.net | HTTPS | Used for location data. |
-| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
-| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
-| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry |
-| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. |
-| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
-| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic |
-
-
-## Windows 10 Education
-
-| **Destination** | **Protocol** | **Description** |
-| --- | --- | --- |
-| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
-| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
-| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
-| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. |
-| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. |
-| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
-| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. |
-| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. |
-| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office. |
-| cloudtile.photos.microsoft.com.akadns.net | HTTPS | Photos App in MS Store
-| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values. |
-| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. |
-| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
-| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
-| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
-| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. |
-| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. |
-| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. |
-| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| flightingservicewus.cloudapp.net | HTTPS | Insider Program |
-| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. |
-| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. |
-| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. |
-| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application |
-| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
-| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. |
-| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
-| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. |
-| onecollector.cloudapp.aria.akadns.net | HTTPS | Office telemetry |
-| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. |
-| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app |
-| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. |
-| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
-| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. |
-| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
-| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. |
-| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. |
-| wd-prod-cp-us-west-3-fe.westus.cloudapp.azure.com | HTTPS | Azure front end traffic |
-| www.bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
+---
+title: Windows 10, version 1803, connection endpoints for non-Enterprise editions
+description: Explains what Windows 10 endpoints are used in non-Enterprise editions.
+keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+audience: ITPro
+author: dansimp
+ms.author: dansimp
+manager: dansimp
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 6/26/2018
+ms.reviewer:
+---
+# Windows 10, version 1803, connection endpoints for non-Enterprise editions
+
+ **Applies to**
+
+- Windows 10 Home, version 1803
+- Windows 10 Professional, version 1803
+- Windows 10 Education, version 1803
+
+In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1803.
+
+We used the following methodology to derive these network endpoints:
+
+1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
+2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+4. Compile reports on traffic going to public IP addresses.
+5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
+6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here.
+
+> [!NOTE]
+> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
+
+## Windows 10 Family
+
+| **Destination** | **Protocol** | **Description** |
+| --- | --- | --- |
+| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
+| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| *.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ | HTTP | Enables connections to Windows Update. |
+| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
+| arc.msn.com/v3/Delivery/Placement | HTTPS | Used to retrieve Windows Spotlight metadata. |
+| client-office365-tas.msedge.net* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office. |
+| config.edge.skype.com/config/* | HTTPS | Used to retrieve Skype configuration values. |
+| ctldl.windowsupdate.com/msdownload/update* | HTTP | Used to download certificates that are publicly known to be fraudulent. |
+| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
+| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
+| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
+| displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. |
+| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS). |
+| fe2.update.microsoft.com* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| g.live.com/odclientsettings/Prod | HTTPS | Used by OneDrive for Business to download and verify app updates. |
+| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
+| geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. |
+| ip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. |
+| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. |
+| licensing.mp.microsoft.com/v7.0/licenses/content | HTTPS | Used for online activation and some app licensing. |
+| location-inference-westus.cloudapp.net | HTTPS | Used for location data. |
+| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application. |
+| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
+| ocos-office365-s2s.msedge.net* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. |
+| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
+| oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. |
+| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry |
+| prod.nexusrules.live.com.akadns.net | HTTPS | Office Telemetry |
+| query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. |
+| ris.api.iris.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. |
+| settings.data.microsoft.com/settings/v2.0/* | HTTPS | Used for Windows apps to dynamically update their configuration. |
+| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. |
+| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app |
+| sls.update.microsoft.com* | HTTPS | Enables connections to Windows Update. |
+| storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
+| storeedgefd.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. |
+| tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. |
+| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
+| us.configsvc1.live.com.akadns.net | HTTPS | Microsoft Office configuration related traffic |
+| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. |
+| wd-prod-cp-us-east-2-fe.eastus.cloudapp.azure.com | HTTPS | Azure front end traffic |
+
+
+## Windows 10 Pro
+| **Destination** | **Protocol** | **Description** |
+| --- | --- | --- |
+| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
+| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. |
+| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. |
+| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
+| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. |
+| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. |
+| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
+| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
+| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) |
+| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| flightingservicewus.cloudapp.net | HTTPS | Insider Program |
+| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
+| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. |
+| location-inference-westus.cloudapp.net | HTTPS | Used for location data. |
+| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
+| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
+| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry |
+| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
+| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. |
+| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
+| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic |
+
+
+## Windows 10 Education
+
+| **Destination** | **Protocol** | **Description** |
+| --- | --- | --- |
+| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
+| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
+| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
+| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
+| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. |
+| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. |
+| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
+| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. |
+| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. |
+| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office. |
+| cloudtile.photos.microsoft.com.akadns.net | HTTPS | Photos App in MS Store
+| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values. |
+| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. |
+| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
+| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
+| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
+| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. |
+| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. |
+| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. |
+| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
+| flightingservicewus.cloudapp.net | HTTPS | Insider Program |
+| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. |
+| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
+| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. |
+| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. |
+| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application |
+| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
+| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. |
+| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
+| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. |
+| onecollector.cloudapp.aria.akadns.net | HTTPS | Office telemetry |
+| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. |
+| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app |
+| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. |
+| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
+| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. |
+| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
+| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. |
+| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. |
+| wd-prod-cp-us-west-3-fe.westus.cloudapp.azure.com | HTTPS | Azure front end traffic |
+| www.bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
diff --git a/windows/privacy/windows-personal-data-services-configuration.md b/windows/privacy/windows-personal-data-services-configuration.md
index a5005057fc..0b5997a3eb 100644
--- a/windows/privacy/windows-personal-data-services-configuration.md
+++ b/windows/privacy/windows-personal-data-services-configuration.md
@@ -1,408 +1,408 @@
----
-title: Windows 10 personal data services configuration
-description: An overview of Windows 10 services configuration settings that are used for personal data privacy protection relevant for regulations, such as the General Data Protection Regulation (GDPR)
-keywords: privacy, GDPR, windows, IT
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: high
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 05/11/2018
-ms.reviewer:
----
-# Windows 10 personal data services configuration
-
-Applies to:
-- Windows 10, version 1803
-
-Microsoft assembled a list of Windows 10 services configuration settings that are useful for personal data privacy protection and related regulations, such as the General Data Protection Regulation (GDPR). There is one section with settings for service data that is managed at Microsoft and a section for local data that is managed by an IT organization.
-
-IT Professionals that are interested in applying these settings via group policies can find the configuration for download [here](https://go.microsoft.com/fwlink/?linkid=874149).
-
-## Introduction
-
-Microsoft collects data from or generates it through interactions with users of Windows 10 devices. This information can contain personal data that may be used to provide, support, and improve Windows 10 services.
-
-Many Windows 10 services are controller services. A user can manage data collection settings, for example by opening *Start > Settings > Privacy* or by visiting the [Microsoft Privacy dashboard](https://account.microsoft.com/privacy). While this relationship between Microsoft and a user is evident in a consumer type scenario, an IT organization can influence that relationship. For example, the IT department has the ability to configure the Windows diagnostic data level across their organization by using Group Policy, registry, or Mobile Device Management (MDM) settings.
-
-Below is a collection of settings related to the Windows 10 personal data services configuration that IT Professionals can use as guidance for influencing Windows diagnostic data collection and personal data protection.
-
-## Windows diagnostic data
-
-Windows 10 collects Windows diagnostic data—such as usage data, performance data, inking, typing, and utterance data—and sends it back to Microsoft. That data is used for keeping the operating system secure and up-to-date, to troubleshoot problems, and to make product improvements. For users who have turned on "Tailored experiences", that data can also be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs.
-
-The following options for configuring Windows diagnostic data are relevant in this context.
-
-### Diagnostic level
-
-This setting determines the amount of Windows diagnostic data sent to Microsoft.
-
->[!NOTE]
->In Windows 10, version 1709, Microsoft introduced a new feature: “Limit Enhanced diagnostic data to the minimum required by Windows Analytics”. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by [Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics). For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
-
-#### Group Policy
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds |
->| **Policy Name** | Allow Telemetry |
->| **Default setting** | 2 - Enhanced |
->| **Recommended** | 2 - Enhanced |
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds |
->| **Policy Name** | Allow Telemetry |
->| **Default setting** | 2 - Enhanced |
->| **Recommended** | 2 - Enhanced |
-
->[!NOTE]
->When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used.
-
-#### Registry
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection |
->| **Value** | AllowTelemetry |
->| **Type** | REG_DWORD |
->| **Setting** | "00000002" |
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Registry key** | HKCU\Software\Policies\Microsoft\Windows\DataCollection |
->| **Value** | AllowTelemetry |
->| **Type** | REG_DWORD |
->| **Setting** | "00000002" |
-
-#### MDM
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **MDM CSP** | System |
->| **Policy** | AllowTelemetry (scope: device and user) |
->| **Default setting** | 2 – Enhanced |
->| **Recommended** | 2 – Allowed |
-
-### Diagnostic opt-in change notifications
-
-This setting determines whether a device shows notifications about Windows diagnostic data levels to people on first logon or when changes occur in the diagnostic configuration.
-
-#### Group Policy
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds |
->| **Policy Name** | Configure telemetry opt-in change notifications |
->| **Default setting** | Enabled |
->| **Recommended** | Enabled |
-
-#### Registry
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection |
->| **Value** | DisableTelemetryOptInChangeNotification |
->| **Type** | REG_DWORD |
->| **Setting** | "00000000" |
-
-#### MDM
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **MDM CSP** | System |
->| **Policy** | ConfigureTelemetryOptInChangeNotification |
->| **Default setting** | 0 – Enabled |
->| **Recommended** | 0 – Enabled |
-
-### Configure telemetry opt-in setting user interface
-
-This setting determines whether people can change their own Windows diagnostic data level in *Start > Settings > Privacy > Diagnostics & feedback*.
-
-#### Group Policy
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds |
->| **Policy Name** | Configure telemetry opt-in setting user interface |
->| **Default setting** | Enabled |
->| **Recommended** | Enabled |
-
-#### Registry
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection |
->| **Value** | DisableTelemetryOptInSettingsUx |
->| **Type** | REG_DWORD |
->| **Setting** | "00000001" |
-
-#### MDM
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **MDM CSP** | System |
->| **Policy** | ConfigureTelemetryOptInSettingsUx |
->| **Default setting** | 0 – Enabled |
->| **Recommended** | 0 – Enabled |
-
-## Policies affecting personal data protection managed by the Enterprise IT
-
-There are additional settings usually managed by the Enterprise IT that also affect the protection of personal data.
-
-The following options for configuring these policies are relevant in this context.
-
-### BitLocker
-
-The following settings determine whether fixed and removable drives are protected by the BitLocker Drive Encryption.
-
-#### Fixed Data Drives
-
-#### Group Policy
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Fixed Data Drives |
->| **Policy Name** | Deny write access to fixed drives not protected by BitLocker |
->| **Default setting** | Not configured |
->| **Recommended** | Enabled |
-
-#### Registry
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Registry key** | HKLM\System\CurrentControlSet\Policies\Microsoft\FVE |
->| **Value** | FDVDenyWriteAccess |
->| **Type** | REG_DWORD |
->| **Setting** | "00000001" |
-
-#### MDM
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **MDM CSP** | BitLocker |
->| **Policy** | FixedDrivesRequireEncryption |
->| **Default setting** | Disabled |
->| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#fixeddrivesrequireencryption)) |
-
-#### Removable Data Drives
-
-#### Group Policy
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Removable Data Drives |
->| **Policy Name** | Deny write access to removable drives not protected by BitLocker |
->| **Default setting** | Not configured |
->| **Recommended** | Enabled |
-
-#### Registry
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Registry key** | HKLM\System\CurrentControlSet\Policies\Microsoft\FVE |
->| **Value** | RDVDenyWriteAccess |
->| **Type** | REG_DWORD |
->| **Setting** | "00000001" |
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Registry key** | HKLM\Software\Policies\Microsoft\FVE |
->| **Value** | RDVDenyCrossOrg |
->| **Type** | REG_DWORD |
->| **Setting** | "00000000" |
-
-#### MDM
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **MDM CSP** | BitLocker |
->| **Policy** | RemovableDrivesRequireEncryption |
->| **Default setting** | Disabled |
->| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#removabledrivesrequireencryption)) |
-
-### Privacy – AdvertisingID
-
-This setting determines if the advertising ID, which preventing apps from using the ID for experiences across apps, is turned off.
-
-#### Group Policy
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Group Policy** | Computer Configuration\Administrative Templates\System\User Profiles |
->| **Policy Name** | Turn off the advertising ID |
->| **Default setting** | Not configured |
->| **Recommended** | Enabled |
-
-#### Registry
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo |
->| **Value** | DisabledByGroupPolicy |
->| **Type** | REG_DWORD |
->| **Setting** | "00000001" |
-
-#### MDM
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **MDM CSP** | Privacy |
->| **Policy** | DisableAdvertisingId |
->| **Default setting** | 65535 (default) - Not configured |
->| **Recommended** | 1 – Enabled |
-
-### Edge
-
-These settings whether employees send “Do Not Track” from the Microsoft Edge web browser to websites.
-
->[!NOTE]
->Please see [this Microsoft blog post](https://blogs.microsoft.com/on-the-issues/2015/04/03/an-update-on-microsofts-approach-to-do-not-track/) for more details on why the “Do Not Track” is no longer the default setting.
-
-#### Group Policy
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge |
->| **Policy Name** | Configure Do Not Track |
->| **Default setting** | Disabled |
->| **Recommended** | Disabled |
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Microsoft Edge |
->| **Policy Name** | Configure Do Not Track |
->| **Default setting** | Disabled |
->| **Recommended** | Disabled |
-
-#### Registry
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Registry key** | HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main |
->| **Value** | DoNotTrack |
->| **Type** | REG_DWORD |
->| **Setting** | "00000000" |
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Registry key** | HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main |
->| **Value** | DoNotTrack |
->| **Type** | REG_DWORD |
->| **Setting** | "00000000" |
-
-#### MDM
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **MDM CSP** | Browser |
->| **Policy** | AllowDoNotTrack (scope: device + user) |
->| **Default setting** | 0 (default) – Not allowed |
->| **Recommended** | 0 – Not allowed |
-
-### Internet Explorer
-
-These settings whether employees send “Do Not Track” header from the Microsoft Explorer web browser to websites.
-
-#### Group Policy
-
-> [!div class="mx-tableFixed"]
->| | |
->|:-|:-|
->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
->| **Policy Name** | Always send Do Not Track header |
->| **Default setting** | Disabled |
->| **Recommended** | Disabled |
-
-> [!div class="mx-tableFixed"]
->|||
->|:-|:-|
->| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
->| **Policy Name** | Always send Do Not Track header |
->| **Default setting** | Disabled |
->| **Recommended** | Disabled |
-
-#### Registry
-
-> [!div class="mx-tableFixed"]
->|||
->|:-|:-|
->| **Registry key** | HKLM\Software\Policies\Microsoft\Internet Explorer\Main |
->| **Value** | DoNotTrack |
->| **Type** | REG_DWORD |
->| **Setting** | "00000000" |
-
-> [!div class="mx-tableFixed"]
->|||
->|:-|:-|
->| **Registry key** | HKCU\Software\Policies\Microsoft\Internet Explorer\Main |
->| **Value** | DoNotTrack |
->| **Type** | REG_DWORD |
->| **Setting** | "00000000" |
-
-#### MDM
-
-> [!div class="mx-tableFixed"]
->|||
->|:-|:-|
->| **MDM CSP** | N/A |
-
-## Additional resources
-
-### FAQs
-
-* [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy)
-* [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy)
-* [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy)
-* [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense)
-
-### Blogs
-
-* [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
-
-### Privacy Statement
-
-* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
-
-### Windows Privacy on docs.microsoft.com
-
-* [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
-* [Manage Windows 10 connection endpoints](manage-windows-endpoints.md)
-* [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data)
-* [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
-
-### Other resources
-
-* [Privacy at Microsoft](https://privacy.microsoft.com/)
+---
+title: Windows 10 personal data services configuration
+description: An overview of Windows 10 services configuration settings that are used for personal data privacy protection relevant for regulations, such as the General Data Protection Regulation (GDPR)
+keywords: privacy, GDPR, windows, IT
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+audience: ITPro
+author: dansimp
+ms.author: dansimp
+manager: dansimp
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 05/11/2018
+ms.reviewer:
+---
+# Windows 10 personal data services configuration
+
+Applies to:
+- Windows 10, version 1803
+
+Microsoft assembled a list of Windows 10 services configuration settings that are useful for personal data privacy protection and related regulations, such as the General Data Protection Regulation (GDPR). There is one section with settings for service data that is managed at Microsoft and a section for local data that is managed by an IT organization.
+
+IT Professionals that are interested in applying these settings via group policies can find the configuration for download [here](https://go.microsoft.com/fwlink/?linkid=874149).
+
+## Introduction
+
+Microsoft collects data from or generates it through interactions with users of Windows 10 devices. This information can contain personal data that may be used to provide, support, and improve Windows 10 services.
+
+Many Windows 10 services are controller services. A user can manage data collection settings, for example by opening *Start > Settings > Privacy* or by visiting the [Microsoft Privacy dashboard](https://account.microsoft.com/privacy). While this relationship between Microsoft and a user is evident in a consumer type scenario, an IT organization can influence that relationship. For example, the IT department has the ability to configure the Windows diagnostic data level across their organization by using Group Policy, registry, or Mobile Device Management (MDM) settings.
+
+Below is a collection of settings related to the Windows 10 personal data services configuration that IT Professionals can use as guidance for influencing Windows diagnostic data collection and personal data protection.
+
+## Windows diagnostic data
+
+Windows 10 collects Windows diagnostic data—such as usage data, performance data, inking, typing, and utterance data—and sends it back to Microsoft. That data is used for keeping the operating system secure and up-to-date, to troubleshoot problems, and to make product improvements. For users who have turned on "Tailored experiences", that data can also be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs.
+
+The following options for configuring Windows diagnostic data are relevant in this context.
+
+### Diagnostic level
+
+This setting determines the amount of Windows diagnostic data sent to Microsoft.
+
+>[!NOTE]
+>In Windows 10, version 1709, Microsoft introduced a new feature: “Limit Enhanced diagnostic data to the minimum required by Windows Analytics”. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by [Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics). For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
+
+#### Group Policy
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds |
+>| **Policy Name** | Allow Telemetry |
+>| **Default setting** | 2 - Enhanced |
+>| **Recommended** | 2 - Enhanced |
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds |
+>| **Policy Name** | Allow Telemetry |
+>| **Default setting** | 2 - Enhanced |
+>| **Recommended** | 2 - Enhanced |
+
+>[!NOTE]
+>When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used.
+
+#### Registry
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection |
+>| **Value** | AllowTelemetry |
+>| **Type** | REG_DWORD |
+>| **Setting** | "00000002" |
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **Registry key** | HKCU\Software\Policies\Microsoft\Windows\DataCollection |
+>| **Value** | AllowTelemetry |
+>| **Type** | REG_DWORD |
+>| **Setting** | "00000002" |
+
+#### MDM
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **MDM CSP** | System |
+>| **Policy** | AllowTelemetry (scope: device and user) |
+>| **Default setting** | 2 – Enhanced |
+>| **Recommended** | 2 – Allowed |
+
+### Diagnostic opt-in change notifications
+
+This setting determines whether a device shows notifications about Windows diagnostic data levels to people on first logon or when changes occur in the diagnostic configuration.
+
+#### Group Policy
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds |
+>| **Policy Name** | Configure telemetry opt-in change notifications |
+>| **Default setting** | Enabled |
+>| **Recommended** | Enabled |
+
+#### Registry
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection |
+>| **Value** | DisableTelemetryOptInChangeNotification |
+>| **Type** | REG_DWORD |
+>| **Setting** | "00000000" |
+
+#### MDM
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **MDM CSP** | System |
+>| **Policy** | ConfigureTelemetryOptInChangeNotification |
+>| **Default setting** | 0 – Enabled |
+>| **Recommended** | 0 – Enabled |
+
+### Configure telemetry opt-in setting user interface
+
+This setting determines whether people can change their own Windows diagnostic data level in *Start > Settings > Privacy > Diagnostics & feedback*.
+
+#### Group Policy
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds |
+>| **Policy Name** | Configure telemetry opt-in setting user interface |
+>| **Default setting** | Enabled |
+>| **Recommended** | Enabled |
+
+#### Registry
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection |
+>| **Value** | DisableTelemetryOptInSettingsUx |
+>| **Type** | REG_DWORD |
+>| **Setting** | "00000001" |
+
+#### MDM
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **MDM CSP** | System |
+>| **Policy** | ConfigureTelemetryOptInSettingsUx |
+>| **Default setting** | 0 – Enabled |
+>| **Recommended** | 0 – Enabled |
+
+## Policies affecting personal data protection managed by the Enterprise IT
+
+There are additional settings usually managed by the Enterprise IT that also affect the protection of personal data.
+
+The following options for configuring these policies are relevant in this context.
+
+### BitLocker
+
+The following settings determine whether fixed and removable drives are protected by the BitLocker Drive Encryption.
+
+#### Fixed Data Drives
+
+#### Group Policy
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Fixed Data Drives |
+>| **Policy Name** | Deny write access to fixed drives not protected by BitLocker |
+>| **Default setting** | Not configured |
+>| **Recommended** | Enabled |
+
+#### Registry
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **Registry key** | HKLM\System\CurrentControlSet\Policies\Microsoft\FVE |
+>| **Value** | FDVDenyWriteAccess |
+>| **Type** | REG_DWORD |
+>| **Setting** | "00000001" |
+
+#### MDM
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **MDM CSP** | BitLocker |
+>| **Policy** | FixedDrivesRequireEncryption |
+>| **Default setting** | Disabled |
+>| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#fixeddrivesrequireencryption)) |
+
+#### Removable Data Drives
+
+#### Group Policy
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Removable Data Drives |
+>| **Policy Name** | Deny write access to removable drives not protected by BitLocker |
+>| **Default setting** | Not configured |
+>| **Recommended** | Enabled |
+
+#### Registry
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **Registry key** | HKLM\System\CurrentControlSet\Policies\Microsoft\FVE |
+>| **Value** | RDVDenyWriteAccess |
+>| **Type** | REG_DWORD |
+>| **Setting** | "00000001" |
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **Registry key** | HKLM\Software\Policies\Microsoft\FVE |
+>| **Value** | RDVDenyCrossOrg |
+>| **Type** | REG_DWORD |
+>| **Setting** | "00000000" |
+
+#### MDM
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **MDM CSP** | BitLocker |
+>| **Policy** | RemovableDrivesRequireEncryption |
+>| **Default setting** | Disabled |
+>| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#removabledrivesrequireencryption)) |
+
+### Privacy – AdvertisingID
+
+This setting determines if the advertising ID, which preventing apps from using the ID for experiences across apps, is turned off.
+
+#### Group Policy
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **Group Policy** | Computer Configuration\Administrative Templates\System\User Profiles |
+>| **Policy Name** | Turn off the advertising ID |
+>| **Default setting** | Not configured |
+>| **Recommended** | Enabled |
+
+#### Registry
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo |
+>| **Value** | DisabledByGroupPolicy |
+>| **Type** | REG_DWORD |
+>| **Setting** | "00000001" |
+
+#### MDM
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **MDM CSP** | Privacy |
+>| **Policy** | DisableAdvertisingId |
+>| **Default setting** | 65535 (default) - Not configured |
+>| **Recommended** | 1 – Enabled |
+
+### Edge
+
+These settings whether employees send “Do Not Track” from the Microsoft Edge web browser to websites.
+
+>[!NOTE]
+>Please see [this Microsoft blog post](https://blogs.microsoft.com/on-the-issues/2015/04/03/an-update-on-microsofts-approach-to-do-not-track/) for more details on why the “Do Not Track” is no longer the default setting.
+
+#### Group Policy
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge |
+>| **Policy Name** | Configure Do Not Track |
+>| **Default setting** | Disabled |
+>| **Recommended** | Disabled |
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Microsoft Edge |
+>| **Policy Name** | Configure Do Not Track |
+>| **Default setting** | Disabled |
+>| **Recommended** | Disabled |
+
+#### Registry
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **Registry key** | HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main |
+>| **Value** | DoNotTrack |
+>| **Type** | REG_DWORD |
+>| **Setting** | "00000000" |
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **Registry key** | HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main |
+>| **Value** | DoNotTrack |
+>| **Type** | REG_DWORD |
+>| **Setting** | "00000000" |
+
+#### MDM
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **MDM CSP** | Browser |
+>| **Policy** | AllowDoNotTrack (scope: device + user) |
+>| **Default setting** | 0 (default) – Not allowed |
+>| **Recommended** | 0 – Not allowed |
+
+### Internet Explorer
+
+These settings whether employees send “Do Not Track” header from the Microsoft Explorer web browser to websites.
+
+#### Group Policy
+
+> [!div class="mx-tableFixed"]
+>| | |
+>|:-|:-|
+>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
+>| **Policy Name** | Always send Do Not Track header |
+>| **Default setting** | Disabled |
+>| **Recommended** | Disabled |
+
+> [!div class="mx-tableFixed"]
+>|||
+>|:-|:-|
+>| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
+>| **Policy Name** | Always send Do Not Track header |
+>| **Default setting** | Disabled |
+>| **Recommended** | Disabled |
+
+#### Registry
+
+> [!div class="mx-tableFixed"]
+>|||
+>|:-|:-|
+>| **Registry key** | HKLM\Software\Policies\Microsoft\Internet Explorer\Main |
+>| **Value** | DoNotTrack |
+>| **Type** | REG_DWORD |
+>| **Setting** | "00000000" |
+
+> [!div class="mx-tableFixed"]
+>|||
+>|:-|:-|
+>| **Registry key** | HKCU\Software\Policies\Microsoft\Internet Explorer\Main |
+>| **Value** | DoNotTrack |
+>| **Type** | REG_DWORD |
+>| **Setting** | "00000000" |
+
+#### MDM
+
+> [!div class="mx-tableFixed"]
+>|||
+>|:-|:-|
+>| **MDM CSP** | N/A |
+
+## Additional resources
+
+### FAQs
+
+* [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy)
+* [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy)
+* [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy)
+* [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense)
+
+### Blogs
+
+* [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
+
+### Privacy Statement
+
+* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
+
+### Windows Privacy on docs.microsoft.com
+
+* [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
+* [Manage Windows 10 connection endpoints](manage-windows-endpoints.md)
+* [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data)
+* [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
+
+### Other resources
+
+* [Privacy at Microsoft](https://privacy.microsoft.com/)
diff --git a/windows/release-information/resolved-issues-windows-10-1607.yml b/windows/release-information/resolved-issues-windows-10-1607.yml
index a6ec153084..4b9f034e96 100644
--- a/windows/release-information/resolved-issues-windows-10-1607.yml
+++ b/windows/release-information/resolved-issues-windows-10-1607.yml
@@ -32,6 +32,7 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 14393.3025
June 11, 2019
KB4503267 | Resolved
KB4503294 | June 18, 2019
02:00 PM PT |
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 14393.2999
May 23, 2019
KB4499177 | Resolved
KB4503267 | June 11, 2019
10:00 AM PT |
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
See details > | OS Build 14393.2848
March 12, 2019
KB4489882 | Resolved
KB4503267 | June 11, 2019
10:00 AM PT |
Update not showing as applicable through WSUS or SCCM or when manually installed
Update not showing as applicable through WSUS or SCCM or when manually installed
See details > | OS Build 14393.2969
May 14, 2019
KB4494440 | Resolved
KB4498947 | May 14, 2019
10:00 AM PT |
@@ -67,6 +68,7 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503294.
Back to top | OS Build 14393.3025
June 11, 2019
KB4503267 | Resolved
KB4503294 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
| Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503267.
Back to top | OS Build 14393.2999
May 23, 2019
KB4499177 | Resolved
KB4503267 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT |
"
diff --git a/windows/release-information/resolved-issues-windows-10-1703.yml b/windows/release-information/resolved-issues-windows-10-1703.yml
index 3ab3f15bbf..d5caa67124 100644
--- a/windows/release-information/resolved-issues-windows-10-1703.yml
+++ b/windows/release-information/resolved-issues-windows-10-1703.yml
@@ -32,6 +32,7 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 15063.1868
June 11, 2019
KB4503279 | Resolved
KB4503289 | June 18, 2019
02:00 PM PT |
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 15063.1839
May 28, 2019
KB4499162 | Resolved
KB4503279 | June 11, 2019
10:00 AM PT |
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | OS Build 15063.1805
May 14, 2019
KB4499181 | Resolved
KB4505055 | May 19, 2019
02:00 PM PT |
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | OS Build 15063.1784
April 25, 2019
KB4493436 | Resolved
KB4499181 | May 14, 2019
10:00 AM PT |
@@ -62,6 +63,7 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503289.
Back to top | OS Build 15063.1868
June 11, 2019
KB4503279 | Resolved
KB4503289 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
| Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503279.
Back to top | OS Build 15063.1839
May 28, 2019
KB4499162 | Resolved
KB4503279 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT |
"
diff --git a/windows/release-information/resolved-issues-windows-10-1709.yml b/windows/release-information/resolved-issues-windows-10-1709.yml
index 2c1d600e65..0a611e7088 100644
--- a/windows/release-information/resolved-issues-windows-10-1709.yml
+++ b/windows/release-information/resolved-issues-windows-10-1709.yml
@@ -32,6 +32,7 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 16299.1217
June 11, 2019
KB4503284 | Resolved
KB4503281 | June 18, 2019
02:00 PM PT |
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 16299.1182
May 28, 2019
KB4499147 | Resolved
KB4503284 | June 11, 2019
10:00 AM PT |
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | OS Build 16299.1143
May 14, 2019
KB4498946 | Resolved
KB4505062 | May 19, 2019
02:00 PM PT |
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | OS Build 16299.1127
April 25, 2019
KB4493440 | Resolved
KB4499179 | May 14, 2019
10:00 AM PT |
@@ -64,6 +65,7 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503281.
Back to top | OS Build 16299.1217
June 11, 2019
KB4503284 | Resolved
KB4503281 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
| Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503284.
Back to top | OS Build 16299.1182
May 28, 2019
KB4499147 | Resolved
KB4503284 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT |
"
diff --git a/windows/release-information/resolved-issues-windows-10-1803.yml b/windows/release-information/resolved-issues-windows-10-1803.yml
index f30b599296..ae7d8ff09a 100644
--- a/windows/release-information/resolved-issues-windows-10-1803.yml
+++ b/windows/release-information/resolved-issues-windows-10-1803.yml
@@ -32,8 +32,8 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 17134.829
June 11, 2019
KB4503286 | Resolved
KB4503288 | June 18, 2019
02:00 PM PT |
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 17134.799
May 21, 2019
KB4499183 | Resolved
KB4503286 | June 11, 2019
10:00 AM PT |
- Issue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.
See details > | OS Build 17134.648
March 12, 2019
KB4489868 | Resolved
KB4503286 | June 11, 2019
10:00 AM PT |
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | OS Build 17134.765
May 14, 2019
KB4499167 | Resolved
KB4505064 | May 19, 2019
02:00 PM PT |
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | OS Build 17134.753
April 25, 2019
KB4493437 | Resolved
KB4499167 | May 14, 2019
10:00 AM PT |
Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.
See details > | OS Build 17134.753
April 25, 2019
KB4493437 | Resolved
KB4499167 | May 14, 2019
10:00 AM PT |
@@ -65,6 +65,7 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503288.
Back to top | OS Build 17134.829
June 11, 2019
KB4503286 | Resolved
KB4503288 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
| Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503286.
Back to top | OS Build 17134.799
May 21, 2019
KB4499183 | Resolved
KB4503286 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT |
"
@@ -93,7 +94,6 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- Issue using PXE to start a device from WDSAfter installing KB4489868, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4503286.
Back to top | OS Build 17134.648
March 12, 2019
KB4489868 | Resolved
KB4503286 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PT |
Custom URI schemes may not start corresponding applicationAfter installing KB4489868, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493437.
Back to top | OS Build 17134.648
March 12, 2019
KB4489868 | Resolved
KB4493437 | Resolved:
April 25, 2019
02:00 PM PT
Opened:
March 12, 2019
10:00 AM PT |
| End-user-defined characters (EUDC) may cause blue screen at startup If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4493464.
Back to top | OS Build 17134.677
March 19, 2019
KB4489894 | Resolved
KB4493464 | Resolved:
April 09, 2019
10:00 AM PT
Opened:
March 19, 2019
10:00 AM PT |
Stop error when attempting to start SSH from WSLAfter applying KB4489868, a stop error occurs when attempting to start the Secure Shell (SSH) client program from Windows Subsystem for Linux (WSL) with agent forwarding enabled using a command line switch (ssh -A) or a configuration setting.
Affected platforms: - Client: Windows 10, version 1803; Windows 10, version 1709
- Server: Windows Server, version 1803; Windows Server, version 1709
Resolution: This issue was resolved in KB4493464.
Back to top | OS Build 17134.648
March 12, 2019
KB4489868 | Resolved
KB4493464 | Resolved:
April 09, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PT |
diff --git a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
index 1e0221bf45..e0eab68c77 100644
--- a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
+++ b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
@@ -32,6 +32,9 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ Devices with Realtek Bluetooth radios drivers may not pair or connect as expected
Devices with some Realtek Bluetooth radios drivers, in some circumstances, may have issues pairing or connecting to devices.
See details > | OS Build 17763.503
May 14, 2019
KB4494441 | Resolved
KB4501371 | June 18, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 17763.557
June 11, 2019
KB4503327 | Resolved
KB4501371 | June 18, 2019
02:00 PM PT |
+ Printing from Microsoft Edge or other UWP apps may result in the error 0x80070007
Attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) apps, you may receive an error.
See details > | OS Build 17763.379
March 12, 2019
KB4489899 | Resolved
KB4501371 | June 18, 2019
02:00 PM PT |
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 17763.529
May 21, 2019
KB4497934 | Resolved
KB4503327 | June 11, 2019
10:00 AM PT |
Issue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.
See details > | OS Build 17763.379
March 12, 2019
KB4489899 | Resolved
KB4503327 | June 11, 2019
10:00 AM PT |
Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort
Upgrade block: Microsoft has identified issues with certain new Intel display drivers, which accidentally turn on unsupported features in Windows.
See details > | OS Build 17763.134
November 13, 2018
KB4467708 | Resolved
| May 21, 2019
07:42 AM PT |
@@ -74,6 +77,8 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
+ | Devices with Realtek Bluetooth radios drivers may not pair or connect as expected In some circumstances, devices with Realtek Bluetooth radios may have issues pairing or connecting to Bluetooth devices due to a driver issue.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
- Server: Windows Server 2019
Resolution: This issue was resolved in KB4501371.
Back to top | OS Build 17763.503
May 14, 2019
KB4494441 | Resolved
KB4501371 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 14, 2019
05:45 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4501371.
Back to top | OS Build 17763.557
June 11, 2019
KB4503327 | Resolved
KB4501371 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
| Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503327.
Back to top | OS Build 17763.529
May 21, 2019
KB4497934 | Resolved
KB4503327 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT |
"
@@ -83,6 +88,7 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
+ | Printing from Microsoft Edge or other UWP apps may result in the error 0x80070007 When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications you may receive the error, \"Your printer has experienced an unexpected configuration problem. 0x80070007e.\" Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
- Server: Windows Server, version 1809; Windows Server 2019
Resolution: This issue was resolved in KB4501371.
Back to top | OS Build 17763.379
March 12, 2019
KB4489899 | Resolved
KB4501371 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
May 02, 2019
04:47 PM PT |
| Unable to access some gov.uk websites After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms: - Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolved: We have released an \" out-of-band\" update for Windows 10 ( KB4505056) to resolve this issue.
- UK customers: This update will be applied automatically to resolve this issue. You may be required to restart your device again. If you are affected by this issue, Check for updates to apply the update immediately.
- Customers outside of the UK: This update will not be applied automatically. If you are affected by this issue, we recommend you apply this update by installing KB4505056 from Windows Update and then restarting your device.
To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505056, search for it in the Microsoft Update Catalog.
Back to top | OS Build 17763.503
May 14, 2019
KB4494441 | Resolved
KB4505056 | Resolved:
May 19, 2019
02:00 PM PT
Opened:
May 16, 2019
01:57 PM PT |
| Windows 10, version 1809 update history may show an update installed twice Affected platforms: - Client: Windows 10, version 1809
Cause: In certain situations, installing an update requires multiple download and restart steps. In cases where two intermediate steps of the installation complete successfully, the View your Update history page will report that installation completed successfully twice.
Resolution: No action is required on your part. The update installation may take longer and may require more than one restart, but will install successfully after all intermediate installation steps have completed. We are working on improving this update experience to ensure the Update history correctly reflects the installation of the latest cumulative update (LCU).
Back to top | OS Build 17763.503
May 14, 2019
KB4494441 | Resolved
| Resolved:
May 16, 2019
02:37 PM PT
Opened:
May 14, 2019
02:56 PM PT |
| Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.
Back to top | OS Build 17763.475
May 03, 2019
KB4495667 | Resolved
KB4494441 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
May 10, 2019
10:35 AM PT |
diff --git a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
index 3f1f8ce7af..2c5038bcff 100644
--- a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
+++ b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
@@ -32,6 +32,8 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
See details > | May 14, 2019
KB4499164 | Resolved
KB4503277 | June 20, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503292 | Resolved
KB4503277 | June 20, 2019
02:00 PM PT |
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | May 14, 2019
KB4499164 | Resolved
KB4505050 | May 18, 2019
02:00 PM PT |
System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.
See details > | April 09, 2019
KB4493472 | Resolved
| May 14, 2019
01:23 PM PT |
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details > | April 09, 2019
KB4493472 | Resolved
| May 14, 2019
01:22 PM PT |
@@ -59,6 +61,16 @@ sections:
"
+- title: June 2019
+- items:
+ - type: markdown
+ text: "
+ | Details | Originating update | Status | History |
+ | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Resolution: This issue was resolved in Preview Rollup KB4503277. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.
Back to top | May 14, 2019
KB4499164 | Resolved
KB4503277 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 07, 2019
02:57 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503277. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503292 | Resolved
KB4503277 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
+
+ "
+
- title: May 2019
- items:
- type: markdown
diff --git a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
index 71310515c7..45706d7e3c 100644
--- a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
+++ b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
@@ -32,6 +32,8 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
See details > | May 14, 2019
KB4499151 | Resolved
KB4503283 | June 20, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503276 | Resolved
KB4503283 | June 20, 2019
02:00 PM PT |
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
See details > | March 12, 2019
KB4489881 | Resolved
KB4503276 | June 11, 2019
10:00 AM PT |
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | May 14, 2019
KB4499151 | Resolved
KB4505050 | May 18, 2019
02:00 PM PT |
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | April 25, 2019
KB4493443 | Resolved
KB4499151 | May 14, 2019
10:00 AM PT |
@@ -60,6 +62,16 @@ sections:
"
+- title: June 2019
+- items:
+ - type: markdown
+ text: "
+ | Details | Originating update | Status | History |
+ | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Resolution: This issue was resolved in Preview Rollup KB4503283. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.
Back to top | May 14, 2019
KB4499151 | Resolved
KB4503283 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 07, 2019
02:57 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503283. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503276 | Resolved
KB4503283 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
+
+ "
+
- title: May 2019
- items:
- type: markdown
diff --git a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
index 251a66b50a..9d094123ba 100644
--- a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
+++ b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
@@ -32,6 +32,7 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503273 | Resolved
KB4503271 | June 20, 2019
02:00 PM PT |
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details > | April 09, 2019
KB4493471 | Resolved
| May 14, 2019
01:21 PM PT |
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.
See details > | April 09, 2019
KB4493471 | Resolved
| May 14, 2019
01:19 PM PT |
Authentication may fail for services after the Kerberos ticket expires
Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.
See details > | March 12, 2019
KB4489880 | Resolved
KB4499149 | May 14, 2019
10:00 AM PT |
@@ -52,6 +53,15 @@ sections:
"
+- title: June 2019
+- items:
+ - type: markdown
+ text: "
+ | Details | Originating update | Status | History |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503271. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503273 | Resolved
KB4503271 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
+
+ "
+
- title: April 2019
- items:
- type: markdown
diff --git a/windows/release-information/resolved-issues-windows-server-2012.yml b/windows/release-information/resolved-issues-windows-server-2012.yml
index 144e2d3484..2735e58837 100644
--- a/windows/release-information/resolved-issues-windows-server-2012.yml
+++ b/windows/release-information/resolved-issues-windows-server-2012.yml
@@ -32,6 +32,8 @@ sections:
- type: markdown
text: "
| Summary | Originating update | Status | Date resolved |
+ IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
See details > | May 14, 2019
KB4499171 | Resolved
KB4503295 | June 21, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503285 | Resolved
KB4503295 | June 20, 2019
02:00 PM PT |
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
See details > | March 12, 2019
KB4489891 | Resolved
KB4503285 | June 11, 2019
10:00 AM PT |
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | May 14, 2019
KB4499171 | Resolved
KB4505050 | May 18, 2019
02:00 PM PT |
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | April 25, 2019
KB4493462 | Resolved
KB4499171 | May 14, 2019
10:00 AM PT |
@@ -57,6 +59,16 @@ sections:
"
+- title: June 2019
+- items:
+ - type: markdown
+ text: "
+ | Details | Originating update | Status | History |
+ | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Resolution: This issue was resolved in Preview Rollup KB4503295. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.
Back to top | May 14, 2019
KB4499171 | Resolved
KB4503295 | Resolved:
June 21, 2019
02:00 PM PT
Opened:
June 07, 2019
02:57 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503295. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503285 | Resolved
KB4503295 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
+
+ "
+
- title: May 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml
index 6a2eec1758..038724ee59 100644
--- a/windows/release-information/status-windows-10-1507.yml
+++ b/windows/release-information/status-windows-10-1507.yml
@@ -29,17 +29,17 @@ sections:
columns: 3
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -60,9 +60,8 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
- Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 10240.18244
June 11, 2019
KB4503291 | Mitigated
| June 12, 2019
05:43 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 10240.18244
June 11, 2019
KB4503291 | Mitigated
| June 13, 2019
02:21 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details > | OS Build 10240.18094
January 08, 2019
KB4480962 | Mitigated
| April 25, 2019
02:00 PM PT |
- Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | OS Build 10240.18215
May 14, 2019
KB4499154 | Resolved
KB4505051 | May 19, 2019
02:00 PM PT |
"
@@ -78,16 +77,7 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the error using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To workaround this issue, see KB4508640.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 10240.18244
June 11, 2019
KB4503291 | Mitigated
| Last updated:
June 12, 2019
05:43 PM PT
Opened:
June 12, 2019
11:11 AM PT |
-
- "
-
-- title: May 2019
-- items:
- - type: markdown
- text: "
- | Details | Originating update | Status | History |
- | Unable to access some gov.uk websites After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms: - Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: We have released an \"optional, out-of-band\" update for Windows 10 ( KB4505051) to resolve this issue. If you are affected, we recommend you apply this update by installing KB4505051 from Windows Update and then restarting your device.
This update will not be applied automatically. To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505051, search for it in the Microsoft Update Catalog.
Back to top | OS Build 10240.18215
May 14, 2019
KB4499154 | Resolved
KB4505051 | Resolved:
May 19, 2019
02:00 PM PT
Opened:
May 16, 2019
01:57 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To mitigate this issue, see KB4508640.
Next steps: We are working on a resolution and estimate a solution will be available in late June.
Back to top | OS Build 10240.18244
June 11, 2019
KB4503291 | Mitigated
| Last updated:
June 13, 2019
02:21 PM PT
Opened:
June 12, 2019
11:11 AM PT |
"
diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
index 9ed4799d06..ec7077699a 100644
--- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
+++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
@@ -29,17 +29,17 @@ sections:
columns: 3
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -60,19 +60,17 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
- Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 14393.3025
June 11, 2019
KB4503267 | Mitigated
| June 12, 2019
05:43 PM PT |
+ Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details > | OS Build 14393.2999
May 23, 2019
KB4499177 | Acknowledged
| June 20, 2019
04:46 PM PT |
Some applications may fail to run as expected on clients of AD FS 2016
Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016)
See details > | OS Build 14393.2941
April 25, 2019
KB4493473 | Mitigated
| June 07, 2019
04:25 PM PT |
Devices running Windows Server 2016 with Hyper-V seeing Bitlocker error 0xC0210000
Some devices running Windows Server with Hyper-V enabled may start into Bitlocker recovery with error 0xC0210000
See details > | OS Build 14393.2969
May 14, 2019
KB4494440 | Mitigated
| May 23, 2019
09:57 AM PT |
Cluster service may fail if the minimum password length is set to greater than 14
The cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters.
See details > | OS Build 14393.2639
November 27, 2018
KB4467684 | Mitigated
| April 25, 2019
02:00 PM PT |
SCVMM cannot enumerate and manage logical switches deployed on the host
For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host.
See details > | OS Build 14393.2639
November 27, 2018
KB4467684 | Mitigated
| April 25, 2019
02:00 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details > | OS Build 14393.2724
January 08, 2019
KB4480961 | Mitigated
| April 25, 2019
02:00 PM PT |
Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.
See details > | OS Build 14393.2608
November 13, 2018
KB4467691 | Mitigated
| February 19, 2019
10:00 AM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 14393.3025
June 11, 2019
KB4503267 | Resolved
KB4503294 | June 18, 2019
02:00 PM PT |
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 14393.2999
May 23, 2019
KB4499177 | Resolved
KB4503267 | June 11, 2019
10:00 AM PT |
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
See details > | OS Build 14393.2848
March 12, 2019
KB4489882 | Resolved
KB4503267 | June 11, 2019
10:00 AM PT |
Update not showing as applicable through WSUS or SCCM or when manually installed
Update not showing as applicable through WSUS or SCCM or when manually installed
See details > | OS Build 14393.2969
May 14, 2019
KB4494440 | Resolved
KB4498947 | May 14, 2019
10:00 AM PT |
- Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | OS Build 14393.2969
May 14, 2019
KB4494440 | Resolved
KB4505052 | May 19, 2019
02:00 PM PT |
- Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | OS Build 14393.2941
April 25, 2019
KB4493473 | Resolved
KB4494440 | May 14, 2019
10:00 AM PT |
- Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.
See details > | OS Build 14393.2941
April 25, 2019
KB4493473 | Resolved
KB4494440 | May 14, 2019
10:00 AM PT |
"
@@ -88,8 +86,9 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the error using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To workaround this issue, see KB4508640.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 14393.3025
June 11, 2019
KB4503267 | Mitigated
| Last updated:
June 12, 2019
05:43 PM PT
Opened:
June 12, 2019
11:11 AM PT |
+ Difficulty connecting to some iSCSI-based SANsDevices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499177.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server 2019; Windows Server 2016
Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.
Back to top | OS Build 14393.2999
May 23, 2019
KB4499177 | Acknowledged
| Last updated:
June 20, 2019
04:46 PM PT
Opened:
June 20, 2019
04:46 PM PT |
Some applications may fail to run as expected on clients of AD FS 2016Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016) after installation of KB4493473 on the server. Applications that may exhibit this behavior use an IFRAME during non-interactive authentication requests and receive X-Frame Options set to DENY.
Affected platforms: - Server: Windows Server 2016
Workaround: You can use the Allow-From value of the header if the IFRAME is only accessing pages from a single-origin URL. On the affected server, open a PowerShell window as an administrator and run the following command: set-AdfsResponseHeaders -SetHeaderName X-Frame-Options -SetHeaderValue \"allow-from https://example.com\"
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 14393.2941
April 25, 2019
KB4493473 | Mitigated
| Last updated:
June 07, 2019
04:25 PM PT
Opened:
June 04, 2019
05:55 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503294.
Back to top | OS Build 14393.3025
June 11, 2019
KB4503267 | Resolved
KB4503294 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
| Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503267.
Back to top | OS Build 14393.2999
May 23, 2019
KB4499177 | Resolved
KB4503267 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT |
"
@@ -101,17 +100,6 @@ sections:
| Details | Originating update | Status | History |
Devices running Windows Server 2016 with Hyper-V seeing Bitlocker error 0xC0210000Some devices running Windows Server 2016 with Hyper-V enabled may enter Bitlocker recovery mode and receive an error, \"0xC0210000\" after installing KB4494440 and restarting.
Note Windows 10, version 1607 may also be affected when Bitlocker and Hyper-V are both enabled.
Affected platforms: - Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2016
Workaround: If your device is already in this state, you can successfully start Windows after suspending Bitlocker from the Windows Recovery Environment (WinRE) using the following steps: - Retrieve the 48 digit Bitlocker recovery password for the OS volume from your organization's portal or from wherever the key was stored when Bitlocker was first enabled.
- From the recovery screen, press the enter key and enter the recovery password when prompted.
- If your device starts in the Windows Recovery Environment and asks for recovery key again, select Skip the drive to continue to WinRE.
- select Advanced options then Troubleshoot then Advanced options then Command Prompt.
- Unlock OS drive using the command: Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by “-“ in 6 digit group>
- Suspend Bitlocker using the command: Manage-bde -protectors -disable c:
- Exit the command window using the command: exit
- Select Continue from recovery environment.
- The device should now start Windows.
- Once started, launch an Administrator Command Prompt and resume the Bitlocker to ensure the system remains protected, using the command: Manage-bde -protectors -enable c:
Note The workaround needs to be followed on every system restart unless Bitlocker is suspended before restarting.
To prevent this issue, execute the following command to temporarily suspend Bitlocker just before restarting the system: Manage-bde -protectors -disable c: -rc 1 Note This command will suspend Bitlocker for 1 restart of the device (-rc 1 option only works inside OS and does not work from recovery environment).
Next steps: Microsoft is presently investigating this issue and will provide an update when available.
Back to top | OS Build 14393.2969
May 14, 2019
KB4494440 | Mitigated
| Last updated:
May 23, 2019
09:57 AM PT
Opened:
May 21, 2019
08:50 AM PT |
Update not showing as applicable through WSUS or SCCM or when manually installedKB4494440 or later updates may not show as applicable through WSUS or SCCM to the affected platforms. When manually installing the standalone update from Microsoft Update Catalog, it may fail to install with the error, \"The update is not applicable to your computer.\"
Affected platforms: - Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2016
Resolution: The servicing stack update (SSU) ( KB4498947) must be installed before installing the latest cumulative update (LCU). The LCU will not be reported as applicable until the SSU is installed. For more information, see Servicing stack updates.
Back to top | OS Build 14393.2969
May 14, 2019
KB4494440 | Resolved
KB4498947 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
May 24, 2019
04:20 PM PT |
- | Unable to access some gov.uk websites After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms: - Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: We have released an \"optional, out-of-band\" update for Windows 10 ( KB4505052) to resolve this issue. If you are affected, we recommend you apply this update by installing KB4505052 from Windows Update and then restarting your device.
This update will not be applied automatically. To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505052, search for it in the Microsoft Update Catalog.
Back to top | OS Build 14393.2969
May 14, 2019
KB4494440 | Resolved
KB4505052 | Resolved:
May 19, 2019
02:00 PM PT
Opened:
May 16, 2019
01:57 PM PT |
- | Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.
Back to top | OS Build 14393.2941
April 25, 2019
KB4493473 | Resolved
KB4494440 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
May 10, 2019
10:35 AM PT |
-
- "
-
-- title: April 2019
-- items:
- - type: markdown
- text: "
- | Details | Originating update | Status | History |
- Zone transfers over TCP may failZone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail after installing KB4493473. Affected platforms: - Client: Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4494440.
Back to top | OS Build 14393.2941
April 25, 2019
KB4493473 | Resolved
KB4494440 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
April 25, 2019
02:00 PM PT |
"
diff --git a/windows/release-information/status-windows-10-1703.yml b/windows/release-information/status-windows-10-1703.yml
index c30a03c5ce..5ec2421765 100644
--- a/windows/release-information/status-windows-10-1703.yml
+++ b/windows/release-information/status-windows-10-1703.yml
@@ -29,17 +29,17 @@ sections:
columns: 3
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -60,11 +60,10 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
- Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 15063.1868
June 11, 2019
KB4503279 | Mitigated
| June 12, 2019
05:43 PM PT |
+ Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details > | OS Build 15063.1839
May 28, 2019
KB4499162 | Acknowledged
| June 20, 2019
04:46 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details > | OS Build 15063.1563
January 08, 2019
KB4480973 | Mitigated
| April 25, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 15063.1868
June 11, 2019
KB4503279 | Resolved
KB4503289 | June 18, 2019
02:00 PM PT |
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 15063.1839
May 28, 2019
KB4499162 | Resolved
KB4503279 | June 11, 2019
10:00 AM PT |
- Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | OS Build 15063.1805
May 14, 2019
KB4499181 | Resolved
KB4505055 | May 19, 2019
02:00 PM PT |
- Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | OS Build 15063.1784
April 25, 2019
KB4493436 | Resolved
KB4499181 | May 14, 2019
10:00 AM PT |
"
@@ -80,21 +79,12 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the error using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To workaround this issue, see KB4508640.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 15063.1868
June 11, 2019
KB4503279 | Mitigated
| Last updated:
June 12, 2019
05:43 PM PT
Opened:
June 12, 2019
11:11 AM PT |
+ Difficulty connecting to some iSCSI-based SANsDevices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499162.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server 2019; Windows Server 2016
Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.
Back to top | OS Build 15063.1839
May 28, 2019
KB4499162 | Acknowledged
| Last updated:
June 20, 2019
04:46 PM PT
Opened:
June 20, 2019
04:46 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503289.
Back to top | OS Build 15063.1868
June 11, 2019
KB4503279 | Resolved
KB4503289 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
| Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503279.
Back to top | OS Build 15063.1839
May 28, 2019
KB4499162 | Resolved
KB4503279 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT |
"
-- title: May 2019
-- items:
- - type: markdown
- text: "
- | Details | Originating update | Status | History |
- | Unable to access some gov.uk websites After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms: - Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: We have released an \"optional, out-of-band\" update for Windows 10 ( KB4505055) to resolve this issue. If you are affected, we recommend you apply this update by installing KB4505055 from Windows Update and then restarting your device.
This update will not be applied automatically. To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505055, search for it in the Microsoft Update Catalog.
Back to top | OS Build 15063.1805
May 14, 2019
KB4499181 | Resolved
KB4505055 | Resolved:
May 19, 2019
02:00 PM PT
Opened:
May 16, 2019
01:57 PM PT |
- | Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.
Back to top | OS Build 15063.1784
April 25, 2019
KB4493436 | Resolved
KB4499181 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
May 10, 2019
10:35 AM PT |
-
- "
-
- title: January 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml
index d6799cbaca..f4b8bfb9f2 100644
--- a/windows/release-information/status-windows-10-1709.yml
+++ b/windows/release-information/status-windows-10-1709.yml
@@ -29,17 +29,17 @@ sections:
columns: 3
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -60,12 +60,10 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
- Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 16299.1217
June 11, 2019
KB4503284 | Mitigated
| June 12, 2019
05:43 PM PT |
+ Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details > | OS Build 16299.1182
May 28, 2019
KB4499147 | Acknowledged
| June 20, 2019
04:46 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details > | OS Build 16299.904
January 08, 2019
KB4480978 | Mitigated
| April 25, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 16299.1217
June 11, 2019
KB4503284 | Resolved
KB4503281 | June 18, 2019
02:00 PM PT |
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 16299.1182
May 28, 2019
KB4499147 | Resolved
KB4503284 | June 11, 2019
10:00 AM PT |
- Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | OS Build 16299.1143
May 14, 2019
KB4498946 | Resolved
KB4505062 | May 19, 2019
02:00 PM PT |
- Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | OS Build 16299.1127
April 25, 2019
KB4493440 | Resolved
KB4499179 | May 14, 2019
10:00 AM PT |
- Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.
See details > | OS Build 16299.1127
April 25, 2019
KB4493440 | Resolved
KB4499179 | May 14, 2019
10:00 AM PT |
"
@@ -81,30 +79,12 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the error using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To workaround this issue, see KB4508640.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 16299.1217
June 11, 2019
KB4503284 | Mitigated
| Last updated:
June 12, 2019
05:43 PM PT
Opened:
June 12, 2019
11:11 AM PT |
+ Difficulty connecting to some iSCSI-based SANsDevices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499147.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server 2019; Windows Server 2016
Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.
Back to top | OS Build 16299.1182
May 28, 2019
KB4499147 | Acknowledged
| Last updated:
June 20, 2019
04:46 PM PT
Opened:
June 20, 2019
04:46 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503281.
Back to top | OS Build 16299.1217
June 11, 2019
KB4503284 | Resolved
KB4503281 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
| Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503284.
Back to top | OS Build 16299.1182
May 28, 2019
KB4499147 | Resolved
KB4503284 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT |
"
-- title: May 2019
-- items:
- - type: markdown
- text: "
- | Details | Originating update | Status | History |
- | Unable to access some gov.uk websites After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms: - Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolved: We have released an \" out-of-band\" update for Windows 10 ( KB4505062) to resolve this issue.
- UK customers: This update will be applied automatically to resolve this issue. You may be required to restart your device again. If you are affected by this issue, Check for updates to apply the update immediately.
- Customers outside of the UK: This update will not be applied automatically. If you are affected by this issue, we recommend you apply this update by installing KB4505062 from Windows Update and then restarting your device.
To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505062, search for it in the Microsoft Update Catalog.
Back to top | OS Build 16299.1143
May 14, 2019
KB4498946 | Resolved
KB4505062 | Resolved:
May 19, 2019
02:00 PM PT
Opened:
May 16, 2019
01:57 PM PT |
- | Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.
Back to top | OS Build 16299.1127
April 25, 2019
KB4493440 | Resolved
KB4499179 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
May 10, 2019
10:35 AM PT |
-
- "
-
-- title: April 2019
-- items:
- - type: markdown
- text: "
- | Details | Originating update | Status | History |
- Zone transfers over TCP may failZone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail after installing KB4493440. Affected platforms: - Client: Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4499179.
Back to top | OS Build 16299.1127
April 25, 2019
KB4493440 | Resolved
KB4499179 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
April 25, 2019
02:00 PM PT |
-
- "
-
- title: January 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml
index 1f4862558b..d65714ef59 100644
--- a/windows/release-information/status-windows-10-1803.yml
+++ b/windows/release-information/status-windows-10-1803.yml
@@ -29,17 +29,17 @@ sections:
columns: 3
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -60,13 +60,11 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
- Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 17134.829
June 11, 2019
KB4503286 | Mitigated
| June 12, 2019
05:43 PM PT |
+ Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details > | OS Build 17134.799
May 21, 2019
KB4499183 | Acknowledged
| June 20, 2019
04:46 PM PT |
+ Startup to a black screen after installing updates
Your device may startup to a black screen during the first logon after installing updates.
See details > | OS Build 17134.829
June 11, 2019
KB4503286 | Mitigated
| June 14, 2019
04:41 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details > | OS Build 17134.523
January 08, 2019
KB4480966 | Mitigated
| April 25, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 17134.829
June 11, 2019
KB4503286 | Resolved
KB4503288 | June 18, 2019
02:00 PM PT |
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 17134.799
May 21, 2019
KB4499183 | Resolved
KB4503286 | June 11, 2019
10:00 AM PT |
- Issue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.
See details > | OS Build 17134.648
March 12, 2019
KB4489868 | Resolved
KB4503286 | June 11, 2019
10:00 AM PT |
- Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | OS Build 17134.765
May 14, 2019
KB4499167 | Resolved
KB4505064 | May 19, 2019
02:00 PM PT |
- Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | OS Build 17134.753
April 25, 2019
KB4493437 | Resolved
KB4499167 | May 14, 2019
10:00 AM PT |
- Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.
See details > | OS Build 17134.753
April 25, 2019
KB4493437 | Resolved
KB4499167 | May 14, 2019
10:00 AM PT |
"
@@ -82,39 +80,13 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the error using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To workaround this issue, see KB4508640.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 17134.829
June 11, 2019
KB4503286 | Mitigated
| Last updated:
June 12, 2019
05:43 PM PT
Opened:
June 12, 2019
11:11 AM PT |
+ Difficulty connecting to some iSCSI-based SANsDevices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499183.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server 2019; Windows Server 2016
Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.
Back to top | OS Build 17134.799
May 21, 2019
KB4499183 | Acknowledged
| Last updated:
June 20, 2019
04:46 PM PT
Opened:
June 20, 2019
04:46 PM PT |
+ | Startup to a black screen after installing updates We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803
- Server: Windows Server 2019
Workaround: To mitigate this issue, press Ctrl+Alt+Delete, then select the Power button in the lower right corner of the screen and select Restart. Your device should now restart normally.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 17134.829
June 11, 2019
KB4503286 | Mitigated
| Last updated:
June 14, 2019
04:41 PM PT
Opened:
June 14, 2019
04:41 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503288.
Back to top | OS Build 17134.829
June 11, 2019
KB4503286 | Resolved
KB4503288 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
| Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503286.
Back to top | OS Build 17134.799
May 21, 2019
KB4499183 | Resolved
KB4503286 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT |
"
-- title: May 2019
-- items:
- - type: markdown
- text: "
- | Details | Originating update | Status | History |
- | Unable to access some gov.uk websites After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms: - Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolved: We have released an \" out-of-band\" update for Windows 10 ( KB4505064) to resolve this issue.
- UK customers: This update will be applied automatically to resolve this issue. You may be required to restart your device again. If you are affected by this issue, Check for updates to apply the update immediately.
- Customers outside of the UK: This update will not be applied automatically. If you are affected by this issue, we recommend you apply this update by installing KB4505064 from Windows Update and then restarting your device.
To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505064, search for it in the Microsoft Update Catalog.
Back to top | OS Build 17134.765
May 14, 2019
KB4499167 | Resolved
KB4505064 | Resolved:
May 19, 2019
02:00 PM PT
Opened:
May 16, 2019
01:57 PM PT |
- | Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.
Back to top | OS Build 17134.753
April 25, 2019
KB4493437 | Resolved
KB4499167 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
May 10, 2019
10:35 AM PT |
-
- "
-
-- title: April 2019
-- items:
- - type: markdown
- text: "
- | Details | Originating update | Status | History |
- Zone transfers over TCP may failZone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail after installing KB4493437. Affected platforms: - Client: Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4499167.
Back to top | OS Build 17134.753
April 25, 2019
KB4493437 | Resolved
KB4499167 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
April 25, 2019
02:00 PM PT |
-
- "
-
-- title: March 2019
-- items:
- - type: markdown
- text: "
- | Details | Originating update | Status | History |
- Issue using PXE to start a device from WDSAfter installing KB4489868, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4503286.
Back to top | OS Build 17134.648
March 12, 2019
KB4489868 | Resolved
KB4503286 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PT |
-
- "
-
- title: January 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
index af3528cf49..fa30c7a779 100644
--- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
+++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
@@ -34,17 +34,17 @@ sections:
columns: 3
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -65,17 +65,15 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
- Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 17763.557
June 11, 2019
KB4503327 | Mitigated
| June 12, 2019
05:43 PM PT |
+ Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details > | OS Build 17763.529
May 21, 2019
KB4497934 | Acknowledged
| June 20, 2019
04:46 PM PT |
+ Startup to a black screen after installing updates
Your device may startup to a black screen during the first logon after installing updates.
See details > | OS Build 17763.557
June 11, 2019
KB4503327 | Mitigated
| June 14, 2019
04:41 PM PT |
Devices with some Asian language packs installed may receive an error
After installing the KB4493509 devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_F
See details > | OS Build 17763.437
April 09, 2019
KB4493509 | Mitigated
| May 03, 2019
10:59 AM PT |
- Printing from Microsoft Edge or other UWP apps, you may receive the error 0x80070007
Attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications, you may receive an error.
See details > | OS Build 17763.379
March 12, 2019
KB4489899 | Mitigated
| May 02, 2019
04:47 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details > | OS Build 17763.253
January 08, 2019
KB4480116 | Mitigated
| April 09, 2019
10:00 AM PT |
+ Devices with Realtek Bluetooth radios drivers may not pair or connect as expected
Devices with some Realtek Bluetooth radios drivers, in some circumstances, may have issues pairing or connecting to devices.
See details > | OS Build 17763.503
May 14, 2019
KB4494441 | Resolved
KB4501371 | June 18, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 17763.557
June 11, 2019
KB4503327 | Resolved
KB4501371 | June 18, 2019
02:00 PM PT |
+ Printing from Microsoft Edge or other UWP apps may result in the error 0x80070007
Attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) apps, you may receive an error.
See details > | OS Build 17763.379
March 12, 2019
KB4489899 | Resolved
KB4501371 | June 18, 2019
02:00 PM PT |
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details > | OS Build 17763.529
May 21, 2019
KB4497934 | Resolved
KB4503327 | June 11, 2019
10:00 AM PT |
Issue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.
See details > | OS Build 17763.379
March 12, 2019
KB4489899 | Resolved
KB4503327 | June 11, 2019
10:00 AM PT |
- Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort
Upgrade block: Microsoft has identified issues with certain new Intel display drivers, which accidentally turn on unsupported features in Windows.
See details > | OS Build 17763.134
November 13, 2018
KB4467708 | Resolved
| May 21, 2019
07:42 AM PT |
- Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | OS Build 17763.503
May 14, 2019
KB4494441 | Resolved
KB4505056 | May 19, 2019
02:00 PM PT |
- Windows 10, version 1809 update history may show an update installed twice
Some customers are reporting that KB4494441 installed twice on their device
See details > | OS Build 17763.503
May 14, 2019
KB4494441 | Resolved
| May 16, 2019
02:37 PM PT |
- Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | OS Build 17763.475
May 03, 2019
KB4495667 | Resolved
KB4494441 | May 14, 2019
10:00 AM PT |
- Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.
See details > | OS Build 17763.475
May 03, 2019
KB4495667 | Resolved
KB4494441 | May 14, 2019
10:00 AM PT |
"
@@ -91,7 +89,10 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the error using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To workaround this issue, see KB4508640.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 17763.557
June 11, 2019
KB4503327 | Mitigated
| Last updated:
June 12, 2019
05:43 PM PT
Opened:
June 12, 2019
11:11 AM PT |
+ Difficulty connecting to some iSCSI-based SANsDevices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4497934.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server 2019; Windows Server 2016
Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.
Back to top | OS Build 17763.529
May 21, 2019
KB4497934 | Acknowledged
| Last updated:
June 20, 2019
04:46 PM PT
Opened:
June 20, 2019
04:46 PM PT |
+ | Startup to a black screen after installing updates We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803
- Server: Windows Server 2019
Workaround: To mitigate this issue, press Ctrl+Alt+Delete, then select the Power button in the lower right corner of the screen and select Restart. Your device should now restart normally.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 17763.557
June 11, 2019
KB4503327 | Mitigated
| Last updated:
June 14, 2019
04:41 PM PT
Opened:
June 14, 2019
04:41 PM PT |
+ | Devices with Realtek Bluetooth radios drivers may not pair or connect as expected In some circumstances, devices with Realtek Bluetooth radios may have issues pairing or connecting to Bluetooth devices due to a driver issue.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
- Server: Windows Server 2019
Resolution: This issue was resolved in KB4501371.
Back to top | OS Build 17763.503
May 14, 2019
KB4494441 | Resolved
KB4501371 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 14, 2019
05:45 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4501371.
Back to top | OS Build 17763.557
June 11, 2019
KB4503327 | Resolved
KB4501371 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
| Opening Internet Explorer 11 may fail Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4503327.
Back to top | OS Build 17763.529
May 21, 2019
KB4497934 | Resolved
KB4503327 | Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT |
"
@@ -102,11 +103,7 @@ sections:
text: "
| Details | Originating update | Status | History |
Devices with some Asian language packs installed may receive an errorAfter installing the April 2019 Cumulative Update ( KB4493509), devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
- Server: Windows Server, version 1809; Windows Server 2019
Workaround: - Uninstall and reinstall any recently added language packs. For instructions, see \"Manage the input and display language settings in Windows 10\".
- Click Check for Updates and install the April 2019 Cumulative Update. For instructions, see \"Update Windows 10\".
Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows: - Go to Settings app -> Recovery.
- Click on Get Started under \"Reset this PC\" recovery option.
- Select \"Keep my Files\".
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 17763.437
April 09, 2019
KB4493509 | Mitigated
| Last updated:
May 03, 2019
10:59 AM PT
Opened:
May 02, 2019
04:36 PM PT |
- | Printing from Microsoft Edge or other UWP apps, you may receive the error 0x80070007 When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications you may receive the error, \"Your printer has experienced an unexpected configuration problem. 0x80070007e.\" Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
- Server: Windows Server, version 1809; Windows Server 2019
Workaround: You can use another browser, such as Internet Explorer to print your documents. Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 17763.379
March 12, 2019
KB4489899 | Mitigated
| Last updated:
May 02, 2019
04:47 PM PT
Opened:
May 02, 2019
04:47 PM PT |
- | Unable to access some gov.uk websites After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms: - Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolved: We have released an \" out-of-band\" update for Windows 10 ( KB4505056) to resolve this issue.
- UK customers: This update will be applied automatically to resolve this issue. You may be required to restart your device again. If you are affected by this issue, Check for updates to apply the update immediately.
- Customers outside of the UK: This update will not be applied automatically. If you are affected by this issue, we recommend you apply this update by installing KB4505056 from Windows Update and then restarting your device.
To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505056, search for it in the Microsoft Update Catalog.
Back to top | OS Build 17763.503
May 14, 2019
KB4494441 | Resolved
KB4505056 | Resolved:
May 19, 2019
02:00 PM PT
Opened:
May 16, 2019
01:57 PM PT |
- | Windows 10, version 1809 update history may show an update installed twice Affected platforms: - Client: Windows 10, version 1809
Cause: In certain situations, installing an update requires multiple download and restart steps. In cases where two intermediate steps of the installation complete successfully, the View your Update history page will report that installation completed successfully twice.
Resolution: No action is required on your part. The update installation may take longer and may require more than one restart, but will install successfully after all intermediate installation steps have completed. We are working on improving this update experience to ensure the Update history correctly reflects the installation of the latest cumulative update (LCU).
Back to top | OS Build 17763.503
May 14, 2019
KB4494441 | Resolved
| Resolved:
May 16, 2019
02:37 PM PT
Opened:
May 14, 2019
02:56 PM PT |
- | Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.
Back to top | OS Build 17763.475
May 03, 2019
KB4495667 | Resolved
KB4494441 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
May 10, 2019
10:35 AM PT |
- Zone transfers over TCP may failZone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail after installing KB4495667. Affected platforms: - Client: Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
- Server: Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4494441.
Back to top | OS Build 17763.475
May 03, 2019
KB4495667 | Resolved
KB4494441 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
May 14, 2019
01:19 PM PT |
+ | Printing from Microsoft Edge or other UWP apps may result in the error 0x80070007 When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications you may receive the error, \"Your printer has experienced an unexpected configuration problem. 0x80070007e.\" Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
- Server: Windows Server, version 1809; Windows Server 2019
Resolution: This issue was resolved in KB4501371.
Back to top | OS Build 17763.379
March 12, 2019
KB4489899 | Resolved
KB4501371 | Resolved:
June 18, 2019
02:00 PM PT
Opened:
May 02, 2019
04:47 PM PT |
"
@@ -127,12 +124,3 @@ sections:
| Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following: - Perform the operation from a process that has administrator privilege.
- Perform the operation from a node that doesn’t have CSV ownership.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 17763.253
January 08, 2019
KB4480116 | Mitigated
| Last updated:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PT |
"
-
-- title: November 2018
-- items:
- - type: markdown
- text: "
- | Details | Originating update | Status | History |
- | Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort Upgrade block: Microsoft has identified issues with certain new Intel display drivers. Intel inadvertently released versions of its display driver (versions 24.20.100.6344, 24.20.100.6345) to OEMs that accidentally turned on unsupported features in Windows. As a result, after updating to Windows 10, version 1809, audio playback from a monitor or television connected to a PC via HDMI, USB-C, or a DisplayPort may not function correctly on devices with these drivers. Note: This Intel display driver issue is different from the Intel Smart Sound Technology driver (version 09.21.00.3755) audio issue previously documented.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
- Server: Windows Server, version 1809; Windows Server 2019
Next steps: Intel has released updated drivers to OEM device manufacturers. OEMs need to make the updated driver available via Windows Update. For more information, see the Intel Customer Support article.
Resolution: Microsoft has removed the safeguard hold.
Back to top | OS Build 17763.134
November 13, 2018
KB4467708 | Resolved
| Resolved:
May 21, 2019
07:42 AM PT
Opened:
November 13, 2018
10:00 AM PT |
-
- "
diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml
index 713ffe86b5..b4cca0b008 100644
--- a/windows/release-information/status-windows-10-1903.yml
+++ b/windows/release-information/status-windows-10-1903.yml
@@ -21,8 +21,9 @@ sections:
Find information on known issues for Windows 10, version 1903 and Windows Server, version 1903. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
-Current status as of June 11, 2019:
- Windows 10, version 1903 is available for any user who manually selects “Check for updates” via Windows Update for all devices that do not have a safeguard hold. If you are not offered the update, please check below for any known issues that may affect your device. The recommended servicing status is Semi-Annual Channel. The June monthly update is now available for all versions of Windows 10. Microsoft strongly recommends you keep your Windows devices, regardless of which version of Windows they are running, up to date with the latest monthly updates. Monthly updates are critical to device security and ecosystem health, and help mitigate the evolving threat landscape. Note Follow @WindowsUpdate to find out when new content is published to the release information dashboard. | Current status as of June 18, 2019:
+ Windows 10, version 1903 is available for any user who manually selects “Check for updates” via Windows Update for all devices that do not have a safeguard hold. If you are not offered the update, please check below for any known issues that may affect your device. The recommended servicing status is Semi-Annual Channel. We are now beginning to build and train the machine learning (ML) based rollout process to update devices running the April 2018 Update, and earlier versions of Windows 10, to ensure we can continue to service these devices and provide the latest updates, security updates and improvements. Note Follow @WindowsUpdate to find out when new content is published to the release information dashboard. |
"
@@ -34,17 +35,17 @@ sections:
columns: 3
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -69,7 +70,7 @@ sections:
Loss of functionality in Dynabook Smartphone Link app
After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application.
See details > | OS Build 18362.116
May 20, 2019
KB4505057 | Investigating
| May 24, 2019
03:10 PM PT |
Display brightness may not respond to adjustments
Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Investigating
| May 21, 2019
04:47 PM PT |
Audio not working with Dolby Atmos headphones and home theater
Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Investigating
| May 21, 2019
07:17 AM PT |
- Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 18362.175
June 11, 2019
KB4503293 | Mitigated
| June 12, 2019
05:43 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | OS Build 18362.175
June 11, 2019
KB4503293 | Mitigated
| June 13, 2019
02:21 PM PT |
Error attempting to update with external USB device or memory card attached
PCs with an external USB device or SD memory card attached may get error: \"This PC can't be upgraded to Windows 10.\"
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated
| June 11, 2019
12:34 PM PT |
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated
| May 24, 2019
11:02 AM PT |
Unable to discover or connect to Bluetooth devices
Microsoft has identified compatibility issues with some versions of Realtek and Qualcomm Bluetooth radio drivers.
See details > | OS Build 18362.116
May 21, 2019
KB4505057 | Mitigated
| May 21, 2019
04:48 PM PT |
@@ -95,7 +96,7 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the error using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To workaround this issue, see KB4508640.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | OS Build 18362.175
June 11, 2019
KB4503293 | Mitigated
| Last updated:
June 12, 2019
05:43 PM PT
Opened:
June 12, 2019
11:11 AM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To mitigate this issue, see KB4508640.
Next steps: We are working on a resolution and estimate a solution will be available in late June.
Back to top | OS Build 18362.175
June 11, 2019
KB4503293 | Mitigated
| Last updated:
June 13, 2019
02:21 PM PT
Opened:
June 12, 2019
11:11 AM PT |
"
diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
index b9c2807c45..02209f2340 100644
--- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
+++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
@@ -29,17 +29,17 @@ sections:
columns: 3
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -60,14 +60,9 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
- Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503292 | Mitigated
| June 12, 2019
05:43 PM PT |
- IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working
See details > | May 14, 2019
KB4499164 | Mitigated
| June 07, 2019
02:57 PM PT |
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.
See details > | April 09, 2019
KB4493472 | Mitigated
| April 25, 2019
02:00 PM PT |
- Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | May 14, 2019
KB4499164 | Resolved
KB4505050 | May 18, 2019
02:00 PM PT |
- System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.
See details > | April 09, 2019
KB4493472 | Resolved
| May 14, 2019
01:23 PM PT |
- System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details > | April 09, 2019
KB4493472 | Resolved
| May 14, 2019
01:22 PM PT |
- System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.
See details > | April 09, 2019
KB4493472 | Resolved
| May 14, 2019
01:21 PM PT |
- Authentication may fail for services after the Kerberos ticket expires
Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.
See details > | March 12, 2019
KB4489878 | Resolved
KB4499164 | May 14, 2019
10:00 AM PT |
+ IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
See details > | May 14, 2019
KB4499164 | Resolved
KB4503277 | June 20, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503292 | Resolved
KB4503277 | June 20, 2019
02:00 PM PT |
"
@@ -83,17 +78,8 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the error using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To workaround this issue, see KB4508640.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | June 11, 2019
KB4503292 | Mitigated
| Last updated:
June 12, 2019
05:43 PM PT
Opened:
June 12, 2019
11:11 AM PT |
- | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Workaround: To mitigate the issue with Power BI reports, the report needs to be republished with markers turned off. Markers can be turned off by selecting the line chart that is having issues and going to the Visualizations pane. Then on the Format tab under Shapes, set the Show marker slider to off.
Next steps: We are working on a resolution and estimate a solution will be available in mid-July.
Back to top | May 14, 2019
KB4499164 | Mitigated
| Last updated:
June 07, 2019
02:57 PM PT
Opened:
June 07, 2019
02:57 PM PT |
-
- "
-
-- title: May 2019
-- items:
- - type: markdown
- text: "
- | Details | Originating update | Status | History |
- | Unable to access some gov.uk websites After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms: - Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolved: We have released an \"optional\" update for Internet Explorer 11 ( KB4505050) to resolve this issue. We recommend you apply this update by installing KB4505050 from Windows Update and then restarting your device.
Back to top | May 14, 2019
KB4499164 | Resolved
KB4505050 | Resolved:
May 18, 2019
02:00 PM PT
Opened:
May 16, 2019
01:57 PM PT |
+ | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Resolution: This issue was resolved in Preview Rollup KB4503277. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.
Back to top | May 14, 2019
KB4499164 | Resolved
KB4503277 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 07, 2019
02:57 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503277. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503292 | Resolved
KB4503277 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
"
@@ -103,17 +89,5 @@ sections:
text: "
| Details | Originating update | Status | History |
| System may be unresponsive after restart with certain McAfee antivirus products Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: Guidance for McAfee customers can be found in the following McAfee support articles: Next steps: We are presently investigating this issue with McAfee. We will provide an update once we have more information.
Back to top | April 09, 2019
KB4493472 | Mitigated
| Last updated:
April 25, 2019
02:00 PM PT
Opened:
April 09, 2019
10:00 AM PT |
- System may be unresponsive after restart if ArcaBit antivirus software installedMicrosoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.
Back to top | April 09, 2019
KB4493472 | Resolved
| Resolved:
May 14, 2019
01:23 PM PT
Opened:
April 09, 2019
10:00 AM PT |
- System unresponsive after restart if Sophos Endpoint Protection installedMicrosoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493472.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.
Back to top | April 09, 2019
KB4493472 | Resolved
| Resolved:
May 14, 2019
01:22 PM PT
Opened:
April 09, 2019
10:00 AM PT |
- System may be unresponsive after restart if Avira antivirus software installedMicrosoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.
Back to top | April 09, 2019
KB4493472 | Resolved
| Resolved:
May 14, 2019
01:21 PM PT
Opened:
April 09, 2019
10:00 AM PT |
-
- "
-
-- title: March 2019
-- items:
- - type: markdown
- text: "
- | Details | Originating update | Status | History |
- Authentication may fail for services after the Kerberos ticket expiresAfter installing KB4489878, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails.
Affected platforms: - Client: Windows 7 SP1
- Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4499164.
Back to top | March 12, 2019
KB4489878 | Resolved
KB4499164 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PT |
"
diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
index 8aa99cced1..0c01e06684 100644
--- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
+++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
@@ -29,17 +29,17 @@ sections:
columns: 3
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -60,17 +60,12 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
- Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503276 | Mitigated
| June 12, 2019
05:43 PM PT |
- IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working
See details > | May 14, 2019
KB4499151 | Mitigated
| June 07, 2019
02:57 PM PT |
Japanese IME doesn't show the new Japanese Era name as a text input option
If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.
See details > | April 25, 2019
KB4493443 | Mitigated
| May 15, 2019
05:53 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.
See details > | January 08, 2019
KB4480963 | Mitigated
| April 25, 2019
02:00 PM PT |
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.
See details > | April 09, 2019
KB4493446 | Mitigated
| April 18, 2019
05:00 PM PT |
+ IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
See details > | May 14, 2019
KB4499151 | Resolved
KB4503283 | June 20, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503276 | Resolved
KB4503283 | June 20, 2019
02:00 PM PT |
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
See details > | March 12, 2019
KB4489881 | Resolved
KB4503276 | June 11, 2019
10:00 AM PT |
- Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | May 14, 2019
KB4499151 | Resolved
KB4505050 | May 18, 2019
02:00 PM PT |
- Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | April 25, 2019
KB4493443 | Resolved
KB4499151 | May 14, 2019
10:00 AM PT |
- System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.
See details > | April 09, 2019
KB4493446 | Resolved
| May 14, 2019
01:22 PM PT |
- System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details > | April 09, 2019
KB4493446 | Resolved
| May 14, 2019
01:22 PM PT |
- System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.
See details > | April 09, 2019
KB4493446 | Resolved
| May 14, 2019
01:21 PM PT |
"
@@ -86,8 +81,8 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the error using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To workaround this issue, see KB4508640.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | June 11, 2019
KB4503276 | Mitigated
| Last updated:
June 12, 2019
05:43 PM PT
Opened:
June 12, 2019
11:11 AM PT |
- | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Workaround: To mitigate the issue with Power BI reports, the report needs to be republished with markers turned off. Markers can be turned off by selecting the line chart that is having issues and going to the Visualizations pane. Then on the Format tab under Shapes, set the Show marker slider to off.
Next steps: We are working on a resolution and estimate a solution will be available in mid-July.
Back to top | May 14, 2019
KB4499151 | Mitigated
| Last updated:
June 07, 2019
02:57 PM PT
Opened:
June 07, 2019
02:57 PM PT |
+ | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Resolution: This issue was resolved in Preview Rollup KB4503283. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.
Back to top | May 14, 2019
KB4499151 | Resolved
KB4503283 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 07, 2019
02:57 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503283. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503276 | Resolved
KB4503283 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
"
@@ -97,8 +92,6 @@ sections:
text: "
| Details | Originating update | Status | History |
| Japanese IME doesn't show the new Japanese Era name as a text input option If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.
Affected platforms: - Client: Windows 8.1
- Server: Windows Server 2012 R2; Windows Server 2012
Workaround: If you see any of the previous dictionary updates listed below, uninstall it from Programs and features > Uninstall or change a program. New words that were in previous dictionary updates are also in this update. - Update for Japanese Microsoft IME Standard Dictionary (15.0.2013)
- Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.2013)
- Update for Japanese Microsoft IME Standard Dictionary (15.0.1215)
- Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1215)
- Update for Japanese Microsoft IME Standard Dictionary (15.0.1080)
- Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1080)
Back to top | April 25, 2019
KB4493443 | Mitigated
| Last updated:
May 15, 2019
05:53 PM PT
Opened:
May 15, 2019
05:53 PM PT |
- | Unable to access some gov.uk websites After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms: - Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolved: We have released an \"optional\" update for Internet Explorer 11 ( KB4505050) to resolve this issue. We recommend you apply this update by installing KB4505050 from Windows Update and then restarting your device.
Back to top | May 14, 2019
KB4499151 | Resolved
KB4505050 | Resolved:
May 18, 2019
02:00 PM PT
Opened:
May 16, 2019
01:57 PM PT |
- | Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.
Back to top | April 25, 2019
KB4493443 | Resolved
KB4499151 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
May 10, 2019
10:35 AM PT |
"
@@ -108,9 +101,6 @@ sections:
text: "
| Details | Originating update | Status | History |
| System may be unresponsive after restart with certain McAfee antivirus products Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: Guidance for McAfee customers can be found in the following McAfee support articles: Next steps: We are presently investigating this issue with McAfee. We will provide an update once we have more information.
Back to top | April 09, 2019
KB4493446 | Mitigated
| Last updated:
April 18, 2019
05:00 PM PT
Opened:
April 09, 2019
10:00 AM PT |
- System may be unresponsive after restart if ArcaBit antivirus software installedMicrosoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.
Back to top | April 09, 2019
KB4493446 | Resolved
| Resolved:
May 14, 2019
01:22 PM PT
Opened:
April 09, 2019
10:00 AM PT |
- System unresponsive after restart if Sophos Endpoint Protection installedMicrosoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493446.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.
Back to top | April 09, 2019
KB4493446 | Resolved
| Resolved:
May 14, 2019
01:22 PM PT
Opened:
April 09, 2019
10:00 AM PT |
- System may be unresponsive after restart if Avira antivirus software installedMicrosoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.
Back to top | April 09, 2019
KB4493446 | Resolved
| Resolved:
May 14, 2019
01:21 PM PT
Opened:
April 09, 2019
10:00 AM PT |
"
diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml
index 712250b6be..4d86a87e46 100644
--- a/windows/release-information/status-windows-server-2008-sp2.yml
+++ b/windows/release-information/status-windows-server-2008-sp2.yml
@@ -29,17 +29,17 @@ sections:
columns: 3
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -60,10 +60,7 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
- Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503273 | Mitigated
| June 12, 2019
05:43 PM PT |
- System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details > | April 09, 2019
KB4493471 | Resolved
| May 14, 2019
01:21 PM PT |
- System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.
See details > | April 09, 2019
KB4493471 | Resolved
| May 14, 2019
01:19 PM PT |
- Authentication may fail for services after the Kerberos ticket expires
Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.
See details > | March 12, 2019
KB4489880 | Resolved
KB4499149 | May 14, 2019
10:00 AM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503273 | Resolved
KB4503271 | June 20, 2019
02:00 PM PT |
"
@@ -79,25 +76,6 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the error using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To workaround this issue, see KB4508640.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | June 11, 2019
KB4503273 | Mitigated
| Last updated:
June 12, 2019
05:43 PM PT
Opened:
June 12, 2019
11:11 AM PT |
-
- "
-
-- title: April 2019
-- items:
- - type: markdown
- text: "
- | Details | Originating update | Status | History |
- System unresponsive after restart if Sophos Endpoint Protection installedMicrosoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493471.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.
Back to top | April 09, 2019
KB4493471 | Resolved
| Resolved:
May 14, 2019
01:21 PM PT
Opened:
April 09, 2019
10:00 AM PT |
- System may be unresponsive after restart if Avira antivirus software installedMicrosoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493471.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.
Back to top | April 09, 2019
KB4493471 | Resolved
| Resolved:
May 14, 2019
01:19 PM PT
Opened:
April 09, 2019
10:00 AM PT |
-
- "
-
-- title: March 2019
-- items:
- - type: markdown
- text: "
- | Details | Originating update | Status | History |
- Authentication may fail for services after the Kerberos ticket expiresAfter installing KB4489880, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails.
Affected platforms: - Client: Windows 7 SP1
- Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4499149.
Back to top | March 12, 2019
KB4489880 | Resolved
KB4499149 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
March 12, 2019
10:00 AM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503271. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503273 | Resolved
KB4503271 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
"
diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml
index 9136d15fb3..45c7ef8b45 100644
--- a/windows/release-information/status-windows-server-2012.yml
+++ b/windows/release-information/status-windows-server-2012.yml
@@ -29,17 +29,17 @@ sections:
columns: 3
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -60,15 +60,12 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
- Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503285 | Mitigated
| June 12, 2019
05:43 PM PT |
- IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working
See details > | May 14, 2019
KB4499171 | Mitigated
| June 07, 2019
02:57 PM PT |
+ Some devices and generation 2 Hyper-V VMs may have issues installing updates
Some devices and generation 2 Hyper-V virtual machines (VMs) may have issues installing some updates when Secure Boot is enabled.
See details > | June 11, 2019
KB4503285 | Mitigated
| June 19, 2019
04:57 PM PT |
Japanese IME doesn't show the new Japanese Era name as a text input option
If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.
See details > | April 25, 2019
KB4493462 | Mitigated
| May 15, 2019
05:53 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.
See details > | January 08, 2019
KB4480975 | Mitigated
| April 25, 2019
02:00 PM PT |
+ IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
See details > | May 14, 2019
KB4499171 | Resolved
KB4503295 | June 21, 2019
02:00 PM PT |
+ Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details > | June 11, 2019
KB4503285 | Resolved
KB4503295 | June 20, 2019
02:00 PM PT |
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
See details > | March 12, 2019
KB4489891 | Resolved
KB4503285 | June 11, 2019
10:00 AM PT |
- Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details > | May 14, 2019
KB4499171 | Resolved
KB4505050 | May 18, 2019
02:00 PM PT |
- Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details > | April 25, 2019
KB4493462 | Resolved
KB4499171 | May 14, 2019
10:00 AM PT |
- System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details > | April 09, 2019
KB4493451 | Resolved
| May 14, 2019
01:21 PM PT |
- System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.
See details > | April 09, 2019
KB4493451 | Resolved
| May 14, 2019
01:19 PM PT |
"
@@ -84,8 +81,9 @@ sections:
- type: markdown
text: "
| Details | Originating update | Status | History |
- | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the error using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To workaround this issue, see KB4508640.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | June 11, 2019
KB4503285 | Mitigated
| Last updated:
June 12, 2019
05:43 PM PT
Opened:
June 12, 2019
11:11 AM PT |
- | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Workaround: To mitigate the issue with Power BI reports, the report needs to be republished with markers turned off. Markers can be turned off by selecting the line chart that is having issues and going to the Visualizations pane. Then on the Format tab under Shapes, set the Show marker slider to off.
Next steps: We are working on a resolution and estimate a solution will be available in mid-July.
Back to top | May 14, 2019
KB4499171 | Mitigated
| Last updated:
June 07, 2019
02:57 PM PT
Opened:
June 07, 2019
02:57 PM PT |
+ Some devices and generation 2 Hyper-V VMs may have issues installing updatesSome devices and generation 2 Hyper-V virtual machines (VMs) may have issues installing KB4503285 or later updates when Secure Boot is enabled.
Affected platforms: - Server: Windows Server 2012
Workaround: Disabling Secure Boot should allow the update to install as expected. You can enable Secure Boot again after installation is complete.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Back to top | June 11, 2019
KB4503285 | Mitigated
| Last updated:
June 19, 2019
04:57 PM PT
Opened:
June 19, 2019
04:57 PM PT |
+ | IE11 may stop working when loading or interacting with Power BI reports Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Affected platforms: - Client: Windows 7 SP1; Windows 8.1
- Server: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Resolution: This issue was resolved in Preview Rollup KB4503295. If you are using the Internet Explorer cumulative updates, this issue was resolved in KB4508646.
Back to top | May 14, 2019
KB4499171 | Resolved
KB4503295 | Resolved:
June 21, 2019
02:00 PM PT
Opened:
June 07, 2019
02:57 PM PT |
+ | Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4503295. If you are using Security Only updates, see KB4508640 for resolving KB for your platform.
Back to top | June 11, 2019
KB4503285 | Resolved
KB4503295 | Resolved:
June 20, 2019
02:00 PM PT
Opened:
June 12, 2019
11:11 AM PT |
"
@@ -95,18 +93,6 @@ sections:
text: "
| Details | Originating update | Status | History |
| Japanese IME doesn't show the new Japanese Era name as a text input option If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.
Affected platforms: - Client: Windows 8.1
- Server: Windows Server 2012 R2; Windows Server 2012
Workaround: If you see any of the previous dictionary updates listed below, uninstall it from Programs and features > Uninstall or change a program. New words that were in previous dictionary updates are also in this update. - Update for Japanese Microsoft IME Standard Dictionary (15.0.2013)
- Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.2013)
- Update for Japanese Microsoft IME Standard Dictionary (15.0.1215)
- Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1215)
- Update for Japanese Microsoft IME Standard Dictionary (15.0.1080)
- Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1080)
Back to top | April 25, 2019
KB4493462 | Mitigated
| Last updated:
May 15, 2019
05:53 PM PT
Opened:
May 15, 2019
05:53 PM PT |
- | Unable to access some gov.uk websites After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms: - Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolved: We have released an \"optional\" update for Internet Explorer 11 ( KB4505050) to resolve this issue. We recommend you apply this update by installing KB4505050 from Windows Update and then restarting your device.
Back to top | May 14, 2019
KB4499171 | Resolved
KB4505050 | Resolved:
May 18, 2019
02:00 PM PT
Opened:
May 16, 2019
01:57 PM PT |
- | Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.
Affected platforms: - Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
- Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue has been resolved.
Back to top | April 25, 2019
KB4493462 | Resolved
KB4499171 | Resolved:
May 14, 2019
10:00 AM PT
Opened:
May 10, 2019
10:35 AM PT |
-
- "
-
-- title: April 2019
-- items:
- - type: markdown
- text: "
- | Details | Originating update | Status | History |
- System unresponsive after restart if Sophos Endpoint Protection installedMicrosoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493451.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.
Back to top | April 09, 2019
KB4493451 | Resolved
| Resolved:
May 14, 2019
01:21 PM PT
Opened:
April 09, 2019
10:00 AM PT |
- System may be unresponsive after restart if Avira antivirus software installedMicrosoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493451.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.
Back to top | April 09, 2019
KB4493451 | Resolved
| Resolved:
May 14, 2019
01:19 PM PT
Opened:
April 09, 2019
10:00 AM PT |
"
diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml
index 9619ecc9de..08b34fe4ba 100644
--- a/windows/release-information/windows-message-center.yml
+++ b/windows/release-information/windows-message-center.yml
@@ -23,17 +23,17 @@ sections:
columns: 2
items:
- - href: https://blogs.windows.com/windowsexperience/
+ - href: https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97
html: Get the update >
image:
src: https://docs.microsoft.com/media/common/i_deploy.svg
title: Windows 10, version 1903 rollout begins
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064
html: Read about the latest enhancements >
image:
src: https://docs.microsoft.com/media/common/i_whats-new.svg
title: What’s new in Windows Update for Business
- - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/bg-p/Windows10Blog
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024
html: Get an overview >
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
@@ -50,9 +50,9 @@ sections:
text: "
| Message | Date |
- Windows 10, version 1903 rollout begins
The Windows 10 May 2019 Update (Windows 10, version 1903) is available today to commercial customers via Windows Server Update Services (WSUS), Windows Update for Business, and the Volume Licensing Service Center (VLSC)—and to end users who manually select “Check for updates.” We are slowly throttling up availability while we carefully monitor data and feedback. | May 21, 2019
10:00 AM PT |
- What’s new in Windows Update for Business
We are enhancing and expanding the capabilities of Windows Update for Business to make the move to the cloud even easier. From simplified branch readiness options to better control over deadlines and reboots, read about the enhancements to Windows Update for Business as a part of Windows 10, version 1903. | May 21, 2019
10:00 AM PT |
- What’s new for businesses and IT pros in Windows 10
Explore the newest capabilities for businesses and IT in the latest feature update in the areas of intelligent security, simplified updates, flexible management, and enhanced productivity. | May 21, 2019
10:00 AM PT |
+ Windows 10, version 1903 rollout begins
The Windows 10 May 2019 Update (Windows 10, version 1903) is available today to commercial customers via Windows Server Update Services (WSUS), Windows Update for Business, and the Volume Licensing Service Center (VLSC)—and to end users who manually select “Check for updates.” We are slowly throttling up availability while we carefully monitor data and feedback. | May 21, 2019
10:00 AM PT |
+ What’s new in Windows Update for Business
We are enhancing and expanding the capabilities of Windows Update for Business to make the move to the cloud even easier. From simplified branch readiness options to better control over deadlines and reboots, read about the enhancements to Windows Update for Business as a part of Windows 10, version 1903. | May 21, 2019
10:00 AM PT |
+ What’s new for businesses and IT pros in Windows 10
Explore the newest capabilities for businesses and IT in the latest feature update in the areas of intelligent security, simplified updates, flexible management, and enhanced productivity. | May 21, 2019
10:00 AM PT |
Reminder: Install the latest SSU for a smoother update experience
We strongly recommend that you install the latest servicing stack update (SSU) before installing any Windows update; especially as an SSU may be a prerequisite for some updates. If you have difficulty installing Windows updates, verify that you have installed the latest SSU package for your version of Windows and then try installing the update again. Links to the latest SSU are always provided in the “How to get this update” section of each update KB article (e.g., KB4494441). For more information about SSUs, see our Servicing stack updates guidance. | May 14, 2019
10:00 AM PT |
Take action: Update Remote Desktop Services on older versions of Windows
Today, we released fixes for a critical wormable, remote code execution vulnerability ( CVE-2019-0708) in Remote Desktop Services—formerly known as Terminal Services. This vulnerability affects Windows 7, Windows Server 2008 R2, and earlier versions of Windows nearing end of support. It does not affect Windows 8, Windows Server 2012, or newer operating systems. While we have not observed attacks exploiting this vulnerability, affected systems should be patched with priority. Here is what you need to know:
Call to action:
@@ -107,7 +107,7 @@ If you are still unable to connect to Windows Update services due to this proble
Driver quality in the Windows ecosystem
Ensuring Windows 10 works great with all the devices and accessories our customers use is a top priority. We work closely with this broad mix of partners to test new drivers, monitor health characteristics over time, and make Windows and our ecosystem more resilient architecturally. Our goal is to ensure that all the updates and drivers we deliver to non-Insider populations are validated and at production quality (including monthly optional releases) before pushing drivers broadly to all. Explore the driver distribution chain and learn how we measure driver quality and prevent conflicts. | December 19, 2018
10:04 AM PT |
Introducing the Modern Desktop podcast series
In this new podcast series, we'll explore the good, the bad, and, yes, the ugly of servicing and delivery for Windows 10 and Office 365 ProPlus. We'll talk about modern desktop management through Enterprise Mobility, security, and cloud-attached and co-managed environments. Listen to the first episode, in which we discuss monthly quality updates fpr Windows 10, the Microsoft 365 Stay Current pilot program, and interview a real customer to see how they ingest monthly updates in their organization. | December 18, 2018
01:00 PM PT |
Measuring Delivery Optimization and its impact to your network
If you've familiarized yourself with the configuration options for Delivery Optimization in Windows 10, and have started to configure the settings you feel will be the best fit for your organization’s network topology, now is the time to see how well those settings are working. This article provides tips on how evaluate performance at the device level or organization level. | December 13, 2018
03:48 PM PT |
- Windows monthly security and quality updates overview
Today’s global cybersecurity threats are both dynamic and sophisticated, and new vulnerabilities are discovered almost every day. We focus on protecting customers from these security threats by providing security updates on a timely basis and with high quality. Find out how how we deliver these critical updates on a massive scale as a key component of our ongoing Windows as a service effort. | December 10, 2018
10:00 AM PT |
+ Windows monthly security and quality updates overview
Today’s global cybersecurity threats are both dynamic and sophisticated, and new vulnerabilities are discovered almost every day. We focus on protecting customers from these security threats by providing security updates on a timely basis and with high quality. Find out how we deliver these critical updates on a massive scale as a key component of our ongoing Windows as a service effort. | December 10, 2018
10:00 AM PT |
LTSC: What is it, and when should it be used?
With the Semi-Annual Channel, devices receive two feature updates per year, and benefit from the best performance, user experience, security, and stability. This servicing option continues to be our recommendation for managing Windows 10 updates; however, we acknowledge that certain devices and use cases (e.g. medical systems and industrial process controllers) dictate that functionality and features don’t change over time. Find out how we designed the Long-Term Servicing Channel (LTSC) with these types of use cases in mind, and what is offered through the LTSC. | November 29, 2018
07:02 PM PT |
Plan for change: Local Experience Packs: What are they and when should you use them?
When we released Windows 10, version 1803, we introduced Local Experience Packs (LXPs), which are modern language packs delivered through the Microsoft Store or Microsoft Store for Business. Learn about the biggest advantage to LXPs, and the retirement of legacy language packs (lp.cab) for all Language Interface Packs (LIP). | November 14, 2018
11:10 AM PT |
Windows 10 Quality approach for a complex ecosystem
While our measurements of quality show improving trends on aggregate for each successive Windows 10 release, if a single customer experiences an issue with any of our updates, we take it seriously. In this blog post, Windows CVP Mike Fortin shares an overview of how we work to continuously improve the quality of Windows and our Windows as a service approach. This blog will be the first in a series of more in-depth explanations of the work we do to deliver quality in our Windows releases. | November 13, 2018
10:00 AM PT |
diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
index 65e1e3a384..4981294bac 100644
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@@ -2883,7 +2883,7 @@ This security group was introduced in Windows Server 2012, and it has not chang
Well-Known SID/RID |
-S-1-5-21-<domain>-553 |
+S-1-5-32-<domain>-576 |
Type |
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index 1bd0ee3c7b..364908841f 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -515,7 +515,7 @@ The following table shows the Group Policy settings that are used to deny networ
2. Double-click **Deny log on through Remote Desktop Services**.
- 3. Click **Add User or Group**, type type **Local account and member of Administrators group**, and > **OK**.
+ 3. Click **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**.
8. Link the GPO to the first **Workstations** OU as follows:
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index 93d0011f35..c67ea0ab51 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -334,7 +334,7 @@ write-host "There are no issuance policies which are not mapped to groups"
Save the script file as set-IssuancePolicyToGroupLink.ps1.
-``` syntax
+```powershell
#######################################
## Parameters to be defined ##
## by the user ##
diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
index 15e3791181..6b0c32bc57 100644
--- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
+++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
@@ -1,6 +1,6 @@
---
-title: Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments
-description: Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments
+title: Planning an adequate number of Windows Server 2019 Domain Controllers for Windows Hello for Business deployments
+description: Planning an adequate number of Windows Server 2019 Domain Controllers for Windows Hello for Business deployments
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust
ms.prod: w10
ms.mktglfcycl: deploy
@@ -16,34 +16,44 @@ localizationpriority: medium
ms.date: 08/20/2018
ms.reviewer:
---
-# Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments
+# Planning an adequate number of Windows Server 2019 Domain Controllers for Windows Hello for Business deployments
**Applies to**
- Windows 10, version 1702 or later
+- Windows Server, versions 2016 and 2019
- Hybrid or On-Premises deployment
- Key trust
+> [!NOTE]
+>There was an issue with key trust on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044).
+
## How many is adequate
-How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2016 includes the KDC AS Requests performance counter. You can use these counters to determine how much of a domain controller's load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication--it remains unchanged.
+
+How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2019 includes the KDC AS Requests performance counter. You can use this counter to determine how much of a domain controller's load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication - it remains unchanged.
-Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers. Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 domain controller.
+
+Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2019 domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers. Therefore, users in a key trust deployment must authenticate to a Windows Server 2019 domain controller.
-Determining an adequate number of Windows Server 2016 domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding the most current version of a domain controller (in this case Windows Server 2016) to a deployment of existing domain controllers (Windows Server 2008R2 or Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario:
+
+Determining an adequate number of Windows Server 2019 domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding the most current version of a domain controller (in this case Windows Server 2019) to a deployment of existing domain controllers (Windows Server 2008R2, Windows Server 2012R2 or Windows Server 2016) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario:
+
Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following:
-The environment changes. The first change includes DC1 upgraded to Windows Server 2016 to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following:
+
+The environment changes. The first change includes DC1 upgraded to Windows Server 2019 to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following:
-The Windows Server 2016 domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of the password authentication. Why? This behavior occurs because domain controllers 2- 10 only support password and certificate trust authentication; only a Windows Server 2016 domain controller supports authentication public key trust authentication. The Windows Server 2016 domain controller understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will be bear more of the authentication load, and easily become overloaded. What if another Windows Server 2016 domain controller is added, but without deploying Windows Hello for Business to anymore clients?
+The Windows Server 2019 domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of the password authentication. Why? This behavior occurs because domain controllers 2 - 10 only support password and certificate trust authentication; only a Windows Server 2019 domain controller supports public key trust authentication. The Windows Server 2019 domain controller understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will bear more of the authentication load, and easily become overloaded. What if another Windows Server 2019 domain controller is added, but without deploying Windows Hello for Business to any more clients?
+
-Upgrading another Windows Server 2016 domain controller distributes the public key trust authentication across two domain controllers--each supporting 50 percent of the load. But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2016 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016, but the number of WHFB clients remains the same.
+Upgrading another Windows Server 2019 domain controller distributes the public key trust authentication across two domain controllers - each supporting 50 percent of the load. But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2019 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2019, but the number of WHFB clients remains the same.
@@ -51,7 +61,7 @@ Domain controllers 1 through 5 now share the public key trust authentication loa
-You'll notice the distribution did not change. Each Windows Server 2016 domain controller handles 20 percent of the public key trust authentication. However, increasing the volume of authentication (by increasing the number of clients) increases the amount of work that is represented by the same 20 percent. In the previous example, 20 percent of public key trust authentication equated to a volume of 20 authentications per domain controller capable of public key trust authentication. However, with upgraded clients, that same 20 percent represents a volume 100 public key trust authentications per public key trust capable domain controller. Also, the distribution of non-public key trust authentication remained at 10 percent, but the volume of password and certificate trust authentication decreased across the older domain controllers.
+You'll notice the distribution did not change. Each Windows Server 2019 domain controller handles 20 percent of the public key trust authentication. However, increasing the volume of authentication (by increasing the number of clients) increases the amount of work that is represented by the same 20 percent. In the previous example, 20 percent of public key trust authentication equated to a volume of 20 authentications per domain controller capable of public key trust authentication. However, with upgraded clients, that same 20 percent represents a volume of 100 public key trust authentications per public key trust capable domain controller. Also, the distribution of non-public key trust authentication remained at 10 percent, but the volume of password and certificate trust authentications decreased across the older domain controllers.
There are several conclusions here:
* Upgrading domain controllers changes the distribution of new authentication, but doesn't change the distribution of older authentication.
@@ -62,6 +72,8 @@ There are several conclusions here:
The preceding was an example to show why it's unrealistic to have a "one-size-fits-all" number to describe what "an adequate amount" means. In the real world, authentication is not evenly distributed across domain controllers.
+
+
## Determining total AS Request load
Each organization needs to have a baseline of the AS request load that occurs in their environment. Windows Server provides the KDC AS Requests performance counter that helps you determine this.
@@ -83,13 +95,15 @@ Add the number of authentications for each domain controller for the median time
Review the distribution of authentication. Hopefully, none of these are above 70 percent. It's always good to reserve some capacity for the unexpected. Also, the primary purposes of a domain controller are to provide authentication and handle Active Directory operations. Identify domain controllers with lower distributions of authentication as potential candidates for the initial domain controller upgrades in conjunction with a reasonable distribution of clients provisioned for Windows Hello for Business.
## Monitoring Authentication
-Using the same methods previously described above, monitor the Kerberos authentication after upgrading a domain controller and your first phase of Windows Hello for Business deployments. Make note of the delta of authentication before and after upgrading the domain controller to Windows Server 2016. This delta is representative of authentication resulting from the first phase of your Windows Hello for Business clients. This gives you a baseline for your environment from which you can form a statement such as
+
+Using the same methods described above, monitor the Kerberos authentication after upgrading a domain controller and your first phase of Windows Hello for Business deployments. Make note of the delta of authentication before and after upgrading the domain controller to Windows Server 2019. This delta is representative of authentication resulting from the first phase of your Windows Hello for Business clients. It gives you a baseline for your environment to where you can form a statement such as:
+
```"Every n Windows Hello for Business clients results in x percentage of key-trust authentication."```
Where _n_ equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. Armed with this information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment.
-Remember, increasing the number of clients changes the volume of authentication distributed across the Windows Server 2016 domain controllers. If there is only one Windows Server 2016 domain controller, there's no distribution and you are simply increasing the volume of authentication for which THAT domain controller is responsible.
+Remember, increasing the number of clients changes the volume of authentication distributed across the Windows Server 2019 domain controllers. If there is only one Windows Server 2019 domain controller, there's no distribution and you are simply increasing the volume of authentication for which THAT domain controller is responsible.
Increasing the number of domain controllers distributes the volume of authentication, but doesn't change it. Therefore, as you add more domain controllers, the burden of authentication, for which each domain controller is responsible, decreases. Upgrading two domain controller changes the distribution to 50 percent. Upgrading three domain controllers changes the distribution to 33 percent, and so on.
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index 0492d0e9fc..a3ff61d617 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -85,7 +85,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
| B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application, which represents the end of user key registration. |
-| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys. |
+| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys. |
| E | The registration authority validates the public key in the certificate request matches a registered key for the user.
If the public key in the certificate is not found in the list of registered public keys, certificate enrollment is deferred until Phase F completes. The application is informed of the deferment and exits to the user's desktop. The automatic certificate enrollment client triggers the Azure AD Web Account Manager plug-in to retry the certificate enrollment at 24, 85, 145, 205, 265, and 480 minutes after phase C successfully completes. The user must remain signed in for automatic certificate enrollment to trigger certificate enrollment. If the user signs out, automatic certificate enrollment is triggered approximately 30 minutes after the user's next sign in.
After validating the public key, the registration authority signs the certificate request using its enrollment agent certificate. |
| G | The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application. |
| H | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning. |
@@ -105,7 +105,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
| B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID and a key receipt to the application, which represents the end of user key registration. |
-| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys. |
+| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys. |
| E | The registration authority validates the public key in the certificate request matches a registered key for the user.
If the public key in the certificate is not found in the list of registered public keys, it then validates the key receipt to confirm the key was securely registered with Azure.
After validating the key receipt or public key, the registration authority signs the certificate request using its enrollment agent certificate. |
| F | The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application. |
| G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning. |
@@ -124,7 +124,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services (or a third party MFA service) provides the second factor of authentication.
The on-premises STS server issues a enterprise token on successful MFA. The application sends the token to Azure Active Directory.
Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
| B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID and a key receipt to the application, which represents the end of user key registration. |
-| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys. |
+| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys. |
| E | The registration authority validates the public key in the certificate request matches a registered key for the user.
If the public key in the certificate is not found in the list of registered public keys, it then validates the key receipt to confirm the key was securely registered with Azure.
After validating the key receipt or public key, the registration authority signs the certificate request using its enrollment agent certificate. |
| F | The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application. |
| G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning. |
@@ -152,7 +152,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA server (or a third party MFA service) provides the second factor of authentication.
The on-premises STS server issues a enterprise DRS token on successful MFA.|
| B| After receiving a EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
|C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.|
-|D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys.|
+|D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys.|
|E | The registration authority validates the public key in the certificate request matches a registered key for the user.
After validating the public key, the registration authority signs the certificate request using its enrollment agent certificate.|
|F |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.|
|G | The application receives the newly issued certificate and installs it into the Personal store of the user. This signals the end of provisioning.|
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index 4dc8b49caf..8a74c77ed5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -29,6 +29,9 @@ Your environment is federated and you are ready to configure device registration
> [!IMPORTANT]
> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment.
+>[!TIP]
+>Refer to the [Tutorial: Configure hybrid Azure Active Directory join for federated domains](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-federated-domains) to learn more about setting up Azure Active Directory Connect for a simplified join flow for Azure AD device registration.
+
Use this three-phased approach for configuring device registration.
1. [Configure devices to register in Azure](#configure-azure-for-device-registration)
2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-synchronization)
@@ -42,6 +45,9 @@ Use this three-phased approach for configuring device registration.
>
> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](https://docs.microsoft.com/azure/active-directory/device-management-introduction)
+>[!IMPORTANT]
+> To use hybrid identity with Azure Active Directory and device WriteBack features, you must use the built-in GUI with the [latest updates for ADConnect](https://www.microsoft.com/download/details.aspx?id=47594).
+
## Configure Azure for Device Registration
Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
@@ -66,7 +72,7 @@ To locate the schema master role holder, open and command prompt and type:
-The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role.
+The command should return the name of the domain controller where you need to run adprep.exe. Update the schema locally on the domain controller hosting the Schema master role.
#### Updating the Schema
@@ -130,7 +136,6 @@ If your AD FS farm is not already configured for Device Authentication (you can
The above PSH creates the following objects:
-
- RegisteredDevices container under the AD domain partition
- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration
- Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration
@@ -278,7 +283,8 @@ The definition helps you to verify whether the values are present or if you need
**`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added.
- @RuleName = "Issue account type with the value User when its not a computer"
+ @RuleName = "Issue account type with the value User when it is not a computer"
+
NOT EXISTS(
[
Type == "http://schemas.microsoft.com/ws/2012/01/accounttype",
@@ -473,6 +479,7 @@ The following script helps you with the creation of the issuance transform rules
Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString
+
#### Remarks
- This script appends the rules to the existing rules. Do not run the script twice because the set of rules would be added twice. Make sure that no corresponding rules exist for these claims (under the corresponding conditions) before running the script again.
@@ -512,7 +519,6 @@ For your reference, below is a comprehensive list of the AD DS devices, containe
> [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
-
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index d3ab610a58..da3bf064e5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -36,7 +36,7 @@ Sign-in the AD FS server with *Domain Admin* equivalent credentials.
2. Type the following command
```PowerShell
- Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication
+ Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication -WindowsHelloCertificateProxyEnabled $true
```
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index 1573d9e947..2a75a61791 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -66,7 +66,7 @@ The minimum required enterprise certificate authority that can be used with Wind
* Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name).
* The certificate Key Usage section must contain Digital Signature and Key Encipherment.
* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
-* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1).
+* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), Smart Card Logon (1.3.6.1.4.1.311.20.2.2), and KDC Authentication (1.3.6.1.5.2.3.5)
* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name.
* The certificate template must have an extension that has the BMP data value "DomainController".
* The domain controller certificate must be installed in the local computer's certificate store.
@@ -100,7 +100,7 @@ Organizations using older directory synchronization technology, such as DirSync
## Federation with Azure
-You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) beginning with Windows Server 2012 R2.
+You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/whatis-phs) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) beginning with Windows Server 2012 R2.
### Section Review
diff --git a/windows/security/identity-protection/hello-for-business/reset-security-key.md b/windows/security/identity-protection/hello-for-business/reset-security-key.md
index b9cdc2e5ae..0cfc09e68c 100644
--- a/windows/security/identity-protection/hello-for-business/reset-security-key.md
+++ b/windows/security/identity-protection/hello-for-business/reset-security-key.md
@@ -24,7 +24,7 @@ ms.reviewer:
>This operation will wipe everything from your security key and reset it to factory defaults. **All data and credentials will be cleared.**
-A [Microsoft-compatible security key](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key) can be reset via Settings app ( Settings > Accounts > Sign-in options > Security key ).
+A [Microsoft-compatible security key](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key) can be reset via Settings app ( Settings > Accounts > Sign-in options > Security key ).
Follow the instructions in the Settings app and look for specific instructions based on your security key manufacturer below:
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index 10a0b0a26c..33bbc7b730 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -82,7 +82,7 @@ Credential providers must be registered on a computer running Windows, and they
## Smart card subsystem architecture
-Vendors provide smart cards and smart card readers, and in many cases the vendors are different for the smart card and the smart card reader. Drivers for smart card readers are written to the [Personal Computer/Smart Card (PC/SC) standard](https://www.pcscworkgroup.com/). Each smart card must have a Credential Service Provider (CSP) that uses the CryptoAPI interfaces to enable cryptographic operations, and the WinSCard APIs to enable communications with smart card hardware.
+Vendors provide smart cards and smart card readers, and in many cases the vendors are different for the smart card and the smart card reader. Drivers for smart card readers are written to the [Personal Computer/Smart Card (PC/SC) standard](https://www.pcscworkgroup.com/). Each smart card must have a Cryptographic Service Provider (CSP) that uses the CryptoAPI interfaces to enable cryptographic operations, and the WinSCard APIs to enable communications with smart card hardware.
### Base CSP and smart card minidriver architecture
@@ -334,7 +334,7 @@ The following properties are supported in versions of Windows designated in the
### Implications for CSPs in Windows
-Credential Service Providers (CSPs), including custom smart card CSPs, continue to be supported but this approach is not recommended. Using the existing Base CSP and smart card KSP with the smart card minidriver model for smart cards provides significant benefits in terms of performance, and PIN and data caching. One minidriver can be configured to work under CryptoAPI and CNG layers. This provides benefits from enhanced cryptographic support, including elliptic curve cryptography and AES.
+Cryptographic Service Providers (CSPs), including custom smart card CSPs, continue to be supported but this approach is not recommended. Using the existing Base CSP and smart card KSP with the smart card minidriver model for smart cards provides significant benefits in terms of performance, and PIN and data caching. One minidriver can be configured to work under CryptoAPI and CNG layers. This provides benefits from enhanced cryptographic support, including elliptic curve cryptography and AES.
If a smart card is registered by a CSP and a smart card minidriver, the one that was installed most recently will be used to communicate with the smart card.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index 2a808c73fa..e3226ec136 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -1713,7 +1713,7 @@ In **Configure user storage of BitLocker recovery information**, select whether
Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you cannot specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting.
-In **Save BitLocker recovery information to Active Directory Doman Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS.
+In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS.
Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, you can use the **Repair-bde** command-line tool. If you select **Backup recovery password only**, only the recovery password is stored in AD DS.
For more information about the BitLocker repair tool, see [Repair-bde](https://technet.microsoft.com/library/ff829851.aspx).
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index a5e58c1e6b..8dd40cf580 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -101,7 +101,7 @@ To install the role using Windows PowerShell, use the following command:
Install-WindowsFeature WDS-Deployment
```
-You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Doman Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard.
+You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Domain Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard.
### Confirm the WDS Service is running
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index fb326e7977..b89ced627d 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -22,6 +22,10 @@ The ideal for BitLocker management is to eliminate the need for IT admins to set
Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for different types of computers.
+
+>[!IMPORTANT]
+> Microsoft BitLocker Administration and Monitoring (MBAM) capabilities will be offered from [SCCM in on-prem scenarios](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/viewing-mbam-25-reports-for-the-configuration-manager-integration-topology) in the future.
+
## Managing domain-joined computers and moving to cloud
Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx).
@@ -132,8 +136,10 @@ PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpace
+
+
-**Powershell**
+# **PowerShell**
[BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell)
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
index 1478ec896f..c3f0286d24 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
@@ -89,11 +89,11 @@ Some things that you can check on the device are:
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
- [Details on the TPM standard](https://www.microsoft.com/en-us/research/project/the-trusted-platform-module-tpm/) (has links to features using TPM)
-- [TPM Base Services Portal](https://docs.microsoft.com/en-us/windows/desktop/TBS/tpm-base-services-portal)
-- [TPM Base Services API](https://docs.microsoft.com/en-us/windows/desktop/api/_tbs/)
+- [TPM Base Services Portal](https://docs.microsoft.com/windows/desktop/TBS/tpm-base-services-portal)
+- [TPM Base Services API](https://docs.microsoft.com/windows/desktop/api/_tbs/)
- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule)
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations)
-- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/en-us/blog/device-provisioning-identity-attestation-with-tpm/)
-- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/en-us/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/)
+- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/blog/device-provisioning-identity-attestation-with-tpm/)
+- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/)
- [Windows 10: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx)
- [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx)
diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
index d251a04493..dff04d8807 100644
--- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
+++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
@@ -165,7 +165,7 @@ Use Windows Event Forwarding to collect and aggregate your WIP audit events. You
2. In the console tree under **Application and Services Logs\Microsoft\Windows**, click **EDP-Audit-Regular** and **EDP-Audit-TCB**.
## Collect WIP audit logs using Azure Monitor
-You can collect audit logs using Azure Monitor. See [Windows event log data sources in Azure Monitor.](https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs)
+You can collect audit logs using Azure Monitor. See [Windows event log data sources in Azure Monitor.](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs)
**To view the WIP events in Azure Monitor**
1. Use an existing or create a new Log Analytics workspace.
@@ -179,7 +179,7 @@ You can collect audit logs using Azure Monitor. See [Windows event log data sour
>[!NOTE]
>If using Windows Events Logs, the event log names can be found under Properties of the event in the Events folder (Application and Services Logs\Microsoft\Windows, click EDP-Audit-Regular and EDP-Audit-TCB).
-3. Download Microsoft [Monitoring Agent](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows#install-the-agent-using-dsc-in-azure-automation).
+3. Download Microsoft [Monitoring Agent](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#install-the-agent-using-dsc-in-azure-automation).
4. To get MSI for Intune installation as stated in the Azure Monitor article, extract: MMASetup-.exe /c /t:
Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary key. More information on Workspace ID and Primary key can be found in **Log Analytics** > **Advanced Settings**.
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index fef2b942c2..47cc545f94 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -565,7 +565,7 @@ After you create and deploy your WIP policy to your employees, Windows begins to
## Choose your optional WIP-related settings
After you've decided where your protected apps can access enterprise data on your network, you can choose optional settings.
-
+
**Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md
index c65af63ce9..736efd6668 100644
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md
+++ b/windows/security/information-protection/windows-information-protection/wip-learning.md
@@ -1,88 +1,88 @@
----
-title:
-# Fine-tune Windows Information Policy (WIP) with WIP Learning
-description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company.
-ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2
-ms.reviewer:
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP Learning
-ms.prod: w10
-ms.mktglfcycl:
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: dulcemontemayor
-ms.author: dolmont
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 02/26/2019
----
-
-# Fine-tune Windows Information Protection (WIP) with WIP Learning
-**Applies to:**
-
-- Windows 10, version 1703 and later
-- Windows 10 Mobile, version 1703 and later
-
-With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports can be accessed from Microsoft Azure Intune.
-
-The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Block”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly.
-
-In the **Website learning report**, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list.
-
-## Access the WIP Learning reports
-
-1. Open the [Azure portal](http://portal.azure.com/).
-
-1. Click **All services**, type **Intune** in the text box filter, and click the star to add it to **Favorites**.
-
-1. Click **Intune** > **Client apps** > **App protection status** > **Reports**.
-
- 
-
-1. Select either **App learning report for Windows Information Protection** or **Website learning report for Windows Information Protection**.
-
- 
-
-Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies.
-
-## Use the WIP section of Device Health
-
-You can use Device Health to adjust your WIP protection policy. See [Using Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-using#windows-information-protection) to learn more.
-
-If you want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information.
-
-Once you have WIP policies in place, by using the WIP section of Device Health, you can:
-
-- Reduce disruptive prompts by adding rules to allow data sharing from approved apps.
-- Tune WIP rules by confirming that certain apps are allowed or denied by current policy.
-
-## Use Device Health and Intune to adjust WIP protection policy
-
-The information needed for the following steps can be found using Device Health, which you will first have to set up. Learn more about how you can [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor).
-
-1. In **Device Health** click the app you want to add to your policy and copy the publisher information.
-
-2. In Intune, click **App protection policies** and then choose the app policy you want to add an application to.
-
-3. Click **Protected apps**, and then click **Add Apps**.
-
-4. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app).
-
- 
-
-5. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 1 above.
-
- 
-
-6. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**).
-
-7. Copy the name of the executable (for example, snippingtool.exe) and paste it in **FILE** (required).
-
-8. Type the version number of the app into **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny**
-
-When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+---
+title:
+# Fine-tune Windows Information Policy (WIP) with WIP Learning
+description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company.
+ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2
+ms.reviewer:
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP Learning
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: dulcemontemayor
+ms.author: dolmont
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 02/26/2019
+---
+
+# Fine-tune Windows Information Protection (WIP) with WIP Learning
+**Applies to:**
+
+- Windows 10, version 1703 and later
+- Windows 10 Mobile, version 1703 and later
+
+With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports can be accessed from Microsoft Azure Intune.
+
+The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Block”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly.
+
+In the **Website learning report**, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list.
+
+## Access the WIP Learning reports
+
+1. Open the [Azure portal](http://portal.azure.com/).
+
+1. Click **All services**, type **Intune** in the text box filter, and click the star to add it to **Favorites**.
+
+1. Click **Intune** > **Client apps** > **App protection status** > **Reports**.
+
+ 
+
+1. Select either **App learning report for Windows Information Protection** or **Website learning report for Windows Information Protection**.
+
+ 
+
+Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies.
+
+## Use the WIP section of Device Health
+
+You can use Device Health to adjust your WIP protection policy. See [Using Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-using#windows-information-protection) to learn more.
+
+If you want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information.
+
+Once you have WIP policies in place, by using the WIP section of Device Health, you can:
+
+- Reduce disruptive prompts by adding rules to allow data sharing from approved apps.
+- Tune WIP rules by confirming that certain apps are allowed or denied by current policy.
+
+## Use Device Health and Intune to adjust WIP protection policy
+
+The information needed for the following steps can be found using Device Health, which you will first have to set up. Learn more about how you can [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor).
+
+1. In **Device Health** click the app you want to add to your policy and copy the publisher information.
+
+2. In Intune, click **App protection policies** and then choose the app policy you want to add an application to.
+
+3. Click **Protected apps**, and then click **Add Apps**.
+
+4. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app).
+
+ 
+
+5. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 1 above.
+
+ 
+
+6. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**).
+
+7. Copy the name of the executable (for example, snippingtool.exe) and paste it in **FILE** (required).
+
+8. Type the version number of the app into **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny**
+
+When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 19cc428023..3946fe4807 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -849,8 +849,8 @@
####### [Event 1105 S: Event log automatic backup.](auditing/event-1105.md)
####### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](auditing/event-1108.md)
###### [Appendix A: Security monitoring recommendations for many audit events](auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md)
-###### [Registry (Global Object Access Auditing) ](auditing/registry-global-object-access-auditing.md)
-###### [File System (Global Object Access Auditing) ](auditing/file-system-global-object-access-auditing.md)
+###### [Registry (Global Object Access Auditing)](auditing/registry-global-object-access-auditing.md)
+###### [File System (Global Object Access Auditing)](auditing/file-system-global-object-access-auditing.md)
diff --git a/windows/security/threat-protection/auditing/event-4697.md b/windows/security/threat-protection/auditing/event-4697.md
index 72efcaeaae..d454c05905 100644
--- a/windows/security/threat-protection/auditing/event-4697.md
+++ b/windows/security/threat-protection/auditing/event-4697.md
@@ -114,11 +114,11 @@ This event generates when new service was installed in the system.
| 0x2 | File System Driver | A file system driver, which is also a Kernel device driver. |
| 0x8 | Recognizer Driver | A file system driver used during startup to determine the file systems present on the system. |
| 0x10 | Win32 Own Process | A Win32 program that can be started by the Service Controller and that obeys the service control protocol. This type of Win32 service runs in a process by itself (this is the most common). |
-| 0x20 | Win32 Share Process | A Win32 service that can share a process with other Win32 services.
(see: |
-| 0x110 | Interactive Own Process | A service that should be run as a standalone process and can communicate with the desktop.
(see: ) |
+| 0x20 | Win32 Share Process | A Win32 service that can share a process with other Win32 services.
(see: |
+| 0x110 | Interactive Own Process | A service that should be run as a standalone process and can communicate with the desktop.
(see: ) |
| 0x120 | Interactive Share Process | A service that can share address space with other services of the same type and can communicate with the desktop. |
-- **Service Start Type** \[Type = HexInt32\]: The service start type can have one of the following values (see: :
+- **Service Start Type** \[Type = HexInt32\]: The service start type can have one of the following values (see: :
| Value | Service Type | Description |
|-------|---------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------|
diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md
index 55bc44dda3..9722578bab 100644
--- a/windows/security/threat-protection/auditing/event-5065.md
+++ b/windows/security/threat-protection/auditing/event-5065.md
@@ -20,7 +20,7 @@ ms.author: dansimp
- Windows Server 2016
-This event generates in [BCryptConfigureContext](https://msdn.microsoft.com/es-es/vstudio/aa375379)() function. This is a Cryptographic Next Generation (CNG) function.
+This event generates in [BCryptConfigureContext](https://msdn.microsoft.com/vstudio/aa375379)() function. This is a Cryptographic Next Generation (CNG) function.
This event generates when configuration information was changed for existing CNG context.
diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
index 1ea71b62ad..910939ae7e 100644
--- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
+++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
@@ -161,7 +161,7 @@ For example, this custom profile allows installation and usage of USB devices wi
-Peripherals that are allowed to be installed can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks and allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
+Peripherals that are allowed to be installed can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks and allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
For a SyncML example that allows installation of specific device IDs, see [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdeviceids). To allow specific device classes, see [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdevicesetupclasses).
Allowing installation of specific devices requires also enabling [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings).
diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md
index 39593c240a..ac3e78109d 100644
--- a/windows/security/threat-protection/fips-140-validation.md
+++ b/windows/security/threat-protection/fips-140-validation.md
@@ -1,172 +1,172 @@
----
-title: FIPS 140 Validation
-description: This topic provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard FIPS 140.
-ms.prod: w10
-audience: ITPro
-author: dulcemontemayor
-ms.author: dolmont
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 04/03/2018
-ms.reviewer:
----
-
-
-# FIPS 140 Validation
-
-On this page
-
- - [Introduction](https://technet.microsoft.com/library/cc750357.aspx#id0eo)
- - [FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#id0ebd)
- - [Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#id0ezd)
- - [Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#id0eve)
- - [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#id0eibac)
- - [FIPS 140 FAQ](https://technet.microsoft.com/library/cc750357.aspx#id0eqcac)
- - [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#id0ewfac)
- - [Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#id0erobg)
-
-Updated: March 2018
-
-
-
-## Introduction
-
-This document provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard, *Federal Information Processing Standard (FIPS) 140 – Security Requirements for Cryptographic Modules* \[FIPS 140\].
-
-### Audience
-
-This document is primarily focused on providing information for three parties:
-
-[Procurement Officer](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_product_validation) – Responsible for verifying that Microsoft products (or even third-party applications) are either FIPS 140 validated or utilize a Microsoft FIPS 140 validated cryptographic module.
-
-[System Integrator](https://technet.microsoft.com/library/cc750357.aspx#_information_for_system) – Responsible for ensuring that Microsoft Products are configured properly to use only FIPS 140 validated cryptographic modules.
-
-[Software Developer](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) – Responsible for building software products that utilize Microsoft FIPS 140 validated cryptographic modules.
-
-### Document Map
-
-This document is broken into seven major sections:
-
-[FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#_fips_140_overview) – Provides an overview of the FIPS 140 standard as well as provides some historical information about the standard.
-
-[Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_product_validation) – Provides information on how Microsoft products are FIPS 140 validated.
-
-[Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#_information_for_system) – Describes how to configure and verify that Microsoft Products are being used in a manner consistent with the product’s FIPS 140 Security Policy.
-
-[Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) – Identifies how developers can leverage the Microsoft FIPS 140 validated cryptographic modules.
-
-[FAQ](https://technet.microsoft.com/library/cc750357.aspx#_fips_140_faq) – Frequently Asked Questions.
-
-[Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) – Explains Microsoft cryptographic architecture and identifies specific modules that are FIPS 140 validated.
-
-[Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#_cryptographic_algorithms) – Lists the cryptographic algorithm, modes, states, key sizes, Windows versions, and corresponding cryptographic algorithm validation certificates.
-
-## FIPS 140 Overview
-
-### FIPS 140 Standard
-
-FIPS 140 is a US government and Canadian government standard that defines a minimum set of the security requirements for products that implement cryptography. This standard is designed for cryptographic modules that are used to secure sensitive but unclassified information. Testing against the FIPS 140 standard is maintained by the Cryptographic Module Validation Program (CMVP), a joint effort between the US National Institute of Standards and Technology (NIST) and the Communications Security Establishment of Canada (CSEC).
-
-The current standard defines four-levels of increasing security, 1 through 4. Most software products (including all Microsoft products) are tested against the Level 1 security requirements.
-
-### Applicability of the FIPS standard
-
-Within the US Federal government, the FIPS 140 standard applies to any security system (whether hardware, firmware, software, or a combination thereof) to be used by agencies for protecting sensitive but unclassified information. Some agencies have expanded its use by requiring that the modules to be procured for secret systems also meet the FIPS 140 requirements.
-
-The FIPS 140 standard has also been used by different standards bodies, specification groups, nations, and private institutions as a requirement or guideline for those products (e.g. – Digital Cinema Systems Specification).
-
-### History of 140-1
-
-FIPS 140-1 is the original working version of the standard made official on January 11, 1994. The standard remained in effect until FIPS 140-2 became mandatory for new products on May 25, 2002.
-
-### FIPS 140-2
-
-FIPS 140-2 is currently the active version of the standard.
-
-### Microsoft FIPS Support Policy
-
-Microsoft actively maintains FIPS 140 validation for its cryptographic modules.
-
-### FIPS Mode of Operation
-
-The common term “FIPS mode” is used in this document and Security Policy documents. When a cryptographic module contains both FIPS-approved and non-FIPS approved security methods, it must have a "FIPS mode of operation" to ensure only FIPS-approved security methods may be used. When a module is in "FIPS mode", a non-FIPS approved method cannot be used instead of a FIPS-approved method.
-
-## Microsoft Product Validation (Information for Procurement Officers and Auditors)
-
-This section provides information for Procurement Officers and Auditors who are responsible for ensuring that Microsoft products with FIPS 140 validated cryptographic modules are used in their organization. The goal of this section is to provide an overview of the Microsoft developed products and modules and explain how the validated cryptographic modules are used.
-
-### Microsoft Product Relationship with CNG and CAPI libraries
-
-Rather than validate individual components and products, Microsoft chooses to validate only the underlying cryptographic modules. Subsequently, many Windows components and Microsoft products are built to rely on the Cryptographic API: Next Generation (CNG) and legacy Cryptographic API (CAPI) FIPS 140 validated cryptographic modules. Windows components and Microsoft products use the documented application programming interfaces (APIs) for each of the modules to access various cryptographic services.
-
-The following list contains some of the Windows components and Microsoft products that rely on FIPS 140 validated cryptographic modules:
-
- - Schannel Security Package
- - Remote Desktop Protocol (RDP) Client
- - Encrypting File System (EFS)
- - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.)
- - BitLocker® Drive Full-volume Encryption
- - IPsec Settings of Windows Firewall
-
-## Information for System Integrators
-
-This section provides information for System Integrators and Auditors who are responsible for deploying Microsoft products in a manner consistent with the product’s FIPS 140 Security Policy.
-
-There are two steps to ensure that Microsoft products operate in FIPS mode:
-
-1. Selecting/Installing FIPS 140 validated cryptographic modules
-2. Setting FIPS local/group security policy flag.
-
-### Step 1 – Selecting/Installing FIPS 140 Validated Cryptographic Modules
-
-Systems Integrators must ensure that all cryptographic modules installed are, in fact, FIPS 140 validated. This can be accomplished by cross-checking the version number of the installed module with the list of validated binaries. The list of validated CAPI binaries is identified in the [CAPI Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_capi_validated_cryptographic) section below and the list of validated CNG binaries is identified in the [CNG Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_cng_validated_cryptographic) section below. There are similar sections for all other validated cryptographic modules.
-
-The version number of the installed binary is found by right-clicking the module file and clicking on the Version or Details tab. Cryptographic modules are stored in the "windows\\system32" or "windows\\system32\\drivers" directory.
-
-### Step 2 – Setting FIPS Local/Group Security Policy Flag
-
-The Windows operating system provides a group (or local) security policy setting, “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”, which is used by many Microsoft products to determine whether to operate in a FIPS-approved mode. When this policy is set, the validated cryptographic modules in Windows will also operate in a FIPS-approved mode.
-
-**Note** – There is no enforcement of the FIPS policy by the operating system or the validated cryptographic modules. Instead, each individual application must check this flag and enforce the Security Policy of the validated cryptographic modules.
-
-#### Instructions on Setting the FIPS Local/Group Security Policy Flag
-
-While there are alternative methods for setting the FIPS local/group security policy flag, the following method is included as a guide to users with Administrative privileges. This description is for the Local Security Policy, but the Group Security Policy may be set in a similar manner.
-
-1. Open the 'Run' menu by pressing the combination 'Windows Key + R'.
-2. Type 'secpol.msc' and press 'Enter' or click the 'Ok' button.
-3. In the Local Security Policy management console window that opens, use the left tab to navigate to the Local Policies -\> Security Options.
-4. Scroll down the right pane and double-click 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'.
-5. In the properties window, select the 'Enabled' option and click the 'Apply' button.
-
-#### Microsoft Components and Products That Utilize FIPS Local/Group Security Policy
-
-The following list details some of the Microsoft components that use the cryptographic functionality implemented by either CNG or legacy CAPI. When the FIPS Local/Group Security Policy is set, the following components will enforce the validated module Security Policy.
-
- - Schannel Security Package
- - Remote Desktop Protocol (RDP) Client
- - Encrypting File System (EFS)
- - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.)
- - BitLocker® Drive Full-volume Encryption
- - IPsec Settings of Windows Firewall
-
-#### Effects of Setting FIPS Local/Group Security Policy Flag
-
-When setting the FIPS local/group security policy flag, the behavior of several Microsoft components and products are affected. The most noticeable difference will be that the components enforcing this setting will only use those algorithms approved or allowed in FIPS mode. The specific changes to the products listed above are:
-
+---
+title: FIPS 140 Validation
+description: This topic provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard FIPS 140.
+ms.prod: w10
+audience: ITPro
+author: dulcemontemayor
+ms.author: dolmont
+manager: dansimp
+ms.collection: M365-identity-device-management
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 04/03/2018
+ms.reviewer:
+---
+
+
+# FIPS 140 Validation
+
+On this page
+
+ - [Introduction](https://technet.microsoft.com/library/cc750357.aspx#id0eo)
+ - [FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#id0ebd)
+ - [Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#id0ezd)
+ - [Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#id0eve)
+ - [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#id0eibac)
+ - [FIPS 140 FAQ](https://technet.microsoft.com/library/cc750357.aspx#id0eqcac)
+ - [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#id0ewfac)
+ - [Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#id0erobg)
+
+Updated: March 2018
+
+
+
+## Introduction
+
+This document provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard, *Federal Information Processing Standard (FIPS) 140 – Security Requirements for Cryptographic Modules* \[FIPS 140\].
+
+### Audience
+
+This document is primarily focused on providing information for three parties:
+
+[Procurement Officer](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_product_validation) – Responsible for verifying that Microsoft products (or even third-party applications) are either FIPS 140 validated or utilize a Microsoft FIPS 140 validated cryptographic module.
+
+[System Integrator](https://technet.microsoft.com/library/cc750357.aspx#_information_for_system) – Responsible for ensuring that Microsoft Products are configured properly to use only FIPS 140 validated cryptographic modules.
+
+[Software Developer](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) – Responsible for building software products that utilize Microsoft FIPS 140 validated cryptographic modules.
+
+### Document Map
+
+This document is broken into seven major sections:
+
+[FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#_fips_140_overview) – Provides an overview of the FIPS 140 standard as well as provides some historical information about the standard.
+
+[Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_product_validation) – Provides information on how Microsoft products are FIPS 140 validated.
+
+[Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#_information_for_system) – Describes how to configure and verify that Microsoft Products are being used in a manner consistent with the product’s FIPS 140 Security Policy.
+
+[Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) – Identifies how developers can leverage the Microsoft FIPS 140 validated cryptographic modules.
+
+[FAQ](https://technet.microsoft.com/library/cc750357.aspx#_fips_140_faq) – Frequently Asked Questions.
+
+[Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) – Explains Microsoft cryptographic architecture and identifies specific modules that are FIPS 140 validated.
+
+[Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#_cryptographic_algorithms) – Lists the cryptographic algorithm, modes, states, key sizes, Windows versions, and corresponding cryptographic algorithm validation certificates.
+
+## FIPS 140 Overview
+
+### FIPS 140 Standard
+
+FIPS 140 is a US government and Canadian government standard that defines a minimum set of the security requirements for products that implement cryptography. This standard is designed for cryptographic modules that are used to secure sensitive but unclassified information. Testing against the FIPS 140 standard is maintained by the Cryptographic Module Validation Program (CMVP), a joint effort between the US National Institute of Standards and Technology (NIST) and the Communications Security Establishment of Canada (CSEC).
+
+The current standard defines four-levels of increasing security, 1 through 4. Most software products (including all Microsoft products) are tested against the Level 1 security requirements.
+
+### Applicability of the FIPS standard
+
+Within the US Federal government, the FIPS 140 standard applies to any security system (whether hardware, firmware, software, or a combination thereof) to be used by agencies for protecting sensitive but unclassified information. Some agencies have expanded its use by requiring that the modules to be procured for secret systems also meet the FIPS 140 requirements.
+
+The FIPS 140 standard has also been used by different standards bodies, specification groups, nations, and private institutions as a requirement or guideline for those products (e.g. – Digital Cinema Systems Specification).
+
+### History of 140-1
+
+FIPS 140-1 is the original working version of the standard made official on January 11, 1994. The standard remained in effect until FIPS 140-2 became mandatory for new products on May 25, 2002.
+
+### FIPS 140-2
+
+FIPS 140-2 is currently the active version of the standard.
+
+### Microsoft FIPS Support Policy
+
+Microsoft actively maintains FIPS 140 validation for its cryptographic modules.
+
+### FIPS Mode of Operation
+
+The common term “FIPS mode” is used in this document and Security Policy documents. When a cryptographic module contains both FIPS-approved and non-FIPS approved security methods, it must have a "FIPS mode of operation" to ensure only FIPS-approved security methods may be used. When a module is in "FIPS mode", a non-FIPS approved method cannot be used instead of a FIPS-approved method.
+
+## Microsoft Product Validation (Information for Procurement Officers and Auditors)
+
+This section provides information for Procurement Officers and Auditors who are responsible for ensuring that Microsoft products with FIPS 140 validated cryptographic modules are used in their organization. The goal of this section is to provide an overview of the Microsoft developed products and modules and explain how the validated cryptographic modules are used.
+
+### Microsoft Product Relationship with CNG and CAPI libraries
+
+Rather than validate individual components and products, Microsoft chooses to validate only the underlying cryptographic modules. Subsequently, many Windows components and Microsoft products are built to rely on the Cryptographic API: Next Generation (CNG) and legacy Cryptographic API (CAPI) FIPS 140 validated cryptographic modules. Windows components and Microsoft products use the documented application programming interfaces (APIs) for each of the modules to access various cryptographic services.
+
+The following list contains some of the Windows components and Microsoft products that rely on FIPS 140 validated cryptographic modules:
+
+ - Schannel Security Package
+ - Remote Desktop Protocol (RDP) Client
+ - Encrypting File System (EFS)
+ - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.)
+ - BitLocker® Drive Full-volume Encryption
+ - IPsec Settings of Windows Firewall
+
+## Information for System Integrators
+
+This section provides information for System Integrators and Auditors who are responsible for deploying Microsoft products in a manner consistent with the product’s FIPS 140 Security Policy.
+
+There are two steps to ensure that Microsoft products operate in FIPS mode:
+
+1. Selecting/Installing FIPS 140 validated cryptographic modules
+2. Setting FIPS local/group security policy flag.
+
+### Step 1 – Selecting/Installing FIPS 140 Validated Cryptographic Modules
+
+Systems Integrators must ensure that all cryptographic modules installed are, in fact, FIPS 140 validated. This can be accomplished by cross-checking the version number of the installed module with the list of validated binaries. The list of validated CAPI binaries is identified in the [CAPI Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_capi_validated_cryptographic) section below and the list of validated CNG binaries is identified in the [CNG Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_cng_validated_cryptographic) section below. There are similar sections for all other validated cryptographic modules.
+
+The version number of the installed binary is found by right-clicking the module file and clicking on the Version or Details tab. Cryptographic modules are stored in the "windows\\system32" or "windows\\system32\\drivers" directory.
+
+### Step 2 – Setting FIPS Local/Group Security Policy Flag
+
+The Windows operating system provides a group (or local) security policy setting, “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”, which is used by many Microsoft products to determine whether to operate in a FIPS-approved mode. When this policy is set, the validated cryptographic modules in Windows will also operate in a FIPS-approved mode.
+
+**Note** – There is no enforcement of the FIPS policy by the operating system or the validated cryptographic modules. Instead, each individual application must check this flag and enforce the Security Policy of the validated cryptographic modules.
+
+#### Instructions on Setting the FIPS Local/Group Security Policy Flag
+
+While there are alternative methods for setting the FIPS local/group security policy flag, the following method is included as a guide to users with Administrative privileges. This description is for the Local Security Policy, but the Group Security Policy may be set in a similar manner.
+
+1. Open the 'Run' menu by pressing the combination 'Windows Key + R'.
+2. Type 'secpol.msc' and press 'Enter' or click the 'Ok' button.
+3. In the Local Security Policy management console window that opens, use the left tab to navigate to the Local Policies -\> Security Options.
+4. Scroll down the right pane and double-click 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'.
+5. In the properties window, select the 'Enabled' option and click the 'Apply' button.
+
+#### Microsoft Components and Products That Utilize FIPS Local/Group Security Policy
+
+The following list details some of the Microsoft components that use the cryptographic functionality implemented by either CNG or legacy CAPI. When the FIPS Local/Group Security Policy is set, the following components will enforce the validated module Security Policy.
+
+ - Schannel Security Package
+ - Remote Desktop Protocol (RDP) Client
+ - Encrypting File System (EFS)
+ - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.)
+ - BitLocker® Drive Full-volume Encryption
+ - IPsec Settings of Windows Firewall
+
+#### Effects of Setting FIPS Local/Group Security Policy Flag
+
+When setting the FIPS local/group security policy flag, the behavior of several Microsoft components and products are affected. The most noticeable difference will be that the components enforcing this setting will only use those algorithms approved or allowed in FIPS mode. The specific changes to the products listed above are:
+
- Schannel Security Package forced to negotiate sessions using TLS. The following supported Cipher Suites are disabled:
-
+
- - TLS\_RSA\_WITH\_RC4\_128\_SHA
- TLS\_RSA\_WITH\_RC4\_128\_MD5
- SSL\_CK\_RC4\_128\_WITH\_MD5
- SSL\_CK\_DES\_192\_EDE3\_CBC\_WITH\_MD5
- TLS\_RSA\_WITH\_NULL\_MD5
- TLS\_RSA\_WITH\_NULL\_SHA
-
+
- The set of cryptographic algorithms that a Remote Desktop Protocol (RDP) server will use is scoped to:
-
+
- - CALG\_RSA\_KEYX - RSA public key exchange algorithm
- CALG\_3DES - Triple DES encryption algorithm
- CALG\_AES\_128 - 128 bit AES
@@ -175,6916 +175,6916 @@ When setting the FIPS local/group security policy flag, the behavior of several
- CALG\_SHA\_256 - 256 bit SHA hashing algorithm
- CALG\_SHA\_384 - 384 bit SHA hashing algorithm
- CALG\_SHA\_512 - 512 bit SHA hashing algorithm
-
+
- Any Microsoft .NET Framework applications, such as Microsoft ASP.NET or Windows Communication Foundation (WCF), only allow algorithm implementations that are validated to FIPS 140, meaning only classes that end in "CryptoServiceProvider" or "Cng" can be used. Any attempt to create an instance of other cryptographic algorithm classes or create instances that use non-allowed algorithms will cause an InvalidOperationException exception.
-
+
- Verification of ClickOnce applications fails unless the client computer has .NET Framework 2.0 SP1 or later service pack installed or .NET Framework 3.5 or later installed.
-
+
- On Windows Vista and Windows Server 2008 and later, BitLocker Drive Encryption switches from AES-128 using the elephant diffuser to using the approved AES-256 encryption. Recovery passwords are not created or backed up. Instead, backup a recovery key on a local drive or on a network share. To use the recovery key, put the key on a USB device and plug the device into the computer.
-
-Please be aware that selection of FIPS mode can limit product functionality (See ).
-
-## Information for Software Developers
-
-This section is targeted at developers who wish to build their own applications using the FIPS 140 validated cryptographic modules.
-
-Each of the validated cryptographic modules defines a series of rules that must be followed. The security rules for each validated cryptographic module are specified in the Security Policy document. Links to each of the Security Policy documents is provided in the [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) section below. Generally, the restriction in Microsoft validated cryptographic modules is limiting the use of cryptography to only FIPS Approved cryptographic algorithms, modes, and key sizes.
-
-### Using Microsoft Cryptographic Modules in a FIPS mode of operation
-
-No matter whether developing with native languages or using .NET, it is important to first check whether the CNG modules for the target system are FIPS validated. The list of validated CNG binaries is identified in the [CNG Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_cng_validated_cryptographic) section.
-
-When developing using CNG directly, it is the responsibility of the developer to follow the security rules outlined in the FIPS 140 Security Policy for each module. The security policy for each module is provided on the CMVP website. Links to each of the Security Policy documents is provided in the tables below. It is important to remember that setting the FIPS local/group security policy Flag (discussed above) does not affect the behavior of the modules when used for developing custom applications.
-
-If you are developing your application using .NET instead of using the native libraries, then setting the FIPS local policy flag will generate an exception when an improper .NET class is used for cryptography (i.e. the cryptographic classes whose names end in "Managed"). The names of these allowed classes end with "Cng", which use the CNG binaries or "CryptoServiceProvider", which use the legacy CAPI binaries.
-
-### Key Strengths and Validity Periods
-
-NIST Special Publication 800-131A Revision 1, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, dated November 2015, \[[SP 800-131A](http://dx.doi.org/10.6028/nist.sp.800-131ar1)\], offers guidance for moving to stronger cryptographic keys and algorithms. This does not replace NIST SP 800-57, Recommendation for Key Management Part 1: General, \[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\], but gives more specific guidance. One of the most important topics discussed in these publications deals with the key strengths of FIPS Approved algorithms and their validity periods. When developing applications that use FIPS Approved algorithms, it is also extremely important to select appropriate key sizes based on the security lifetimes recommended by NIST.
-
-## FIPS 140 FAQ
-
-The following are answers to commonly asked questions for the FIPS 140-2 validation of Microsoft products.
-
-1. How does FIPS 140 relate to the Common Criteria?
- **Answer:** These are two separate security standards with different, but complementary, purposes. FIPS 140 is a standard designed specifically for validating product modules that implement cryptography. On the other hand, Common Criteria is designed to help evaluate security functions in IT products.
- In many cases, Common Criteria evaluations will rely on FIPS 140 validations to provide assurance that cryptographic functionality is implemented properly.
-2. How does FIPS 140 relate to Suite B?
- **Answer:** Suite B is simply a set of cryptographic algorithms defined by the U.S. National Security Agency (NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to be used for both unclassified information and most classified information.
- The Suite B cryptographic algorithms are a subset of the FIPS Approved cryptographic algorithms as allowed by the FIPS 140 standard.
-3. There are so many modules listed on the NIST website for each release, how are they related and how do I tell which one applies to me?
- **Answer:** Microsoft strives to validate all releases of its cryptographic modules. Each module provides a different set of cryptographic algorithms. If you are required to use only FIPS validated cryptographic modules, you simply need to verify that the version being used appears on the validation list.
- Please see the [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140)section for a complete list of Microsoft validated modules.
-4. My application links against crypt32.dll, cryptsp.dll, advapi32.dll, bcrypt.dll, bcryptprimitives.dll, or ncrypt.dll. What do I need to do to assure I’m using FIPS 140 validated cryptographic modules?
- **Answer:** crypt32.dll, cryptsp.dll, advapi32.dll, and ncrypt.dll are intermediary libraries that will offload all cryptographic operations to the FIPS validated cryptographic modules. Bcrypt.dll itself is a validated cryptographic module for Windows Vista and Windows Server 2008. For Windows 7 and Windows Server 2008 R2 and later, bcryptprimitives.dll is the validated module, but bcrypt.dll remains as one of the libraries to link against.
- You must first verify that the underlying CNG cryptographic module is validated. Once verified, you'll need to confirm that you're using the module correctly in FIPS mode (See [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) section for details).
-5. What does "When operated in FIPS mode" mean on certificates?
- **Answer:** This caveat identifies that a required configuration and security rules must be followed in order to use the cryptographic module in a manner consistent with its FIPS 140 Security Policy. The security rules are defined in the Security Policy for the module and usually revolve around using only FIPS Approved cryptographic algorithms and key sizes. Please see the Security Policy for the specific security rules for each cryptographic module (See [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) section for links to each policy).
-6. Which FIPS validated module is called when Windows 7 or Windows 8 is configured to use the FIPS setting in the wireless configuration?
- **Answer:** CNG is used. This setting tells the wireless driver to call FIPS 140-2 validated cryptographic modules instead of using the driver’s own cryptography, if any.
-7. Is BitLocker to Go FIPS 140-2 validated?
- **Answer:** There are two separate parts for BitLocker to Go. One part is simply a native feature of BitLocker and as such, it uses FIPS 140-2 validated cryptographic modules. The other part is the BitLocker to Go Reader application for down-level support of older operating systems such as Windows XP and Windows Vista. The Reader application does not use FIPS 140-2 validated cryptographic modules.
-8. Are applications FIPS 140-2 validated?
- **Answer:** Microsoft only has low-level cryptographic modules in Windows FIPS 140-2 validated, not high-level applications. A better question is whether a certain application calls a FIPS 140-2 validated cryptographic module in the underlying Windows OS. That question needs to be directed to the company/product group that created the application of interest.
-9. How can Systems Center Operations Manager 2012 be configured to use FIPS 140-2 validated cryptographic modules?
- **Answer:** See [http://technet.microsoft.com/library/hh914094.aspx](https://technet.microsoft.com/library/hh914094.aspx)
-
-## Microsoft FIPS 140 Validated Cryptographic Modules
-
-### Modules By Operating System
-
-The following tables identify the Cryptographic Modules for an operating system.
-
-#### Windows
-
-##### Windows 10 Creators Update (Version 1703)
-
-Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
-
-
-
-
-\[1\] Applies only to Home, Pro, Enterprise, Education and S
-
-\[2\] Applies only to Pro, Enterprise, Education, S, Mobile and Surface Hub
-
-\[3\] Applies only to Pro, Enterprise Education and S
-
-##### Windows 10 Anniversary Update (Version 1607)
-
-Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
-10.0.14393 |
-#2937 |
-FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
-
-Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
-Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886) |
-
-
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
-10.0.14393 |
-#2936 |
-FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
-
-Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
-Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887) |
-
-
-| Boot Manager |
-10.0.14393 |
-#2931 |
-FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)
-Other algorithms: MD5; PBKDF (non-compliant); VMK KDF |
-
-
-| BitLocker® Windows OS Loader (winload) |
-10.0.14393 |
-#2932 |
-FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: NDRNG; MD5 |
-
-
-| BitLocker® Windows Resume (winresume)[1] |
-10.0.14393 |
-#2933 |
-FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: MD5 |
-
-
-| BitLocker® Dump Filter (dumpfve.sys)[2] |
-10.0.14393 |
-#2934 |
-FIPS Approved algorithms: AES (Certs. #4061 and #4064) |
-
-
-| Code Integrity (ci.dll) |
-10.0.14393 |
-#2935 |
-FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: AES (non-compliant); MD5
-Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888) |
-
-
-| Secure Kernel Code Integrity (skci.dll)[3] |
-10.0.14393 |
-#2938 |
-FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
-
-Other algorithms: MD5
-Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888) |
-
-
-
-
-
-\[1\] Applies only to Home, Pro, Enterprise and Enterprise LTSB
-
-\[2\] Applies only to Pro, Enterprise, Enterprise LTSB and Mobile
-
-\[3\] Applies only to Pro, Enterprise and Enterprise LTSB
-
-##### Windows 10 November 2015 Update (Version 1511)
-
-Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
-10.0.10586 |
-#2606 |
-FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
-
-Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
-Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664) |
-
-
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
-10.0.10586 |
-#2605 |
-FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
-
-Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
-Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663) |
-
-
-| Boot Manager[4] |
-10.0.10586 |
-#2700 |
-FIPS Approved algorithms: AES (Certs. #3653); HMAC (Cert. #2381); PBKDF (vendor affirmed); RSA (Cert. #1871); SHS (Certs. #3047 and #3048)
-
-Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) |
-
-
-| BitLocker® Windows OS Loader (winload)[5] |
-10.0.10586 |
-#2701 |
-FIPS Approved algorithms: AES (Certs. #3629 and #3653); RSA (Cert. #1871); SHS (Cert. #3048)
-
-Other algorithms: MD5; NDRNG |
-
-
-| BitLocker® Windows Resume (winresume)[6] |
-10.0.10586 |
-#2702 |
-FIPS Approved algorithms: AES (Certs. #3653); RSA (Cert. #1871); SHS (Cert. #3048)
-
-Other algorithms: MD5 |
-
-
-| BitLocker® Dump Filter (dumpfve.sys)[7] |
-10.0.10586 |
-#2703 |
-FIPS Approved algorithms: AES (Certs. #3653) |
-
-
-| Code Integrity (ci.dll) |
-10.0.10586 |
-#2604 |
-FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
-
-Other algorithms: AES (non-compliant); MD5
-Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665) |
-
-
-| Secure Kernel Code Integrity (skci.dll)[8] |
-10.0.10586 |
-#2607 |
-FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
-
-Other algorithms: MD5
-Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665) |
-
-
-
-
-
-\[4\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub
-
-\[5\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub
-
-\[6\] Applies only to Home, Pro and Enterprise
-
-\[7\] Applies only to Pro, Enterprise, Mobile and Surface Hub
-
-\[8\] Applies only to Enterprise and Enterprise LTSB
-
-##### Windows 10 (Version 1507)
-
-Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Hub
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
-10.0.10240 |
-#2606 |
-FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
-
-Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
-Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575) |
-
-
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
-10.0.10240 |
-#2605 |
-FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
-
-Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
-Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576) |
-
-
-| Boot Manager[9] |
-10.0.10240 |
-#2600 |
-FIPS Approved algorithms: AES (Cert. #3497); HMAC (Cert. #2233); KTS (AES Cert. #3498); PBKDF (vendor affirmed); RSA (Cert. #1784); SHS (Certs. #2871 and #2886)
-
-Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) |
-
-
-| BitLocker® Windows OS Loader (winload)[10] |
-10.0.10240 |
-#2601 |
-FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
-
-Other algorithms: MD5; NDRNG |
-
-
-| BitLocker® Windows Resume (winresume)[11] |
-10.0.10240 |
-#2602 |
-FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
-
-Other algorithms: MD5 |
-
-
-| BitLocker® Dump Filter (dumpfve.sys)[12] |
-10.0.10240 |
-#2603 |
-FIPS Approved algorithms: AES (Certs. #3497 and #3498) |
-
-
-| Code Integrity (ci.dll) |
-10.0.10240 |
-#2604 |
-FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
-
-Other algorithms: AES (non-compliant); MD5
-Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572) |
-
-
-| Secure Kernel Code Integrity (skci.dll)[13] |
-10.0.10240 |
-#2607 |
-FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
-
-Other algorithms: MD5
-Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572) |
-
-
-
-
-
-\[9\] Applies only to Home, Pro, Enterprise and Enterprise LTSB
-
-\[10\] Applies only to Home, Pro, Enterprise and Enterprise LTSB
-
-\[11\] Applies only to Home, Pro, Enterprise and Enterprise LTSB
-
-\[12\] Applies only to Pro, Enterprise and Enterprise LTSB
-
-\[13\] Applies only to Enterprise and Enterprise LTSB
-
-##### Windows 8.1
-
-Validated Editions: RT, Pro, Enterprise, Phone, Embedded
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
-6.3.9600 6.3.9600.17031 |
-#2357 |
-FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
-
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
-Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323) |
-
-
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
-6.3.9600 6.3.9600.17042 |
-#2356 |
-FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
-
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
-Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289) |
-
-
-| Boot Manager |
-6.3.9600 6.3.9600.17031 |
-#2351 |
-FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
-
-Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) |
-
-
-| BitLocker® Windows OS Loader (winload) |
-6.3.9600 6.3.9600.17031 |
-#2352 |
-FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
-
-Other algorithms: MD5; NDRNG |
-
-
-| BitLocker® Windows Resume (winresume)[14] |
-6.3.9600 6.3.9600.17031 |
-#2353 |
-FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
-
-Other algorithms: MD5 |
-
-
-| BitLocker® Dump Filter (dumpfve.sys) |
-6.3.9600 6.3.9600.17031 |
-#2354 |
-FIPS Approved algorithms: AES (Cert. #2832)
-
-Other algorithms: N/A |
-
-
-| Code Integrity (ci.dll) |
-6.3.9600 6.3.9600.17031 |
-#2355#2355 |
-FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
-
-Other algorithms: MD5
-Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289) |
-
-
-
-
-
-\[14\] Applies only to Pro, Enterprise, and Embedded 8.
-
-##### Windows 8
-
-Validated Editions: RT, Home, Pro, Enterprise, Phone
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL) |
-6.2.9200 |
-#1892 |
-FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
-
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert. ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
-
- |
-
-
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
-6.2.9200 |
-#1891 |
-FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
-
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RNG (Cert. ); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
-
-Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) |
-
-
-| Boot Manager |
-6.2.9200 |
-#1895 |
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5 |
-
-
-| BitLocker® Windows OS Loader (WINLOAD) |
-6.2.9200 |
-#1896 |
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG |
-
-
-| BitLocker® Windows Resume (WINRESUME)[15] |
-6.2.9200 |
-#1898 |
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5 |
-
-
-| BitLocker® Dump Filter (DUMPFVE.SYS) |
-6.2.9200 |
-#1899 |
-FIPS Approved algorithms: AES (Certs. #2196 and #2198)
-
-Other algorithms: N/A |
-
-
-| Code Integrity (CI.DLL) |
-6.2.9200 |
-#1897 |
-FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5 |
-
-
-| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL) |
-6.2.9200 |
-#1893 |
-FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert. ); Triple-DES MAC (Triple-DES Cert. , vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. , key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-| Enhanced Cryptographic Provider (RSAENH.DLL) |
-6.2.9200 |
-#1894 |
-FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
-
-Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-
-
-
-\[15\] Applies only to Home and Pro
-
-**Windows 7**
-
-Validated Editions: Windows 7, Windows 7 SP1
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL) |
-6.1.7600.16385
-6.1.7601.17514 |
-1329 |
-FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); DSA (Cert. #386); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
-
-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and ); SHS (Cert. ); Triple-DES (Cert. )
-
-Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 |
-
-
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
-6.1.7600.16385
-6.1.7600.16915
-6.1.7600.21092
-6.1.7601.17514
-6.1.7601.17725
-6.1.7601.17919
-6.1.7601.21861
-6.1.7601.22076 |
-1328 |
-FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
-
-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 |
-
-
-| Boot Manager |
-6.1.7600.16385
-6.1.7601.17514 |
-1319 |
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #557); SHS (Cert. #1081)
-
-Other algorithms: MD5#1168 and ); HMAC (Cert. ); RSA (Cert. ); SHS (Cert. )
-
-Other algorithms: MD5 |
-
-
-| Winload OS Loader (winload.exe) |
-6.1.7600.16385
-6.1.7600.16757
-6.1.7600.20897
-6.1.7600.20916
-6.1.7601.17514
-6.1.7601.17556
-6.1.7601.21655
-6.1.7601.21675 |
-1326 |
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #557); SHS (Cert. #1081)
-
-Other algorithms: MD5 |
-
-
-| BitLocker™ Drive Encryption |
-6.1.7600.16385
-6.1.7600.16429
-6.1.7600.16757
-6.1.7600.20536
-6.1.7600.20873
-6.1.7600.20897
-6.1.7600.20916
-6.1.7601.17514
-6.1.7601.17556
-6.1.7601.21634
-6.1.7601.21655
-6.1.7601.21675 |
-1332 |
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
-
-Other algorithms: Elephant Diffuser |
-
-
-| Code Integrity (CI.DLL) |
-6.1.7600.16385
-6.1.7600.17122
-6.1.7600.21320
-6.1.7601.17514
-6.1.7601.17950
-6.1.7601.22108 |
-1327 |
-FIPS Approved algorithms: RSA (Cert. #557); SHS (Cert. #1081)
-
-Other algorithms: MD5 |
-
-
-| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL) |
-6.1.7600.16385
-(no change in SP1) |
-1331 |
-FIPS Approved algorithms: DSA (Cert. #385); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4 |
-
-
-| Enhanced Cryptographic Provider (RSAENH.DLL) |
-6.1.7600.16385
-(no change in SP1) |
-1330 |
-FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #673); SHS (Cert. #1081); RSA (Certs. #557 and #559); Triple-DES (Cert. #846)
-
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256-bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-
-
-
-##### Windows Vista SP1
-
-Validated Editions: Ultimate Edition
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Boot Manager (bootmgr) |
-6.0.6001.18000 and 6.0.6002.18005 |
-978 |
-FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #354); SHS (Cert. #753) |
-
-
-| Winload OS Loader (winload.exe) |
-6.0.6001.18000, 6.0.6001.18027, 6.0.6001.18606, 6.0.6001.22125, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411 and 6.0.6002.22596 |
-979 |
-FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #354); SHS (Cert. #753)
-
-Other algorithms: MD5 |
-
-
-| Code Integrity (ci.dll) |
-6.0.6001.18000, 6.0.6001.18023, 6.0.6001.22120, and 6.0.6002.18005 |
-980 |
-FIPS Approved algorithms: RSA (Cert. #354); SHS (Cert. #753)
-
-Other algorithms: MD5 |
-
-
-| Kernel Mode Security Support Provider Interface (ksecdd.sys) |
-6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.22869 |
-1000 |
-FIPS Approved algorithms: AES (Certs. #739 and #756); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)#739 and ); ECDSA (Cert. ); HMAC (Cert. ); RNG (Cert. and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-| Cryptographic Primitives Library (bcrypt.dll) |
-6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005, and 6.0.6002.22872 |
-1001 |
-FIPS Approved algorithms: AES (Certs. #739 and #756); DSA (Cert. #283); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90, vendor affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)
-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength) |
-
-
-| Enhanced Cryptographic Provider (RSAENH) |
-6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.18005 |
-1002 |
-FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #407); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #354); SHS (Cert. #753); Triple-DES (Cert. #656)
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
-6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005 |
-1003 |
-FIPS Approved algorithms: DSA (Cert. #281); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4 |
-
-
-
-
-
-##### Windows Vista
-
-Validated Editions: Ultimate Edition
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Enhanced Cryptographic Provider (RSAENH) |
-6.0.6000.16386 |
-893 |
-FIPS Approved algorithms: AES (Cert. #553); HMAC (Cert. #297); RNG (Cert. #321); RSA (Certs. #255 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
-
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
-6.0.6000.16386 |
-894 |
-FIPS Approved algorithms: DSA (Cert. #226); RNG (Cert. #321); SHS (Cert. #618); Triple-DES (Cert. #549); Triple-DES MAC (Triple-DES Cert. #549, vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4 |
-
-
-| BitLocker™ Drive Encryption |
-6.0.6000.16386 |
-947 |
-FIPS Approved algorithms: AES (Cert. #715); HMAC (Cert. #386); SHS (Cert. #737)
-
-Other algorithms: Elephant Diffuser |
-
-
-| Kernel Mode Security Support Provider Interface (ksecdd.sys) |
-6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067 |
-891 |
-FIPS Approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
-
-Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5 |
-
-
-
-
-
-##### Windows XP SP3
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Kernel Mode Cryptographic Module (FIPS.SYS) |
-5.1.2600.5512 |
-997 |
-FIPS Approved algorithms: HMAC (Cert. #429); RNG (Cert. #449); SHS (Cert. #785); Triple-DES (Cert. #677); Triple-DES MAC (Triple-DES Cert. #677, vendor affirmed)
-Other algorithms: DES; MD5; HMAC MD5 |
-
-
-| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
-5.1.2600.5507 |
-990 |
-FIPS Approved algorithms: DSA (Cert. #292); RNG (Cert. #448); SHS (Cert. #784); Triple-DES (Cert. #676); Triple-DES MAC (Triple-DES Cert. #676, vendor affirmed)
-Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4 |
-
-
-| Enhanced Cryptographic Provider (RSAENH) |
-5.1.2600.5507 |
-989 |
-FIPS Approved algorithms: AES (Cert. #781); HMAC (Cert. #428); RNG (Cert. #447); RSA (Cert. #371); SHS (Cert. #783); Triple-DES (Cert. #675); Triple-DES MAC (Triple-DES Cert. #675, vendor affirmed)
-Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits) |
-
-
-
-
-
-##### Windows XP SP2
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| DSS/Diffie-Hellman Enhanced Cryptographic Provider |
-5.1.2600.2133 |
-240 |
-FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #29)
-Other algorithms: DES (Cert. #66); RC2; RC4; MD5; DES40; Diffie-Hellman (key agreement) |
-
-
-| Microsoft Enhanced Cryptographic Provider |
-5.1.2600.2161 |
-238 |
-FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)
-Other algorithms: DES (Cert. #156); RC2; RC4; MD5 |
-
-
-
-
-
-##### Windows XP SP1
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Microsoft Enhanced Cryptographic Provider |
-5.1.2600.1029 |
-238 |
-FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)
-Other algorithms: DES (Cert. #156); RC2; RC4; MD5 |
-
-
-
-
-
-##### Windows XP
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Kernel Mode Cryptographic Module |
-5.1.2600.0 |
-241 |
-FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #35); HMAC-SHA-1 (Cert. #35, vendor affirmed)
-Other algorithms: DES (Cert. #89) |
-
-
-
-
-
-##### Windows 2000 SP3
-
-
-
-
-##### Windows 2000 SP2
-
-
-
-
-##### Windows 2000 SP1
-
-
-
-
-##### Windows 2000
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enchanced Cryptographic Provider, and Enhanced Cryptographic Provider |
-5.0.2150.1 |
-76 |
-FIPS Approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. #28 and 29); RSA (vendor affirmed)
-Other algorithms: DES (Certs. #65, 66, 67 and 68); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement) |
-
-
-
-
-
-##### Windows 95 and Windows 98
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enchanced Cryptographic Provider, and Enhanced Cryptographic Provider |
-5.0.1877.6 and 5.0.1877.7 |
-75 |
-FIPS Approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor- affirmed)
-Other algorithms: DES (Certs. #61, 62, 63 and 64); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement) |
-
-
-
-
-
-##### Windows NT 4.0
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Base Cryptographic Provider |
-5.0.1877.6 and 5.0.1877.7 |
-68 |
-FIPS Approved algorithms: SHA-1 (Certs. #20 and 21); DSA/SHA- 1 (Certs. #25 and 26); RSA (vendor affirmed)
-
-Other algorithms: DES (Certs. #61, 62, 63 and 64); Triple-DES (allowed for US and Canadian Government use); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement) |
-
-
-
-
-
-#### Windows Server
-
-##### Windows Server 2016
-
-Validated Editions: Standard, Datacenter, Storage Server
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
-10.0.14393 |
-2937 |
-FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
-
-Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt) |
-
-
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
-10.0.14393 |
-2936 |
-FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
-
-Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt) |
-
-
-| Boot Manager |
-10.0.14393 |
-2931 |
-FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)
-Other algorithms: MD5; PBKDF (non-compliant); VMK KDF |
-
-
-| BitLocker® Windows OS Loader (winload) |
-10.0.14393 |
-2932 |
-FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: NDRNG; MD5 |
-
-
-| BitLocker® Windows Resume (winresume) |
-10.0.14393 |
-2933 |
-FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: MD5 |
-
-
-| BitLocker® Dump Filter (dumpfve.sys) |
-10.0.14393 |
-2934 |
-FIPS Approved algorithms: AES (Certs. #4061 and #4064) |
-
-
-| Code Integrity (ci.dll) |
-10.0.14393 |
-2935 |
-FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: AES (non-compliant); MD5 |
-
-
-| Secure Kernel Code Integrity (skci.dll) |
-10.0.14393 |
-2938 |
-FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
-
-Other algorithms: MD5 |
-
-
-
-
-
-##### Windows Server 2012 R2
-
-Validated Editions: Server, Storage Server,
-
-**StorSimple 8000 Series, Azure StorSimple Virtual Array Windows Server 2012 R2**
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
-6.3.9600 6.3.9600.17031 |
-2357 |
-FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
-
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt) |
-
-
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
-6.3.9600 6.3.9600.17042 |
-2356 |
-FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
-
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt) |
-
-
-| Boot Manager |
-6.3.9600 6.3.9600.17031 |
-2351 |
-FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
-
-Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) |
-
-
-| BitLocker® Windows OS Loader (winload) |
-6.3.9600 6.3.9600.17031 |
-2352 |
-FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
-
-Other algorithms: MD5; NDRNG |
-
-
-| BitLocker® Windows Resume (winresume)[16] |
-6.3.9600 6.3.9600.17031 |
-2353 |
-FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
-
-Other algorithms: MD5 |
-
-
-| BitLocker® Dump Filter (dumpfve.sys)[17] |
-6.3.9600 6.3.9600.17031 |
-2354 |
-FIPS Approved algorithms: AES (Cert. #2832)
-
-Other algorithms: N/A |
-
-
-| Code Integrity (ci.dll) |
-6.3.9600 6.3.9600.17031 |
-2355 |
-FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
-
-Other algorithms: MD5 |
-
-
-
-
-
-\[16\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2**
-
-\[17\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2**
-
-**Windows Server 2012**
-
-Validated Editions: Server, Storage Server
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL) |
-6.2.9200 |
-1892 |
-FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
-
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert. ); HMAC (Cert. #); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
-
-Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) |
-
-
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
-6.2.9200 |
-1891 |
-FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
-
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
-
-Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) |
-
-
-| Boot Manager |
-6.2.9200 |
-1895 |
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5 |
-
-
-| BitLocker® Windows OS Loader (WINLOAD) |
-6.2.9200 |
-1896 |
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG |
-
-
-| BitLocker® Windows Resume (WINRESUME) |
-6.2.9200 |
-1898 |
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5 |
-
-
-| BitLocker® Dump Filter (DUMPFVE.SYS) |
-6.2.9200 |
-1899 |
-FIPS Approved algorithms: AES (Certs. #2196 and #2198)
-
-Other algorithms: N/A |
-
-
-| Code Integrity (CI.DLL) |
-6.2.9200 |
-1897 |
-FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5 |
-
-
-| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL) |
-6.2.9200 |
-1893 |
-FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-| Enhanced Cryptographic Provider (RSAENH.DLL) |
-6.2.9200 |
-1894 |
-FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
-
-Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-
-
-
-##### Windows Server 2008 R2
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Boot Manager (bootmgr) |
-6.1.7600.16385 or 6.1.7601.175146.1.7600.16385 or 6.1.7601.17514 |
-1321 |
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #568); SHS (Cert. #1081)
-
-Other algorithms: MD5 |
-
-
-| Winload OS Loader (winload.exe) |
-6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216756.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.21675 |
-1333 |
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
-
-Other algorithms: MD5 |
-
-
-| Code Integrity (ci.dll) |
-6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221086.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.22108 |
-1334 |
-FIPS Approved algorithms: RSA (Cert. #568); SHS (Cert. #1081)
-
-Other algorithms: MD5 |
-
-
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
-6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220766.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.22076 |
-1335 |
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
-
--Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 |
-
-
-| Cryptographic Primitives Library (bcryptprimitives.dll) |
-66.1.7600.16385 or 6.1.7601.1751466.1.7600.16385 or 6.1.7601.17514 |
-1336 |
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); DSA (Cert. #391); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
-
-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4 |
-
-
-| Enhanced Cryptographic Provider (RSAENH) |
-6.1.7600.16385 |
-1337 |
-FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #687); SHS (Cert. #1081); RSA (Certs. #559 and #568); Triple-DES (Cert. #846)
-
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
-6.1.7600.16385 |
-1338 |
-FIPS Approved algorithms: DSA (Cert. #390); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4 |
-
-
-| BitLocker™ Drive Encryption |
-6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216756.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675 |
-1339 |
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
-
-Other algorithms: Elephant Diffuser |
-
-
-
-
-
-##### Windows Server 2008
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Boot Manager (bootmgr) |
-6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224976.0.6001.18000, 6.0.6002.18005 and 6.0.6002.22497 |
-1004 |
-FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #355); SHS (Cert. #753)
-
-Other algorithms: N/A |
-
-
-| Winload OS Loader (winload.exe) |
-6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225966.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.22596 |
-1005 |
-FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
-
-Other algorithms: MD5 |
-
-
-| Code Integrity (ci.dll) |
-6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005 |
-1006 |
-FIPS Approved algorithms: RSA (Cert. #355); SHS (Cert. #753)
-
-Other algorithms: MD5 |
-
-
-| Kernel Mode Security Support Provider Interface (ksecdd.sys) |
-6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.22869 |
-1007 |
-FIPS Approved algorithms: AES (Certs. #739 and #757); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
-
-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert. ); RNG (Cert. and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
-
-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-| Cryptographic Primitives Library (bcrypt.dll) |
-6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005 and 6.0.6002.22872 |
-1008 |
-FIPS Approved algorithms: AES (Certs. #739 and #757); DSA (Cert. #284); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
-
-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength) |
-
-
-| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
-6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005 |
-1009 |
-FIPS Approved algorithms: DSA (Cert. #282); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
-
--Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4 |
-
-
-| Enhanced Cryptographic Provider (RSAENH) |
-6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.18005 |
-1010 |
-FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)
-
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-
-
-
-##### Windows Server 2003 SP2
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
-5.2.3790.3959 |
-875 |
-FIPS Approved algorithms: DSA (Cert. #221); RNG (Cert. #314); RSA (Cert. #245); SHS (Cert. #611); Triple-DES (Cert. #543)
-Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4 |
-
-
-| Kernel Mode Cryptographic Module (FIPS.SYS) |
-5.2.3790.3959 |
-869 |
-FIPS Approved algorithms: HMAC (Cert. #287); RNG (Cert. #313); SHS (Cert. #610); Triple-DES (Cert. #542)
-Other algorithms: DES; HMAC-MD5 |
-
-
-| Enhanced Cryptographic Provider (RSAENH) |
-5.2.3790.3959 |
-868 |
-FIPS Approved algorithms: AES (Cert. #548); HMAC (Cert. #289); RNG (Cert. #316); RSA (Cert. #245); SHS (Cert. #613); Triple-DES (Cert. #544)
-Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-
-
-
-##### Windows Server 2003 SP1
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Kernel Mode Cryptographic Module (FIPS.SYS) |
-5.2.3790.1830 [SP1] |
-405 |
-FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])
-Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)
-[1] x86
-[2] SP1 x86, x64, IA64 |
-
-
-| Enhanced Cryptographic Provider (RSAENH) |
-5.2.3790.1830 [Service Pack 1]) |
-382 |
-FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])
-Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5
-[1] x86
-[2] SP1 x86, x64, IA64 |
-
-
-| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
-5.2.3790.1830 [Service Pack 1] |
-381 |
-FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)
-Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40
-[1] x86
-[2] SP1 x86, x64, IA64 |
-
-
-
-
-
-##### Windows Server 2003
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Kernel Mode Cryptographic Module (FIPS.SYS) |
-5.2.3790.0 |
-405 |
-FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])
-Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)
-[1] x86
-[2] SP1 x86, x64, IA64 |
-
-
-| Enhanced Cryptographic Provider (RSAENH) |
-5.2.3790.0 |
-382 |
-FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])
-Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5
-[1] x86
-[2] SP1 x86, x64, IA64 |
-
-
-| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
-5.2.3790.0 |
-381 |
-FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)
-Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40
-[1] x86
-[2] SP1 x86, x64, IA64 |
-
-
-
-
-
-#### Other Products
-
-##### Windows Embedded Compact 7 and Windows Embedded Compact 8
-
-
-
-
-
-##### Windows CE 6.0 and Windows Embedded Compact 7
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Enhanced Cryptographic Provider |
-6.00.1937 [1] and 7.00.1687 [2] |
-825 |
-FIPS Approved algorithms: AES (Certs. #516 [1] and #2024 [2]); HMAC (Certs. #267 [1] and #1227 [2]); RNG (Certs. #292 [1] and #1060 [2]); RSA (Cert. #230 [1] and #1052 [2]); SHS (Certs. #589 [1] and #1774 [2]); Triple-DES (Certs. #526 [1] and #1308 [2])
-Other algorithms: MD5; HMAC-MD5; RC2; RC4; DES |
-
-
-
-
-
-##### Outlook Cryptographic Provider
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Outlook Cryptographic Provider (EXCHCSP) |
-SR-1A (3821)SR-1A (3821) |
-110 |
-FIPS Approved algorithms: Triple-DES (Cert. #18); SHA-1 (Certs. #32); RSA (vendor affirmed)
-Other algorithms: DES (Certs. #91); DES MAC; RC2; MD2; MD5 |
-
-
-
-
-
-
-### Cryptographic Algorithms
-
-The following tables are organized by cryptographic algorithms with their modes, states, and key sizes. For each algorithm implementation (operating system / platform), there is a link to the Cryptographic Algorithm Validation Program (CAVP) issued certificate.
-
-### Advanced Encryption Standard (AES)
-
-
-
-
-
-
-
-
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
-
-
-
-- AES-CBC:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CFB128:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CTR:
-
-- Counter Source: Internal
-- Key Lengths: 128, 192, 256 (bits)
- - AES-OFB:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- |
-Microsoft Surface Hub Virtual TPM Implementations #4904
-Version 10.0.15063.674 |
-
-
-
-- AES-CBC:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CFB128:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CTR:
-
-- Counter Source: Internal
-- Key Lengths: 128, 192, 256 (bits)
- - AES-OFB:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #4903
-Version 10.0.16299 |
-
-
-
-- AES-CBC:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CCM:
-
-- Key Lengths: 128, 192, 256 (bits)
-- Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
-- IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
-- Plain Text Length: 0-32
-- AAD Length: 0-65536
- - AES-CFB128:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CFB8:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CMAC:
-
-- Generation:
-
-- AES-128:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-192:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-256:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - Verification:
-
-- AES-128:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-192:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-256:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-CTR:
-
-- Counter Source: Internal
-- Key Lengths: 128, 192, 256 (bits)
- - AES-ECB:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-GCM:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
-- Tag Lengths: 96, 104, 112, 120, 128 (bits)
-- Plain Text Lengths: 0, 8, 1016, 1024 (bits)
-- AAD Lengths: 0, 8, 1016, 1024 (bits)
-- 96 bit IV supported
- - AES-XTS:
-
-- Key Size: 128:
-
-- Modes: Decrypt, Encrypt
-- Block Sizes: Full
- - Key Size: 256:
-
-- Modes: Decrypt, Encrypt
-- Block Sizes: Full
- |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #4902
-Version 10.0.15063.674 |
-
-
-
-- AES-CBC:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CCM:
-
-- Key Lengths: 128, 192, 256 (bits)
-- Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
-- IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
-- Plain Text Length: 0-32
-- AAD Length: 0-65536
- - AES-CFB128:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CFB8:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CMAC:
-
-- Generation:
-
-- AES-128:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-192:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-256:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - Verification:
-
-- AES-128:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-192:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-256:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-CTR:
-
-- Counter Source: Internal
-- Key Lengths: 128, 192, 256 (bits)
- - AES-ECB:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-GCM:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
-- Tag Lengths: 96, 104, 112, 120, 128 (bits)
-- Plain Text Lengths: 0, 8, 1016, 1024 (bits)
-- AAD Lengths: 0, 8, 1016, 1024 (bits)
-- 96 bit IV supported
- - AES-XTS:
-
-- Key Size: 128:
-
-- Modes: Decrypt, Encrypt
-- Block Sizes: Full
- - Key Size: 256:
-
-- Modes: Decrypt, Encrypt
-- Block Sizes: Full
- |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4901
-Version 10.0.15254 |
-
-
-
-- AES-CBC:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CCM:
-
-- Key Lengths: 128, 192, 256 (bits)
-- Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
-- IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
-- Plain Text Length: 0-32
-- AAD Length: 0-65536
- - AES-CFB128:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CFB8:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CMAC:
-
-- Generation:
-
-- AES-128:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-192:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-256:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - Verification:
-
-- AES-128:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-192:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-256:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-CTR:
-
-- Counter Source: Internal
-- Key Lengths: 128, 192, 256 (bits)
- - AES-ECB:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-GCM:
-
-- Modes: Decrypt, Encrypt
-- IV Generation: External
-- Key Lengths: 128, 192, 256 (bits)
-- Tag Lengths: 96, 104, 112, 120, 128 (bits)
-- Plain Text Lengths: 0, 8, 1016, 1024 (bits)
-- AAD Lengths: 0, 8, 1016, 1024 (bits)
-- 96 bit IV supported
- - AES-XTS:
-
-- Key Size: 128:
-
-- Modes: Decrypt, Encrypt
-- Block Sizes: Full
- - Key Size: 256:
-
-- Modes: Decrypt, Encrypt
-- Block Sizes: Full
- |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4897
-Version 10.0.16299 |
-
-
-AES-KW:
-
-- Modes: Decrypt, Encrypt
-- CIPHK transformation direction: Forward
-- Key Lengths: 128, 192, 256 (bits)
-- Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
-
-AES Val#4902 |
-Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #4900
-Version 10.0.15063.674 |
-
-
-AES-KW:
-
-- Modes: Decrypt, Encrypt
-- CIPHK transformation direction: Forward
-- Key Lengths: 128, 192, 256 (bits)
-- Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
-
-AES Val#4901 |
-Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #4899
-Version 10.0.15254 |
-
-
-AES-KW:
-
-- Modes: Decrypt, Encrypt
-- CIPHK transformation direction: Forward
-- Key Lengths: 128, 192, 256 (bits)
-- Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
-
-AES Val#4897 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898
-Version 10.0.16299 |
-
-
-AES-CCM:
-
-- Key Lengths: 256 (bits)
-- Tag Lengths: 128 (bits)
-- IV Lengths: 96 (bits)
-- Plain Text Length: 0-32
-- AAD Length: 0-65536
-
-AES Val#4902 |
-Microsoft Surface Hub BitLocker(R) Cryptographic Implementations #4896
-Version 10.0.15063.674 |
-
-
-AES-CCM:
-
-- Key Lengths: 256 (bits)
-- Tag Lengths: 128 (bits)
-- IV Lengths: 96 (bits)
-- Plain Text Length: 0-32
-- AAD Length: 0-65536
-
-AES Val#4901 |
-Windows 10 Mobile (version 1709) BitLocker(R) Cryptographic Implementations #4895
-Version 10.0.15254 |
-
-
-AES-CCM:
-
-- Key Lengths: 256 (bits)
-- Tag Lengths: 128 (bits)
-- IV Lengths: 96 (bits)
-- Plain Text Length: 0-32
-- AAD Length: 0-65536
-
-AES Val#4897 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894
-Version 10.0.16299 |
-
-
-CBC ( e/d; 128 , 192 , 256 );
-CFB128 ( e/d; 128 , 192 , 256 );
-OFB ( e/d; 128 , 192 , 256 );
-CTR ( int only; 128 , 192 , 256 ) |
-Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627
-Version 10.0.15063 |
-
-
-KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )
-AES Val#4624 |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626
-Version 10.0.15063 |
-
-
-CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
-AES Val#4624
- |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625
-Version 10.0.15063 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
-CFB128 ( e/d; 128 , 192 , 256 );
-CTR ( int only; 128 , 192 , 256 )
-CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
-GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported
-GMAC_Supported
-XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624
-Version 10.0.15063 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 ); |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434
-Version 7.00.2872 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 ); |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433
-Version 8.00.6246 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CTR ( int only; 128 , 192 , 256 ) |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431
-Version 7.00.2872 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CTR ( int only; 128 , 192 , 256 ) |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430
-Version 8.00.6246 |
-
-
-CBC ( e/d; 128 , 192 , 256 );
-CFB128 ( e/d; 128 , 192 , 256 );
-OFB ( e/d; 128 , 192 , 256 );
-CTR ( int only; 128 , 192 , 256 ) |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074
-Version 10.0.14393 |
-
-
-ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
-CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
-GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
-GMAC_Supported
-XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064
-Version 10.0.14393 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
- |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
-Version 10.0.14393 |
-
-
-KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )
-AES Val#4064 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062
-Version 10.0.14393 |
-
-
-CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
-AES Val#4064 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061
-Version 10.0.14393 |
-
-
-KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )
-AES Val#3629 |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652
-Version 10.0.10586 |
-
-
-CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
-AES Val#3629 |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653
-Version 10.0.10586 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
- |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
-Version 10.0.10586 |
-
-
-ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
-CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
-GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
-GMAC_Supported
-XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629
-
-
-Version 10.0.10586 |
-
-
-KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )
-AES Val#3497 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507
-Version 10.0.10240 |
-
-
-CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
-AES Val#3497 |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498
-Version 10.0.10240 |
-
-
-ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
-CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
-GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
-GMAC_Supported
-XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
-Version 10.0.10240 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
- |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
-Version 10.0.10240 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
- |
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853
-Version 6.3.9600 |
-
-
-CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
-AES Val#2832 |
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848
-Version 6.3.9600 |
-
-
-CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
-GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported ;
-OtherIVLen_Supported
-GMAC_Supported |
-Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832
-Version 6.3.9600 |
-
-
-CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-AES Val#2197
-CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
-AES Val#2197
-GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
-GMAC_Supported |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216 |
-
-
-CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
-AES Val#2196 |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
-CFB128 ( e/d; 128 , 192 , 256 );
-CTR ( int only; 128 , 192 , 256 ) |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
- |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196 |
-
-
-CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-AES Val#1168 |
-Windows Server 2008 R2 and SP1 CNG algorithms #1187
-Windows 7 Ultimate and SP1 CNG algorithms #1178 |
-
-
-CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
-AES Val#1168 |
-Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
- |
-Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 |
-
-
-GCM
-GMAC |
-Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 , vendor-affirmed |
-
-
-| CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) |
-Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760 |
-
-
-| CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) |
-Windows Server 2008 CNG algorithms #757
-Windows Vista Ultimate SP1 CNG algorithms #756 |
-
-
-CBC ( e/d; 128 , 256 );
-CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) |
-Windows Vista Ultimate BitLocker Drive Encryption #715
-Windows Vista Ultimate BitLocker Drive Encryption #424 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 ); |
-Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739
-Windows Vista Symmetric Algorithm Implementation #553 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CTR ( int only; 128 , 192 , 256 ) |
-Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 ); |
-Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024
-Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818
-Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781
-Windows 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #548
-Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #516
-Windows CE and Windows Mobile 6, 6.1, and 6.5 Enhanced Cryptographic Provider (RSAENH) #507
-Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #290
-Windows CE 5.0 and 5.1 Enhanced Cryptographic Provider (RSAENH) #224
-Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #80
-Windows XP, SP1, and SP2 Enhanced Cryptographic Provider (RSAENH) #33 |
-
-
-
-
-
-Deterministic Random Bit Generator (DRBG)
-
-
-
-
-
-
-
-
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
-
-
-
-- Counter:
-
-- Modes: AES-256
-- Derivation Function States: Derivation Function not used
-- Prediction Resistance Modes: Not Enabled
-
-Prerequisite: AES #4904 |
-Microsoft Surface Hub Virtual TPM Implementations #1734
-Version 10.0.15063.674 |
-
-
-
-- Counter:
-
-- Modes: AES-256
-- Derivation Function States: Derivation Function not used
-- Prediction Resistance Modes: Not Enabled
-
-Prerequisite: AES #4903 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1733
-Version 10.0.16299 |
-
-
-
-- Counter:
-
-- Modes: AES-256
-- Derivation Function States: Derivation Function used
-- Prediction Resistance Modes: Not Enabled
-
-Prerequisite: AES #4902 |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #1732
-Version 10.0.15063.674 |
-
-
-
-- Counter:
-
-- Modes: AES-256
-- Derivation Function States: Derivation Function used
-- Prediction Resistance Modes: Not Enabled
-
-Prerequisite: AES #4901 |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1731
-Version 10.0.15254 |
-
-
-
-- Counter:
-
-- Modes: AES-256
-- Derivation Function States: Derivation Function used
-- Prediction Resistance Modes: Not Enabled
-
-Prerequisite: AES #4897 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1730
-Version 10.0.16299 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ] |
-Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556
-Version 10.0.15063 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ] |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555
-Version 10.0.15063 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ] |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433
-Version 7.00.2872 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ] |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432
-Version 8.00.6246 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ] |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430
-Version 7.00.2872 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ] |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429
-Version 8.00.6246 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ] |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222
-Version 10.0.14393 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ] |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217
-Version 10.0.14393 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ] |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955
-Version 10.0.10586 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ] |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868
-Version 10.0.10240 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ] |
-Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489
-Version 6.3.9600 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ] |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ] |
-Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ] |
-Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23 |
-
-
-| DRBG (SP 800–90) |
-Windows Vista Ultimate SP1, vendor-affirmed |
-
-
-
-
-
-#### Digital Signature Algorithm (DSA)
-
-
-
-
-
-
-
-
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
-
-
-
-- DSA:
-
-- 186-4:
-
-- PQGGen:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - PQGVer:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - SigGen:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - SigVer:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - KeyPair:
-
-- L = 2048, N = 256
-- L = 3072, N = 256
-
-Prerequisite: SHS #4011, DRBG #1732 |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #1303
-Version 10.0.15063.674 |
-
-
-
-- DSA:
-
-- 186-4:
-
-- PQGGen:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - PQGVer:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - SigGen:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - SigVer:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - KeyPair:
-
--
--
-- L = 2048, N = 256
-- L = 3072, N = 256
-
-Prerequisite: SHS #4010, DRBG #1731 |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1302
-Version 10.0.15254 |
-
-
-
-- DSA:
-
-- 186-4:
-
-- PQGGen:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - PQGVer:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - SigGen:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - SigVer:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - KeyPair:
-
-- L = 2048, N = 256
-- L = 3072, N = 256
-
-Prerequisite: SHS #4009, DRBG #1730 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301
-Version 10.0.16299 |
-
-
-FIPS186-4:
-PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-KeyPairGen: [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-SHS: Val#3790
-DRBG: Val# 1555 |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223
-Version 10.0.15063 |
-
-
-FIPS186-4:
-PQG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
-SIG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
-SHS: Val# 3649 |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188
-Version 7.00.2872 |
-
-
-FIPS186-4:
-PQG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
-SIG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
-SHS: Val#3648 |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187
-Version 8.00.6246 |
-
-
-FIPS186-4:
-PQG(gen)PARMS TESTED: [
-(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-KeyPairGen: [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED: [ (2048,256)
-SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-SHS: Val# 3347
-DRBG: Val# 1217 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098
-Version 10.0.14393 |
-
-
-FIPS186-4:
-PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
-KeyPairGen: [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-SHS: Val# 3047
-DRBG: Val# 955 |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024
-Version 10.0.10586 |
-
-
-FIPS186-4:
-PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-KeyPairGen: [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-SHS: Val# 2886
-DRBG: Val# 868 |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983
-Version 10.0.10240 |
-
-
-FIPS186-4:
-PQG(gen)PARMS TESTED: [
-(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256)
-SHA( 256 ); (3072,256) SHA( 256 ) ]
-KeyPairGen: [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-SHS: Val# 2373
-DRBG: Val# 489 |
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855
-Version 6.3.9600 |
-
-
-FIPS186-2:
-PQG(ver) MOD(1024);
-SIG(ver) MOD(1024);
-SHS: #1903
-DRBG: #258
-FIPS186-4:
-PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-SHS: #1903
-DRBG: #258
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687. |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687 |
-
-
-FIPS186-2:
-PQG(ver) MOD(1024);
-SIG(ver) MOD(1024);
-SHS: #1902
-DRBG: #258
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686. |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686 |
-
-
-FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 1773
-DRBG: Val# 193
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645. |
-Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645 |
-
-
-FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 1081
-DRBG: Val# 23
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386. |
-Windows Server 2008 R2 and SP1 CNG algorithms #391
-Windows 7 Ultimate and SP1 CNG algorithms #386 |
-
-
-FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 1081
-RNG: Val# 649
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385. |
-Windows Server 2008 R2 and SP1 Enhanced DSS (DSSENH) #390
-Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385 |
-
-
-FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 753
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283. |
-Windows Server 2008 CNG algorithms #284
-Windows Vista Ultimate SP1 CNG algorithms #283 |
-
-
-FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 753
-RNG: Val# 435
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281. |
-Windows Server 2008 Enhanced DSS (DSSENH) #282
-Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281 |
-
-
-FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 618
-RNG: Val# 321
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226. |
-Windows Vista CNG algorithms #227
-Windows Vista Enhanced DSS (DSSENH) #226 |
-
-
-FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 784
-RNG: Val# 448
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292. |
-Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292 |
-
-
-FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 783
-RNG: Val# 447
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291. |
-Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291 |
-
-
-FIPS186-2:
-PQG(gen) MOD(1024);
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
-SIG(ver) MOD(1024);
-SHS: Val# 611
-RNG: Val# 314 |
-Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221 |
-
-
-FIPS186-2:
-PQG(gen) MOD(1024);
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
-SIG(ver) MOD(1024);
-SHS: Val# 385 |
-Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146 |
-
-
-FIPS186-2:
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
-SIG(ver) MOD(1024);
-SHS: Val# 181
-
- |
-Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95 |
-
-
-FIPS186-2:
-PQG(gen) MOD(1024);
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
-SHS: SHA-1 (BYTE)
-SIG(ver) MOD(1024);
-SHS: SHA-1 (BYTE) |
-Windows 2000 DSSENH.DLL #29
-Windows 2000 DSSBASE.DLL #28
-Windows NT 4 SP6 DSSENH.DLL #26
-Windows NT 4 SP6 DSSBASE.DLL #25 |
-
-
-FIPS186-2: PRIME;
-FIPS186-2:
-KEYGEN(Y):
-SHS: SHA-1 (BYTE)
-SIG(gen):
-SIG(ver) MOD(1024);
-SHS: SHA-1 (BYTE) |
-Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17 |
-
-
-
-
-
-#### Elliptic Curve Digital Signature Algorithm (ECDSA)
-
-
-
-
-
-
-
-
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
-
-
-
-- ECDSA:
-
-- 186-4:
-
-- Key Pair Generation:
-
-- Curves: P-256, P-384, P-521
-- Generation Methods: Extra Random Bits
- - Public Key Validation:
-
-- Curves: P-256, P-384, P-521
- - Signature Generation:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
- - Signature Verification:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: SHS #2373, DRBG #489 |
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263
-Version 6.3.9600 |
-
-
-
-- ECDSA:
-
-- 186-4:
-
-- Key Pair Generation:
-
-- Curves: P-256, P-384
-- Generation Methods: Testing Candidates
-
-Prerequisite: SHS #4011, DRBG #1734 |
-Microsoft Surface Hub Virtual TPM Implementations #1253
-Version 10.0.15063.674 |
-
-
-
-- ECDSA:
-
-- 186-4:
-
-- Key Pair Generation:
-
-- Curves: P-256, P-384
-- Generation Methods: Testing Candidates
-
-Prerequisite: SHS #4009, DRBG #1733 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1252
-Version 10.0.16299 |
-
-
-
-- ECDSA:
-
-- 186-4:
-
-- Key Pair Generation:
-
-- Curves: P-256, P-384, P-521
-- Generation Methods: Extra Random Bits
- - Public Key Validation:
-
-- Curves: P-256, P-384, P-521
- - Signature Generation:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
- - Signature Verification:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: SHS #4011, DRBG #1732 |
-Microsoft Surface Hub MsBignum Cryptographic Implementations #1251
-Version 10.0.15063.674 |
-
-
-
-- ECDSA:
-
-- 186-4:
-
-- Key Pair Generation:
-
-- Curves: P-256, P-384, P-521
-- Generation Methods: Extra Random Bits
- - Public Key Validation:
-
-- Curves: P-256, P-384, P-521
- - Signature Generation:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
- - Signature Verification:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: SHS #4011, DRBG #1732 |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #1250
-Version 10.0.15063.674 |
-
-
-
-- ECDSA:
-
-- 186-4:
-
-- Key Pair Generation:
-
-- Curves: P-256, P-384, P-521
-- Generation Methods: Extra Random Bits
- - Public Key Validation:
-
-- Curves: P-256, P-384, P-521
- - Signature Generation:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
- - Signature Verification:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: SHS #4010, DRBG #1731 |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1249
-Version 10.0.15254 |
-
-
-
-- ECDSA:
-
-- 186-4:
-
-- Key Pair Generation:
-
-- Curves: P-256, P-384, P-521
-- Generation Methods: Extra Random Bits
- - Public Key Validation:
-
-- Curves: P-256, P-384, P-521
- - Signature Generation:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
- - Signature Verification:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: SHS #4010, DRBG #1731 |
-Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1248
-Version 10.0.15254 |
-
-
-
-- ECDSA:
-
-- 186-4:
-
-- Key Pair Generation:
-
-- Curves: P-256, P-384, P-521
-- Generation Methods: Extra Random Bits
- - Public Key Validation:
-
-- Curves: P-256, P-384, P-521
- - Signature Generation:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
- - Signature Verification:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: SHS #4009, DRBG #1730 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1247
-Version 10.0.16299 |
-
-
-
-- ECDSA:
-
-- 186-4:
-
-- Key Pair Generation:
-
-- Curves: P-256, P-384, P-521
-- Generation Methods: Extra Random Bits
- - Public Key Validation:
-
-- Curves: P-256, P-384, P-521
- - Signature Generation:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
- - Signature Verification:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: SHS #4009, DRBG #1730 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1246
-Version 10.0.16299 |
-
-
-FIPS186-4:
-PKG: CURVES( P-256 P-384 TestingCandidates )
-SHS: Val#3790
-DRBG: Val# 1555 |
-Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136
-Version 10.0.15063 |
-
-
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val#3790
-DRBG: Val# 1555 |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135
-Version 10.0.15063 |
-
-
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val#3790
-DRBG: Val# 1555 |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133
-Version 10.0.15063 |
-
-
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
-SHS:Val# 3649
-DRBG:Val# 1430 |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073
-Version 7.00.2872 |
-
-
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
-SHS:Val#3648
-DRBG:Val# 1429 |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072
-Version 8.00.6246 |
-
-
-FIPS186-4:
-PKG: CURVES( P-256 P-384 TestingCandidates )
-PKV: CURVES( P-256 P-384 )
-SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )
-SHS: Val# 3347
-DRBG: Val# 1222 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920
-Version 10.0.14393 |
-
-
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val# 3347
-DRBG: Val# 1217 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911
-Version 10.0.14393 |
-
-
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val# 3047
-DRBG: Val# 955 |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760
-Version 10.0.10586 |
-
-
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val# 2886
-DRBG: Val# 868 |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #706
-Version 10.0.10240 |
-
-
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val#2373
-DRBG: Val# 489 |
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505
-Version 6.3.9600 |
-
-
-FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: #1903
-DRBG: #258
-SIG(ver):CURVES( P-256 P-384 P-521 )
-SHS: #1903
-DRBG: #258
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: #1903
-DRBG: #258
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341. |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341 |
-
-
-FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#1773
-DRBG: Val# 193
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#1773
-DRBG: Val# 193
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val#1773
-DRBG: Val# 193
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295. |
-Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295 |
-
-
-FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#1081
-DRBG: Val# 23
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#1081
-DRBG: Val# 23
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141. |
-Windows Server 2008 R2 and SP1 CNG algorithms #142
-Windows 7 Ultimate and SP1 CNG algorithms #141 |
-
-
-FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#753
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#753
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82. |
-Windows Server 2008 CNG algorithms #83
-Windows Vista Ultimate SP1 CNG algorithms #82 |
-
-
-FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#618
-RNG: Val# 321
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#618
-RNG: Val# 321
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60. |
-Windows Vista CNG algorithms #60 |
-
-
-
-
-
-#### Keyed-Hash Message Authentication Code (HMAC)
-
-
-
-
-
-
-
-
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
-
-
-
-- HMAC-SHA-1:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-256:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-384:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
-
-Prerequisite: SHS #4011 |
-Microsoft Surface Hub Virtual TPM Implementations #3271
-Version 10.0.15063.674 |
-
-
-
-- HMAC-SHA-1:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-256:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-384:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
-
-Prerequisite: SHS #4009 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #3270
-Version 10.0.16299 |
-
-
-
-- HMAC-SHA-1:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-256:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-384:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-512:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
-
-Prerequisite: SHS #4011 |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #3269
-Version 10.0.15063.674 |
-
-
-
-- HMAC-SHA-1:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-256:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-384:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-512:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
-
-Prerequisite: SHS #4010 |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #3268
-Version 10.0.15254 |
-
-
-
-- HMAC-SHA-1:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-256:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-384:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-512:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
-
-Prerequisite: SHS #4009 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #3267
-Version 10.0.16299 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 |
-Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062
-Version 10.0.15063 |
-
-
-HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061
-Version 10.0.15063 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652 |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946
-Version 7.00.2872 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651 |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945
-Version 8.00.6246 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649 |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943
-Version 7.00.2872 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648 |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942
-Version 8.00.6246 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
-SHS Val# 3347
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
-SHS Val# 3347
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
-SHS Val# 3347 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661
-Version 10.0.14393 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651
-Version 10.0.14393 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
-SHS Val# 3047
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
-SHS Val# 3047
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
-SHS Val# 3047
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
-SHS Val# 3047 |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381
-Version 10.0.10586 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
-SHSVal# 2886
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
-SHSVal# 2886
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
- SHSVal# 2886
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
-SHSVal# 2886 |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233
-Version 10.0.10240 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
-SHS Val#2373
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
-SHS Val#2373
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
-SHS Val#2373
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
-SHS Val#2373 |
-Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773
-Version 6.3.9600 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764 |
-Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122
-Version 5.2.29344 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902
-HMAC-SHA256 ( Key Size Ranges Tested: KS#1902 |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902 |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
-SHS#1903
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
-SHS#1903
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
-SHS#1903
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
-SHS#1903 |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773
-Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773 |
-Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774 |
-Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081 |
-Windows Server 2008 R2 and SP1 CNG algorithms #686
-Windows 7 and SP1 CNG algorithms #677
-Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687
-Windows 7 Enhanced Cryptographic Provider (RSAENH) #673 |
-
-
-HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081
-HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081 |
-Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816 |
-Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753
-HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753 |
-Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753 |
-Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408
-Windows Vista Enhanced Cryptographic Provider (RSAENH) #407 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618 |
-Windows Vista Enhanced Cryptographic Provider (RSAENH) #297 |
-
-
-| HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785 |
-Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429
-Windows XP, vendor-affirmed |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783 |
-Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613 |
-Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289 |
-
-
-| HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610 |
-Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753 |
-Windows Server 2008 CNG algorithms #413
-Windows Vista Ultimate SP1 CNG algorithms #412 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737
-HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737 |
-Windows Vista Ultimate BitLocker Drive Encryption #386 |
-
-
-HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618 |
-Windows Vista CNG algorithms #298 |
-
-
-HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589 |
-Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267 |
-
-
-HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578 |
-Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495
-HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495 |
-Windows Vista BitLocker Drive Encryption #199 |
-
-
-| HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364 |
-Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99
-Windows XP, vendor-affirmed |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305 |
-Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31 |
-
-
-
-
-
-#### Key Agreement Scheme (KAS)
-
-
-
-
-
-
-
-
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
-
-
-
-- KAS ECC:
-
-- Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
-- Schemes:
-
-- Full Unified:
-
-- Key Agreement Roles: Initiator, Responder
-- KDFs: Concatenation
-- Parameter Sets:
-
-- EC:
-
-- Curve: P-256
-- SHA: SHA-256
-- MAC: HMAC
- - ED:
-
-- Curve: P-384
-- SHA: SHA-384
-- MAC: HMAC
-
-Prerequisite: SHS #4011, ECDSA #1253, DRBG #1734 |
-Microsoft Surface Hub Virtual TPM Implementations #150
-Version 10.0.15063.674 |
-
-
-
-- KAS ECC:
-
-- Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
-- Schemes:
-
-- Full Unified:
-
-- Key Agreement Roles: Initiator, Responder
-- KDFs: Concatenation
-- Parameter Sets:
-
-- EC:
-
-- Curve: P-256
-- SHA: SHA-256
-- MAC: HMAC
- - ED:
-
-- Curve: P-384
-- SHA: SHA-384
-- MAC: HMAC
-
-Prerequisite: SHS #4009, ECDSA #1252, DRBG #1733 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #149
-Version 10.0.16299 |
-
-
-
-- KAS ECC:
-
-- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
-- Schemes:
-
-- Ephemeral Unified:
-
-- Key Agreement Roles: Initiator, Responder
-- KDFs: Concatenation
-- Parameter Sets:
-
-- EC:
-
-- Curve: P-256
-- SHA: SHA-256
-- MAC: HMAC
- - ED:
-
-- Curve: P-384
-- SHA: SHA-384
-- MAC: HMAC
- - EE:
-
-- Curve: P-521
-- SHA: SHA-512
-- MAC: HMAC
- - One Pass DH:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- EC:
-
-- Curve: P-256
-- SHA: SHA-256
-- MAC: HMAC
- - ED:
-
-- Curve: P-384
-- SHA: SHA-384
-- MAC: HMAC
- - EE:
-
-- Curve: P-521
-- SHA: SHA-512
-- MAC: HMAC
- - Static Unified:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- EC:
-
-- Curve: P-256
-- SHA: SHA-256
-- MAC: HMAC
- - ED:
-
-- Curve: P-384
-- SHA: SHA-384
-- MAC: HMAC
- - EE:
-
-- Curve: P-521
-- SHA: SHA-512
-- MAC: HMAC
-
-Prerequisite: SHS #4011, ECDSA #1250, DRBG #1732
-
-- KAS FFC:
-
-- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
-- Schemes:
-
-- dhEphem:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- FB:
-
-- SHA: SHA-256
-- MAC: HMAC
- - FC:
-
-- SHA: SHA-256
-- MAC: HMAC
- - dhOneFlow:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- FB:
-
-- SHA: SHA-256
-- MAC: HMAC
- - FC:
-
-- SHA: SHA-256
-- MAC: HMAC
- - dhStatic:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- FB:
-
-- SHA: SHA-256
-- MAC: HMAC
- - FC:
-
-- SHA: SHA-256
-- MAC: HMAC
-
-Prerequisite: SHS #4011, DSA #1303, DRBG #1732 |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #148
-Version 10.0.15063.674 |
-
-
-
-- KAS ECC:
-
-- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
-- Schemes:
-
-- Ephemeral Unified:
-
-- Key Agreement Roles: Initiator, Responder
-- KDFs: Concatenation
-- Parameter Sets:
-
-- EC:
-
-- Curve: P-256
-- SHA: SHA-256
-- MAC: HMAC
- - ED:
-
-- Curve: P-384
-- SHA: SHA-384
-- MAC: HMAC
- - EE:
-
-- Curve: P-521
-- SHA: SHA-512
-- MAC: HMAC
- - One Pass DH:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- EC:
-
-- Curve: P-256
-- SHA: SHA-256
-- MAC: HMAC
- - ED:
-
-- Curve: P-384
-- SHA: SHA-384
-- MAC: HMAC
- - EE:
-
-- Curve: P-521
-- SHA: SHA-512
-- MAC: HMAC
- - Static Unified:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- EC:
-
-- Curve: P-256
-- SHA: SHA-256
-- MAC: HMAC
- - ED:
-
-- Curve: P-384
-- SHA: SHA-384
-- MAC: HMAC
- - EE:
-
-- Curve: P-521
-- SHA: SHA-512
-- MAC: HMAC
-
-Prerequisite: SHS #4010, ECDSA #1249, DRBG #1731
-
-- KAS FFC:
-
-- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
-- Schemes:
-
-- dhEphem:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- FB:
-
-- SHA: SHA-256
-- MAC: HMAC
- - FC:
-
-- SHA: SHA-256
-- MAC: HMAC
- - dhOneFlow:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- FB:
-
-- SHA: SHA-256
-- MAC: HMAC
- - FC:
-
-- SHA: SHA-256
-- MAC: HMAC
- - dhStatic:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- FB:
-
-- SHA: SHA-256
-- MAC: HMAC
- - FC:
-
-- SHA: SHA-256
-- MAC: HMAC
-
-Prerequisite: SHS #4010, DSA #1302, DRBG #1731 |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #147
-Version 10.0.15254 |
-
-
-
-- KAS ECC:
-
-- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
-- Schemes:
-
-- Ephemeral Unified:
-
-- Key Agreement Roles: Initiator, Responder
-- KDFs: Concatenation
-- Parameter Sets:
-
-- EC:
-
-- Curve: P-256
-- SHA: SHA-256
-- MAC: HMAC
- - ED:
-
-- Curve: P-384
-- SHA: SHA-384
-- MAC: HMAC
- - EE:
-
-- Curve: P-521
-- SHA: SHA-512
-- MAC: HMAC
- - One Pass DH:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- EC:
-
-- Curve: P-256
-- SHA: SHA-256
-- MAC: HMAC
- - ED:
-
-- Curve: P-384
-- SHA: SHA-384
-- MAC: HMAC
- - EE:
-
-- Curve: P-521
-- SHA: SHA-512
-- MAC: HMAC
- - Static Unified:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- EC:
-
-- Curve: P-256
-- SHA: SHA-256
-- MAC: HMAC
- - ED:
-
-- Curve: P-384
-- SHA: SHA-384
-- MAC: HMAC
- - EE:
-
-- Curve: P-521
-- SHA: SHA-512
-- MAC: HMAC
-
-Prerequisite: SHS #4009, ECDSA #1246, DRBG #1730
-
-- KAS FFC:
-
-- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
-- Schemes:
-
-- dhEphem:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- FB:
-
-- SHA: SHA-256
-- MAC: HMAC
- - FC:
-
-- SHA: SHA-256
-- MAC: HMAC
- - dhOneFlow:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- FB:
-
-- SHA: SHA-256
-- MAC: HMAC
- - FC:
-
-- SHA: SHA-256
-- MAC: HMAC
- - dhStatic:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- FB:
-
-- SHA: SHA-256
-- MAC: HMAC
- - FC:
-
-- SHA: SHA-256
-- MAC: HMAC
-
-Prerequisite: SHS #4009, DSA #1301, DRBG #1730 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #146
-Version 10.0.16299 |
-
-
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ]
-SHS Val#3790
-DSA Val#1135
-DRBG Val#1556 |
-Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #128
-Version 10.0.15063 |
-
-
-FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-SHS Val#3790
-DSA Val#1223
-DRBG Val#1555
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-
-SHS Val#3790
-ECDSA Val#1133
-DRBG Val#1555 |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127
-Version 10.0.15063 |
-
-
-FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-SHS Val# 3649
-DSA Val#1188
-DRBG Val#1430
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115
-Version 7.00.2872 |
-
-
-FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhHybridOneFlow ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-SHS Val#3648
-DSA Val#1187
-DRBG Val#1429
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-
-SHS Val#3648
-ECDSA Val#1072
-DRBG Val#1429 |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114
-Version 8.00.6246 |
-
-
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration )
-SCHEMES [ FullUnified ( No_KC < KARole(s): Initiator / Responder > < KDF: CONCAT > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ]
-SHS Val# 3347 ECDSA Val#920 DRBG Val#1222 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93
-Version 10.0.14393 |
-
-
-FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation )
-SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic (No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-SHS Val# 3347 DSA Val#1098 DRBG Val#1217
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-SHS Val# 3347 DSA Val#1098 ECDSA Val#911 DRBG Val#1217 HMAC Val#2651 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #92
-Version 10.0.14393 |
-
-
-FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-SHS Val# 3047 DSA Val#1024 DRBG Val#955
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-SHS Val# 3047 ECDSA Val#760 DRBG Val#955 |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72
-Version 10.0.10586 |
-
-
-FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-SHS Val# 2886 DSA Val#983 DRBG Val#868
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-SHS Val# 2886 ECDSA Val#706 DRBG Val#868 |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64
-Version 10.0.10240 |
-
-
-FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-SHS Val#2373 DSA Val#855 DRBG Val#489
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-SHS Val#2373 ECDSA Val#505 DRBG Val#489 |
-Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47
-Version 6.3.9600 |
-
-
-FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-SHS #1903 DSA Val#687 DRBG #258
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-
-SHS #1903 ECDSA Val#341 DRBG #258 |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36 |
-
-
-KAS (SP 800–56A)
-key agreement
-key establishment methodology provides 80 to 256 bits of encryption strength |
-Windows 7 and SP1, vendor-affirmed
-Windows Server 2008 R2 and SP1, vendor-affirmed |
-
-
-
-
-
-SP 800-108 Key-Based Key Derivation Functions (KBKDF)
-
-
-
-
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
-
-
-
-- Counter:
-
-- MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
-
-MAC prerequisite: HMAC #3271
-
-
-- Counter Location: Before Fixed Data
-- R Length: 32 (bits)
-- SPs used to generate K: SP 800-56A, SP 800-90A
-
- K prerequisite: DRBG #1734, KAS #150 |
-Microsoft Surface Hub Virtual TPM Implementations #161
-Version 10.0.15063.674 |
-
-
-
-- Counter:
-
-- MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
-
-MAC prerequisite: HMAC #3270
-
-
-- Counter Location: Before Fixed Data
-- R Length: 32 (bits)
-- SPs used to generate K: SP 800-56A, SP 800-90A
-
- K prerequisite: DRBG #1733, KAS #149 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #160
-Version 10.0.16299 |
-
-
-
-- Counter:
-
-- MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
-
-MAC prerequisite: AES #4902, HMAC #3269
-
-
-- Counter Location: Before Fixed Data
-- R Length: 32 (bits)
-- SPs used to generate K: SP 800-56A, SP 800-90A
-- K prerequisite: KAS #148
-
- |
-Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #159
-Version 10.0.15063.674 |
-
-
-
-- Counter:
-
-- MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
-
-MAC prerequisite: AES #4901, HMAC #3268
-
-
-- Counter Location: Before Fixed Data
-- R Length: 32 (bits)
-- SPs used to generate K: SP 800-56A, SP 800-90A
-
- K prerequisite: KAS #147 |
-Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #158
-Version 10.0.15254 |
-
-
-
-- Counter:
-
-- MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
-
-MAC prerequisite: AES #4897, HMAC #3267
-
-
-- Counter Location: Before Fixed Data
-- R Length: 32 (bits)
-- SPs used to generate K: SP 800-56A, SP 800-90A
-
- K prerequisite: KAS #146 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #157
-Version 10.0.16299 |
-
-
-CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
-
-KAS Val#128
-DRBG Val#1556
-MAC Val#3062 |
-Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #141
-Version 10.0.15063 |
-
-
-CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
-
-KAS Val#127
-AES Val#4624
-DRBG Val#1555
-MAC Val#3061 |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #140
-Version 10.0.15063 |
-
-
-CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
-KAS Val#93 DRBG Val#1222 MAC Val#2661 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102
-Version 10.0.14393 |
-
-
-CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
-KAS Val#92 AES Val#4064 DRBG Val#1217 MAC Val#2651 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101
-Version 10.0.14393 |
-
-
-CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
-KAS Val#72 AES Val#3629 DRBG Val#955 MAC Val#2381 |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72
-Version 10.0.10586 |
-
-
-CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
-KAS Val#64 AES Val#3497 RBG Val#868 MAC Val#2233 |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66
-Version 10.0.10240 |
-
-
-CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
-DRBG Val#489 MAC Val#1773 |
-Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30
-Version 6.3.9600 |
-
-
-CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
-DRBG #258 HMAC Val#1345 |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3 |
-
-
-
-
-
-Random Number Generator (RNG)
-
-
-
-
-
-
-
-
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
-
-
-FIPS 186-2 General Purpose
-[ (x-Original); (SHA-1) ] |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110 |
-
-
-FIPS 186-2
-[ (x-Original); (SHA-1) ] |
-Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060
-Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292
-Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286
-Windows CE 5.00 and Window CE 5.01 Enhanced Cryptographic Provider (RSAENH) #66 |
-
-
-FIPS 186-2
-[ (x-Change Notice); (SHA-1) ]
-FIPS 186-2 General Purpose
-[ (x-Change Notice); (SHA-1) ] |
-Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649
-Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435
-Windows Vista RNG implementation #321 |
-
-
-FIPS 186-2 General Purpose
-[ (x-Change Notice); (SHA-1) ] |
-Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470
-Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449
-Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447
-Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #316
-Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313 |
-
-
-FIPS 186-2
-[ (x-Change Notice); (SHA-1) ] |
-Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448
-Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314 |
-
-
-
-
-
-#### RSA
-
-
-
-
-
-
-
-
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
-
-
-RSA:
-
-- 186-4:
-
-- Signature Generation PKCS1.5:
-
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384
- - Signature Generation PSS:
-
-- Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
- - Signature Verification PKCS1.5:
-
-- Mod 1024 SHA: SHA-1, SHA-256, SHA-384
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384
- - Signature Verification PSS:
-
-- Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-
-Prerequisite: SHS #4011, DRBG #1734 |
-Microsoft Surface Hub Virtual TPM Implementations #2677
-Version 10.0.15063.674 |
-
-
-RSA:
-
-- 186-4:
-
-- Signature Generation PKCS1.5:
-
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384
- - Signature Generation PSS:
-
-- Mod 2048:
-
-- SHA-1: Salt Length: 240 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
- - Signature Verification PKCS1.5:
-
-- Mod 1024 SHA: SHA-1, SHA-256, SHA-384
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384
- - Signature Verification PSS:
-
-- Mod 1024:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
- - Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-
-Prerequisite: SHS #4009, DRBG #1733 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #2676
-Version 10.0.16299 |
-
-
-RSA:
-
-- 186-4:
-
-- Key Generation:
-- Signature Verification PKCS1.5:
-
-- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-
-Prerequisite: SHS #4011, DRBG #1732 |
-Microsoft Surface Hub RSA32 Algorithm Implementations #2675
-Version 10.0.15063.674 |
-
-
-RSA:
-
-- 186-4:
-
-- Signature Verification PKCS1.5:
-
-- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-
-Prerequisite: SHS #4009, DRBG #1730 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations #2674
-Version 10.0.16299 |
-
-
-RSA:
-
-- 186-4:
-
-- Signature Verification PKCS1.5:
-
-- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-
-Prerequisite: SHS #4010, DRBG #1731 |
-Windows 10 Mobile (version 1709) RSA32 Algorithm Implementations #2673
-Version 10.0.15254 |
-
-
-RSA:
-
-- 186-4:
-
-- Key Generation:
-
-- Public Key Exponent: Fixed (10001)
-- Provable Primes with Conditions:
-
-- Mod lengths: 2048, 3072 (bits)
-- Primality Tests: C.3
- - Signature Generation PKCS1.5:
-
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Generation PSS:
-
-- Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Signature Verification PKCS1.5:
-
-- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Verification PSS:
-
-- Mod 1024:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 496 (bits)
- - Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
-
-Prerequisite: SHS #4011, DRBG #1732 |
-Microsoft Surface Hub MsBignum Cryptographic Implementations #2672
-Version 10.0.15063.674 |
-
-
-RSA:
-
-- 186-4:
-
-- Key Generation:
-
-- Probable Random Primes:
-
-- Mod lengths: 2048, 3072 (bits)
-- Primality Tests: C.2
- - Signature Generation PKCS1.5:
-
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Generation PSS:
-
-- Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Signature Verification PKCS1.5:
-
-- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Verification PSS:
-
-- Mod 1024:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 496 (bits)
- - Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
-
-Prerequisite: SHS #4011, DRBG #1732 |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #2671
-Version 10.0.15063.674 |
-
-
-RSA:
-
-- 186-4:
-
-- Key Generation:
-
-- Probable Random Primes:
-
-- Mod lengths: 2048, 3072 (bits)
-- Primality Tests: C.2
- - Signature Generation PKCS1.5:
-
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Generation PSS:
-
-- Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Signature Verification PKCS1.5:
-
-- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Verification PSS:
-
-- Mod 1024:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 496 (bits)
- - Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
-
-Prerequisite: SHS #4010, DRBG #1731 |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2670
-Version 10.0.15254 |
-
-
-RSA:
-
-- 186-4:
-
-- Key Generation:
-
-- Public Key Exponent: Fixed (10001)
-- Provable Primes with Conditions:
-
-- Mod lengths: 2048, 3072 (bits)
-- Primality Tests: C.3
- - Signature Generation PKCS1.5:
-
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Generation PSS:
-
-- Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Signature Verification PKCS1.5:
-
-- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Verification PSS:
-
-- Mod 1024:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 496 (bits)
- - Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
-
-Prerequisite: SHS #4010, DRBG #1731 |
-Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #2669
-Version 10.0.15254 |
-
-
-
-- 186-4:
-
-- Key Generation:
-
-- Public Key Exponent: Fixed (10001)
-- Provable Primes with Conditions:
-
-- Mod lengths: 2048, 3072 (bits)
-- Primality Tests: C.3
- - Signature Generation PKCS1.5:
-
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Generation PSS:
-
-- Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Signature Verification PKCS1.5:
-
-- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Verification PSS:
-
-- Mod 1024:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 496 (bits)
- - Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
-
-Prerequisite: SHS #4009, DRBG #1730 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #2668
-Version 10.0.16299 |
-
-
-
-- 186-4:
-
-- Key Generation:
-
-- Probable Random Primes:
-
-- Mod lengths: 2048, 3072 (bits)
-- Primality Tests: C.2
- - Signature Generation PKCS1.5:
-
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Generation PSS:
-
-- Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Signature Verification PKCS1.5:
-
-- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Verification PSS:
-
-- Mod 1024:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 496 (bits)
- - Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
-
-Prerequisite: SHS #4009, DRBG #1730 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2667
-Version 10.0.16299 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
-SHA Val#3790 |
-Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524
-Version 10.0.15063 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3790 |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523
-Version 10.0.15063 |
-
-
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-SHA Val#3790
-DRBG: Val# 1555 |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522
-Version 10.0.15063 |
-
-
-FIPS186-4:
-186-4KEY(gen):
-PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-SHA Val#3790 |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521
-Version 10.0.15063 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
-FIPS186-4:
-ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
-SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3652 |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415
-Version 7.00.2872 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
-FIPS186-4:
-ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
-SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3651 |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414
-Version 8.00.6246 |
-
-
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val# 3649 , SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
-PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val# 3649
-DRBG: Val# 1430 |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412
-Version 7.00.2872 |
-
-
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
-PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3648
-DRBG: Val# 1429 |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411
-Version 8.00.6246 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
-Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
-SHA Val# 3347 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206
-Version 10.0.14393 |
-
-
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
-SHA Val# 3347 DRBG: Val# 1217 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195
-Version 10.0.14393 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3346 |
-soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194
-Version 10.0.14393 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val# 3347 DRBG: Val# 1217 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193
-Version 10.0.14393 |
-
-
-FIPS186-4:
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-SHA Val# 3347 DRBG: Val# 1217 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192
-Version 10.0.14393 |
-
-
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
-SHA Val# 3047 DRBG: Val# 955 |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889
-Version 10.0.10586 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3048 |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871
-Version 10.0.10586 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val# 3047 |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888
-Version 10.0.10586 |
-
-
-FIPS186-4:
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-SHA Val# 3047 |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887
-Version 10.0.10586 |
-
-
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
-SHA Val# 2886 DRBG: Val# 868 |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798
-Version 10.0.10240 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#2871 |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784
-Version 10.0.10240 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#2871 |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783
-Version 10.0.10240 |
-
-
-FIPS186-4:
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-Sig(Ver): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-SHA Val# 2886 |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802
-Version 10.0.10240 |
-
-
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
-SHA Val#2373 DRBG: Val# 489 |
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487
-Version 6.3.9600 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#2373 |
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494
-Version 6.3.9600 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#2373 |
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493
-Version 6.3.9600 |
-
-
-FIPS186-4:
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-SHA Val#2373 |
-Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519
-Version 6.3.9600 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 ))
-SHA #1903
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134. |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134 |
-
-
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
-SHA #1903 DRBG: #258 |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132. |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052. |
-Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051. |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051 |
-
-
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568. |
-Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568 |
-
-
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#567. See Historical RSA List Val#560. |
-Windows Server 2008 R2 and SP1 CNG algorithms #567
-Windows 7 and SP1 CNG algorithms #560 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559. |
-Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559 |
-
-
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#557. |
-Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#395. |
-Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#783
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#371. |
-Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371 |
-
-
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
-ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#358. See Historical RSA List Val#357. |
-Windows Server 2008 CNG algorithms #358
-Windows Vista SP1 CNG algorithms #357 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#355. See Historical RSA List Val#354. |
-Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355
-Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353. |
-Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258. |
-Windows Vista RSA key generation implementation #258 |
-
-
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
-ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#257. |
-Windows Vista CNG algorithms #257 |
-
-
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#255. |
-Windows Vista Enhanced Cryptographic Provider (RSAENH) #255 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#245. |
-Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#230. |
-Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#222. |
-Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222 |
-
-
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]:
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#364
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#81. |
-Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#52. |
-Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52 |
-
-
-FIPS186-2:
-– PKCS#1 v1.5, signature generation and verification
-– Mod sizes: 1024, 1536, 2048, 3072, 4096
-– SHS: SHA–1/256/384/512 |
-Windows XP, vendor-affirmed
-Windows 2000, vendor-affirmed |
-
-
-
-
-
-#### Secure Hash Standard (SHS)
-
-
-
-
-
-
-
-
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
-
-
-
-- SHA-1:
-
-- Supports Empty Message
- - SHA-256:
-
-- Supports Empty Message
- - SHA-384:
-
-- Supports Empty Message
- - SHA-512:
-
-- Supports Empty Message
- |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #4011
-Version 10.0.15063.674 |
-
-
-
-- SHA-1:
-
-- Supports Empty Message
- - SHA-256:
-
-- Supports Empty Message
- - SHA-384:
-
-- Supports Empty Message
- - SHA-512:
-
-- Supports Empty Message
- |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4010
-Version 10.0.15254 |
-
-
-
-- SHA-1:
-
-- Supports Empty Message
- - SHA-256:
-
-- Supports Empty Message
- - SHA-384:
-
-- Supports Empty Message
- - SHA-512:
-
-- Supports Empty Message
- |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4009
-Version 10.0.16299 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3790
-Version 10.0.15063 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3652
-Version 7.00.2872 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3651
-Version 8.00.6246 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3649
-Version 7.00.2872 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3648
-Version 8.00.6246 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #3347
-Version 10.0.14393 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #3346
-Version 10.0.14393 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #3048
-Version 10.0.10586 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #3047
-Version 10.0.10586 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886
-Version 10.0.10240 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871
-Version 10.0.10240 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396
-Version 6.3.9600 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
-Version 6.3.9600 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)
-Implementation does not support zero-length (null) messages. |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1774
-Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1773 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows 7and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081
-Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816 |
-
-
-| SHA-1 (BYTE-only) |
-Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #785
-Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #784 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #783 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753
-Windows Vista Symmetric Algorithm Implementation #618 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only) |
-Windows Vista BitLocker Drive Encryption #737
-Windows Vista Beta 2 BitLocker Drive Encryption #495 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #613
-Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #364 |
-
-
-| SHA-1 (BYTE-only) |
-Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #611
-Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #610
-Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #385
-Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #371
-Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #181
-Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #177
-Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #176 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #589
-Windows CE and Windows Mobile 6 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #578
-Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #305 |
-
-
-| SHA-1 (BYTE-only) |
-Windows XP Microsoft Enhanced Cryptographic Provider #83
-Crypto Driver for Windows 2000 (fips.sys) #35
-Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #32
-Windows 2000 RSAENH.DLL #24
-Windows 2000 RSABASE.DLL #23
-Windows NT 4 SP6 RSAENH.DLL #21
-Windows NT 4 SP6 RSABASE.DLL #20 |
-
-
-
-
-
-#### Triple DES
-
-
-
-
-
-
-
-
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
-
-
-
-- TDES-CBC:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- - TDES-CFB64:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- - TDES-CFB8:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- - TDES-ECB:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #2558
-Version 10.0.15063.674 |
-
-
-
-- TDES-CBC:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- - TDES-CFB64:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- - TDES-CFB8:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- - TDES-ECB:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2557
-Version 10.0.15254 |
-
-
-
-- TDES-CBC:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- - TDES-CFB64:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- - TDES-CFB8:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- - TDES-ECB:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2556
-Version 10.0.16299 |
-
-
-| TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, ) |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459
-Version 10.0.15063 |
-
-
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384
-Version 8.00.6246 |
-
-
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383
-Version 8.00.6246 |
-
-
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) ;
-CTR ( int only ) |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382
-Version 7.00.2872 |
-
-
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381
-Version 8.00.6246 |
-
-
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) ;
-TCFB8( KO 1 e/d, ) ;
-TCFB64( KO 1 e/d, ) |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227
-
-
-Version 10.0.14393 |
-
-
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) ;
-TCFB8( KO 1 e/d, ) ;
-TCFB64( KO 1 e/d, ) |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024
-
-
-Version 10.0.10586 |
-
-
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) ;
-TCFB8( KO 1 e/d, ) ;
-TCFB64( KO 1 e/d, ) |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969
-
-
-Version 10.0.10240 |
-
-
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) ;
-TCFB8( KO 1 e/d, ) ;
-TCFB64( KO 1 e/d, ) |
-Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692
-Version 6.3.9600 |
-
-
-TECB( e/d; KO 1,2 ) ;
-TCBC( e/d; KO 1,2 ) ;
-TCFB8( e/d; KO 1,2 ) ;
-TCFB64( e/d; KO 1,2 ) |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387 |
-
-
-TECB( e/d; KO 1,2 ) ;
-TCBC( e/d; KO 1,2 ) ;
-TCFB8( e/d; KO 1,2 ) |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386 |
-
-
-TECB( e/d; KO 1,2 ) ;
-TCBC( e/d; KO 1,2 ) ;
-TCFB8( e/d; KO 1,2 ) |
-Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846 |
-
-
-TECB( e/d; KO 1,2 ) ;
-TCBC( e/d; KO 1,2 ) ;
-TCFB8( e/d; KO 1,2 ) |
-Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656 |
-
-
-TECB( e/d; KO 1,2 ) ;
-TCBC( e/d; KO 1,2 ) ;
-TCFB8( e/d; KO 1,2 ) |
-Windows Vista Symmetric Algorithm Implementation #549 |
-
-
-| Triple DES MAC |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed
-Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed |
-
-
-TECB( e/d; KO 1,2 ) ;
-TCBC( e/d; KO 1,2 ) |
-Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308
-Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307
-Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691
-Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #677
-Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #676
-Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #675
-Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #544
-Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #543
-Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #542
-Windows CE 6.0 and Window CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #526
-Windows CE and Windows Mobile 6 and Windows Mobile 6.1 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #517
-Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #381
-Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #370
-Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #365
-Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #315
-Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #201
-Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #199
-Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #192
-Windows XP Microsoft Enhanced Cryptographic Provider #81
-Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #18
-Crypto Driver for Windows 2000 (fips.sys) #16 |
-
-
-
-
-
-#### SP 800-132 Password Based Key Derivation Function (PBKDF)
-
-
-
- |
- Modes / States / Key Sizes
- |
-
- Algorithm Implementation and Certificate #
- |
-
-
- |
- PBKDF (vendor affirmed) |
-
- Kernel Mode Cryptographic Primitives Library (cng.sys) Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2937
(Software Version: 10.0.14393)
- Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
(Software Version: 10.0.14393)
- Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2935
(Software Version: 10.0.14393)
- Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2931
(Software Version: 10.0.14393)
- |
-
-
- |
- PBKDF (vendor affirmed) |
-
- Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
(Software Version: 10.0.14393)
- Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG), vendor-affirmed
- |
-
-
-
-
-#### Component Validation List
-
-
-
-
-
-
-
-
-| Publication / Component Validated / Description |
-Implementation and Certificate # |
-
-
-
-- ECDSA SigGen:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: DRBG #489 |
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540
-Version 6.3.9600 |
-
-
-
-- RSASP1:
-
-- Modulus Size: 2048 (bits)
-- Padding Algorithms: PKCS 1.5
- |
-Microsoft Surface Hub Virtual TPM Implementations #1519
-Version 10.0.15063.674 |
-
-
-
-- RSASP1:
-
-- Modulus Size: 2048 (bits)
-- Padding Algorithms: PKCS 1.5
- |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1518
-Version 10.0.16299 |
-
-
-
-- RSADP:
-
-- Modulus Size: 2048 (bits)
- |
-Microsoft Surface Hub MsBignum Cryptographic Implementations #1517
-Version 10.0.15063.674 |
-
-
-
-- RSASP1:
-
-- Modulus Size: 2048 (bits)
-- Padding Algorithms: PKCS 1.5
- |
-Microsoft Surface Hub MsBignum Cryptographic Implementations #1516
-Version 10.0.15063.674 |
-
-
-
-- ECDSA SigGen:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
- Prerequisite: DRBG #1732 |
-Microsoft Surface Hub MsBignum Cryptographic Implementations #1515
-Version 10.0.15063.674 |
-
-
-
-- ECDSA SigGen:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: DRBG #1732 |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #1514
-Version 10.0.15063.674 |
-
-
-
-- RSADP:
-
-- Modulus Size: 2048 (bits)
- |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #1513
-Version 10.0.15063.674 |
-
-
-
-- RSASP1:
-
-- Modulus Size: 2048 (bits)
-- Padding Algorithms: PKCS 1.5
- |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #1512
-Version 10.0.15063.674 |
-
-
-
-- IKEv1:
-
-- Methods: Digital Signature, Pre-shared Key, Public Key Encryption
-- Pre-shared Key Length: 64-2048
-- Diffie-Hellman shared secrets:
-
-- Diffie-Hellman shared secret:
-
-- Length: 2048 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 256 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 384 (bits)
-- SHA Functions: SHA-384
-
-Prerequisite: SHS #4011, HMAC #3269
-
-- IKEv2:
-
-- Derived Keying Material length: 192-1792
-- Diffie-Hellman shared secrets:
-
-- Diffie-Hellman shared secret:
-
-- Length: 2048 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 256 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 384 (bits)
-- SHA Functions: SHA-384
-
-Prerequisite: SHS #4011, HMAC #3269
-
-- TLS:
-
-- Supports TLS 1.0/1.1
-- Supports TLS 1.2:
-
-- SHA Functions: SHA-256, SHA-384
-
-Prerequisite: SHS #4011, HMAC #3269 |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #1511
-Version 10.0.15063.674 |
-
-
-
-- ECDSA SigGen:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: DRBG #1731 |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1510
-Version 10.0.15254 |
-
-
-
-- RSADP:
-
-- Modulus Size: 2048 (bits)
- |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1509
-Version 10.0.15254 |
-
-
-
-- RSASP1:
-
-- Modulus Size: 2048 (bits)
-- Padding Algorithms: PKCS 1.5
- |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1508
-Version 10.0.15254 |
-
-
-
-- IKEv1:
-
-- Methods: Digital Signature, Pre-shared Key, Public Key Encryption
-- Pre-shared Key Length: 64-2048
-- Diffie-Hellman shared secrets:
-
-- Diffie-Hellman shared secret:
-
-- Length: 2048 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 256 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 384 (bits)
-- SHA Functions: SHA-384
-
-Prerequisite: SHS #4010, HMAC #3268
-
-- IKEv2:
-
-- Derived Keying Material length: 192-1792
-- Diffie-Hellman shared secrets:
-
-- Diffie-Hellman shared secret:
-
-- Length: 2048 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 256 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 384 (bits)
-- SHA Functions: SHA-384
-
-Prerequisite: SHS #4010, HMAC #3268
-
-- TLS:
-
-- Supports TLS 1.0/1.1
-- Supports TLS 1.2:
-
-- SHA Functions: SHA-256, SHA-384
-
-Prerequisite: SHS #4010, HMAC #3268 |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1507
-Version 10.0.15254 |
-
-
-
-- ECDSA SigGen:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: DRBG #1731 |
-Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1506
-Version 10.0.15254 |
-
-
-
-- RSADP:
-
-- Modulus Size: 2048 (bits)
- |
-Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1505
-Version 10.0.15254 |
-
-
-
-- RSASP1:
-
-- Modulus Size: 2048 (bits)
-- Padding Algorithms: PKCS 1.5
- |
-Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1504
-Version 10.0.15254 |
-
-
-
-- ECDSA SigGen:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: DRBG #1730 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1503
-Version 10.0.16299 |
-
-
-
-- RSADP:
-
-- Modulus Size: 2048 (bits)
- |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1502
-Version 10.0.16299 |
-
-
-
-- RSASP1:
-
-- Modulus Size: 2048 (bits)
-- Padding Algorithms: PKCS 1.5
- |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1501
-Version 10.0.16299 |
-
-
-
-- ECDSA SigGen:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: DRBG #1730 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1499
-Version 10.0.16299 |
-
-
-
-- RSADP:
-
-- Modulus Size: 2048 (bits)
- |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1498
-Version 10.0.16299
- |
-
-
-
-- RSASP1:
-
-- Modulus Size: 2048 (bits)
-- Padding Algorithms: PKCS 1.5
- |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1497
-Version 10.0.16299 |
-
-
-
-- IKEv1:
-
-- Methods: Digital Signature, Pre-shared Key, Public Key Encryption
-- Pre-shared Key Length: 64-2048
-- Diffie-Hellman shared secrets:
-
-- Diffie-Hellman shared secret:
-
-- Length: 2048 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 256 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 384 (bits)
-- SHA Functions: SHA-384
-
-Prerequisite: SHS #4009, HMAC #3267
-
-- IKEv2:
-
-- Derived Keying Material length: 192-1792
-- Diffie-Hellman shared secrets:
-
-- Diffie-Hellman shared secret:
-
-- Length: 2048 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 256 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 384 (bits)
-- SHA Functions: SHA-384
-
-Prerequisite: SHS #4009, HMAC #3267
-
-- TLS:
-
-- Supports TLS 1.0/1.1
-- Supports TLS 1.2:
-
-- SHA Functions: SHA-256, SHA-384
-
-Prerequisite: SHS #4009, HMAC #3267 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1496
-Version 10.0.16299 |
-
-
-FIPS186-4 ECDSA
-Signature Generation of hash sized messages
-ECDSA SigGen Component: CURVES( P-256 P-384 P-521 ) |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1284
-Version 10.0. 15063
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1279
-Version 10.0. 15063
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #922
-Version 10.0.14393
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894
-Version 10.0.14393icrosoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #666
-Version 10.0.10586
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288
-Version 6.3.9600 |
-
-
-FIPS186-4 RSA; PKCS#1 v2.1
-RSASP1 Signature Primitive
-RSASP1: (Mod2048: PKCS1.5 PKCSPSS) |
-Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1285
-Version 10.0.15063
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1282
-Version 10.0.15063
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1280
-Version 10.0.15063
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #893
-Version 10.0.14393
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #888
-Version 10.0.14393
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665
-Version 10.0.10586
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #572
-Version 10.0.10240
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry MsBignum Cryptographic Implementations #289
-Version 6.3.9600 |
-
-
-FIPS186-4 RSA; RSADP
-RSADP Primitive
-RSADP: (Mod2048) |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1283
-Version 10.0.15063
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1281
-Version 10.0.15063
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #895
-Version 10.0.14393
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #887
-Version 10.0.14393
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #663
-Version 10.0.10586
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #576
-Version 10.0.10240 |
-
-
-SP800-135
-Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1496
-Version 10.0.16299
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1278
-Version 10.0.15063
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1140
-Version 7.00.2872
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1139
-Version 8.00.6246
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BcryptPrimitives and NCryptSSLp #886
-Version 10.0.14393
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BCryptPrimitives and NCryptSSLp #664
-Version 10.0.10586
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BCryptPrimitives and NCryptSSLp #575
-Version 10.0.10240
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp #323
-Version 6.3.9600 |
-
-
-
-
-
-## References
-
-\[[FIPS 140](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)\] - FIPS 140-2, Security Requirements for Cryptographic Modules
-
-\[[FIPS FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf)\] - Cryptographic Module Validation Program (CMVP) FAQ
-
-\[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\] - Recommendation for Key Management – Part 1: General (Revised)
-
-\[[SP 800-131A](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)\] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
-
-## Additional Microsoft References
-
-Enabling FIPS mode -
-
-Cipher Suites in Schannel - [http://msdn.microsoft.com/library/aa374757(VS.85).aspx](https://msdn.microsoft.com/library/aa374757\(vs.85\).aspx)
-
+
+Please be aware that selection of FIPS mode can limit product functionality (See ).
+
+## Information for Software Developers
+
+This section is targeted at developers who wish to build their own applications using the FIPS 140 validated cryptographic modules.
+
+Each of the validated cryptographic modules defines a series of rules that must be followed. The security rules for each validated cryptographic module are specified in the Security Policy document. Links to each of the Security Policy documents is provided in the [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) section below. Generally, the restriction in Microsoft validated cryptographic modules is limiting the use of cryptography to only FIPS Approved cryptographic algorithms, modes, and key sizes.
+
+### Using Microsoft Cryptographic Modules in a FIPS mode of operation
+
+No matter whether developing with native languages or using .NET, it is important to first check whether the CNG modules for the target system are FIPS validated. The list of validated CNG binaries is identified in the [CNG Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_cng_validated_cryptographic) section.
+
+When developing using CNG directly, it is the responsibility of the developer to follow the security rules outlined in the FIPS 140 Security Policy for each module. The security policy for each module is provided on the CMVP website. Links to each of the Security Policy documents is provided in the tables below. It is important to remember that setting the FIPS local/group security policy Flag (discussed above) does not affect the behavior of the modules when used for developing custom applications.
+
+If you are developing your application using .NET instead of using the native libraries, then setting the FIPS local policy flag will generate an exception when an improper .NET class is used for cryptography (i.e. the cryptographic classes whose names end in "Managed"). The names of these allowed classes end with "Cng", which use the CNG binaries or "CryptoServiceProvider", which use the legacy CAPI binaries.
+
+### Key Strengths and Validity Periods
+
+NIST Special Publication 800-131A Revision 1, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, dated November 2015, \[[SP 800-131A](http://dx.doi.org/10.6028/nist.sp.800-131ar1)\], offers guidance for moving to stronger cryptographic keys and algorithms. This does not replace NIST SP 800-57, Recommendation for Key Management Part 1: General, \[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\], but gives more specific guidance. One of the most important topics discussed in these publications deals with the key strengths of FIPS Approved algorithms and their validity periods. When developing applications that use FIPS Approved algorithms, it is also extremely important to select appropriate key sizes based on the security lifetimes recommended by NIST.
+
+## FIPS 140 FAQ
+
+The following are answers to commonly asked questions for the FIPS 140-2 validation of Microsoft products.
+
+1. How does FIPS 140 relate to the Common Criteria?
+ **Answer:** These are two separate security standards with different, but complementary, purposes. FIPS 140 is a standard designed specifically for validating product modules that implement cryptography. On the other hand, Common Criteria is designed to help evaluate security functions in IT products.
+ In many cases, Common Criteria evaluations will rely on FIPS 140 validations to provide assurance that cryptographic functionality is implemented properly.
+2. How does FIPS 140 relate to Suite B?
+ **Answer:** Suite B is simply a set of cryptographic algorithms defined by the U.S. National Security Agency (NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to be used for both unclassified information and most classified information.
+ The Suite B cryptographic algorithms are a subset of the FIPS Approved cryptographic algorithms as allowed by the FIPS 140 standard.
+3. There are so many modules listed on the NIST website for each release, how are they related and how do I tell which one applies to me?
+ **Answer:** Microsoft strives to validate all releases of its cryptographic modules. Each module provides a different set of cryptographic algorithms. If you are required to use only FIPS validated cryptographic modules, you simply need to verify that the version being used appears on the validation list.
+ Please see the [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140)section for a complete list of Microsoft validated modules.
+4. My application links against crypt32.dll, cryptsp.dll, advapi32.dll, bcrypt.dll, bcryptprimitives.dll, or ncrypt.dll. What do I need to do to assure I’m using FIPS 140 validated cryptographic modules?
+ **Answer:** crypt32.dll, cryptsp.dll, advapi32.dll, and ncrypt.dll are intermediary libraries that will offload all cryptographic operations to the FIPS validated cryptographic modules. Bcrypt.dll itself is a validated cryptographic module for Windows Vista and Windows Server 2008. For Windows 7 and Windows Server 2008 R2 and later, bcryptprimitives.dll is the validated module, but bcrypt.dll remains as one of the libraries to link against.
+ You must first verify that the underlying CNG cryptographic module is validated. Once verified, you'll need to confirm that you're using the module correctly in FIPS mode (See [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) section for details).
+5. What does "When operated in FIPS mode" mean on certificates?
+ **Answer:** This caveat identifies that a required configuration and security rules must be followed in order to use the cryptographic module in a manner consistent with its FIPS 140 Security Policy. The security rules are defined in the Security Policy for the module and usually revolve around using only FIPS Approved cryptographic algorithms and key sizes. Please see the Security Policy for the specific security rules for each cryptographic module (See [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) section for links to each policy).
+6. Which FIPS validated module is called when Windows 7 or Windows 8 is configured to use the FIPS setting in the wireless configuration?
+ **Answer:** CNG is used. This setting tells the wireless driver to call FIPS 140-2 validated cryptographic modules instead of using the driver’s own cryptography, if any.
+7. Is BitLocker to Go FIPS 140-2 validated?
+ **Answer:** There are two separate parts for BitLocker to Go. One part is simply a native feature of BitLocker and as such, it uses FIPS 140-2 validated cryptographic modules. The other part is the BitLocker to Go Reader application for down-level support of older operating systems such as Windows XP and Windows Vista. The Reader application does not use FIPS 140-2 validated cryptographic modules.
+8. Are applications FIPS 140-2 validated?
+ **Answer:** Microsoft only has low-level cryptographic modules in Windows FIPS 140-2 validated, not high-level applications. A better question is whether a certain application calls a FIPS 140-2 validated cryptographic module in the underlying Windows OS. That question needs to be directed to the company/product group that created the application of interest.
+9. How can Systems Center Operations Manager 2012 be configured to use FIPS 140-2 validated cryptographic modules?
+ **Answer:** See [https://technet.microsoft.com/library/hh914094.aspx](https://technet.microsoft.com/library/hh914094.aspx)
+
+## Microsoft FIPS 140 Validated Cryptographic Modules
+
+### Modules By Operating System
+
+The following tables identify the Cryptographic Modules for an operating system.
+
+#### Windows
+
+##### Windows 10 Creators Update (Version 1703)
+
+Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
+
+
+
+
+\[1\] Applies only to Home, Pro, Enterprise, Education and S
+
+\[2\] Applies only to Pro, Enterprise, Education, S, Mobile and Surface Hub
+
+\[3\] Applies only to Pro, Enterprise Education and S
+
+##### Windows 10 Anniversary Update (Version 1607)
+
+Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
+10.0.14393 |
+#2937 |
+FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+
+Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
+Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886) |
+
+
+| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+10.0.14393 |
+#2936 |
+FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+
+Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
+Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887) |
+
+
+| Boot Manager |
+10.0.14393 |
+#2931 |
+FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)
+Other algorithms: MD5; PBKDF (non-compliant); VMK KDF |
+
+
+| BitLocker® Windows OS Loader (winload) |
+10.0.14393 |
+#2932 |
+FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: NDRNG; MD5 |
+
+
+| BitLocker® Windows Resume (winresume)[1] |
+10.0.14393 |
+#2933 |
+FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: MD5 |
+
+
+| BitLocker® Dump Filter (dumpfve.sys)[2] |
+10.0.14393 |
+#2934 |
+FIPS Approved algorithms: AES (Certs. #4061 and #4064) |
+
+
+| Code Integrity (ci.dll) |
+10.0.14393 |
+#2935 |
+FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: AES (non-compliant); MD5
+Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888) |
+
+
+| Secure Kernel Code Integrity (skci.dll)[3] |
+10.0.14393 |
+#2938 |
+FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
+
+Other algorithms: MD5
+Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888) |
+
+
+
+
+
+\[1\] Applies only to Home, Pro, Enterprise and Enterprise LTSB
+
+\[2\] Applies only to Pro, Enterprise, Enterprise LTSB and Mobile
+
+\[3\] Applies only to Pro, Enterprise and Enterprise LTSB
+
+##### Windows 10 November 2015 Update (Version 1511)
+
+Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
+10.0.10586 |
+#2606 |
+FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
+
+Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
+Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664) |
+
+
+| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+10.0.10586 |
+#2605 |
+FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
+
+Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
+Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663) |
+
+
+| Boot Manager[4] |
+10.0.10586 |
+#2700 |
+FIPS Approved algorithms: AES (Certs. #3653); HMAC (Cert. #2381); PBKDF (vendor affirmed); RSA (Cert. #1871); SHS (Certs. #3047 and #3048)
+
+Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) |
+
+
+| BitLocker® Windows OS Loader (winload)[5] |
+10.0.10586 |
+#2701 |
+FIPS Approved algorithms: AES (Certs. #3629 and #3653); RSA (Cert. #1871); SHS (Cert. #3048)
+
+Other algorithms: MD5; NDRNG |
+
+
+| BitLocker® Windows Resume (winresume)[6] |
+10.0.10586 |
+#2702 |
+FIPS Approved algorithms: AES (Certs. #3653); RSA (Cert. #1871); SHS (Cert. #3048)
+
+Other algorithms: MD5 |
+
+
+| BitLocker® Dump Filter (dumpfve.sys)[7] |
+10.0.10586 |
+#2703 |
+FIPS Approved algorithms: AES (Certs. #3653) |
+
+
+| Code Integrity (ci.dll) |
+10.0.10586 |
+#2604 |
+FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
+
+Other algorithms: AES (non-compliant); MD5
+Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665) |
+
+
+| Secure Kernel Code Integrity (skci.dll)[8] |
+10.0.10586 |
+#2607 |
+FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
+
+Other algorithms: MD5
+Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665) |
+
+
+
+
+
+\[4\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub
+
+\[5\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub
+
+\[6\] Applies only to Home, Pro and Enterprise
+
+\[7\] Applies only to Pro, Enterprise, Mobile and Surface Hub
+
+\[8\] Applies only to Enterprise and Enterprise LTSB
+
+##### Windows 10 (Version 1507)
+
+Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Hub
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
+10.0.10240 |
+#2606 |
+FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
+
+Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
+Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575) |
+
+
+| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+10.0.10240 |
+#2605 |
+FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
+
+Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
+Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576) |
+
+
+| Boot Manager[9] |
+10.0.10240 |
+#2600 |
+FIPS Approved algorithms: AES (Cert. #3497); HMAC (Cert. #2233); KTS (AES Cert. #3498); PBKDF (vendor affirmed); RSA (Cert. #1784); SHS (Certs. #2871 and #2886)
+
+Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) |
+
+
+| BitLocker® Windows OS Loader (winload)[10] |
+10.0.10240 |
+#2601 |
+FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
+
+Other algorithms: MD5; NDRNG |
+
+
+| BitLocker® Windows Resume (winresume)[11] |
+10.0.10240 |
+#2602 |
+FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
+
+Other algorithms: MD5 |
+
+
+| BitLocker® Dump Filter (dumpfve.sys)[12] |
+10.0.10240 |
+#2603 |
+FIPS Approved algorithms: AES (Certs. #3497 and #3498) |
+
+
+| Code Integrity (ci.dll) |
+10.0.10240 |
+#2604 |
+FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
+
+Other algorithms: AES (non-compliant); MD5
+Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572) |
+
+
+| Secure Kernel Code Integrity (skci.dll)[13] |
+10.0.10240 |
+#2607 |
+FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
+
+Other algorithms: MD5
+Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572) |
+
+
+
+
+
+\[9\] Applies only to Home, Pro, Enterprise and Enterprise LTSB
+
+\[10\] Applies only to Home, Pro, Enterprise and Enterprise LTSB
+
+\[11\] Applies only to Home, Pro, Enterprise and Enterprise LTSB
+
+\[12\] Applies only to Pro, Enterprise and Enterprise LTSB
+
+\[13\] Applies only to Enterprise and Enterprise LTSB
+
+##### Windows 8.1
+
+Validated Editions: RT, Pro, Enterprise, Phone, Embedded
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
+6.3.9600 6.3.9600.17031 |
+#2357 |
+FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
+
+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
+Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323) |
+
+
+| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+6.3.9600 6.3.9600.17042 |
+#2356 |
+FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
+
+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
+Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289) |
+
+
+| Boot Manager |
+6.3.9600 6.3.9600.17031 |
+#2351 |
+FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+
+Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) |
+
+
+| BitLocker® Windows OS Loader (winload) |
+6.3.9600 6.3.9600.17031 |
+#2352 |
+FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
+
+Other algorithms: MD5; NDRNG |
+
+
+| BitLocker® Windows Resume (winresume)[14] |
+6.3.9600 6.3.9600.17031 |
+#2353 |
+FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+
+Other algorithms: MD5 |
+
+
+| BitLocker® Dump Filter (dumpfve.sys) |
+6.3.9600 6.3.9600.17031 |
+#2354 |
+FIPS Approved algorithms: AES (Cert. #2832)
+
+Other algorithms: N/A |
+
+
+| Code Integrity (ci.dll) |
+6.3.9600 6.3.9600.17031 |
+#2355#2355 |
+FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
+
+Other algorithms: MD5
+Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289) |
+
+
+
+
+
+\[14\] Applies only to Pro, Enterprise, and Embedded 8.
+
+##### Windows 8
+
+Validated Editions: RT, Home, Pro, Enterprise, Phone
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL) |
+6.2.9200 |
+#1892 |
+FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert. ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
+
+ |
+
+
+| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+6.2.9200 |
+#1891 |
+FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RNG (Cert. ); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
+
+Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) |
+
+
+| Boot Manager |
+6.2.9200 |
+#1895 |
+FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5 |
+
+
+| BitLocker® Windows OS Loader (WINLOAD) |
+6.2.9200 |
+#1896 |
+FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG |
+
+
+| BitLocker® Windows Resume (WINRESUME)[15] |
+6.2.9200 |
+#1898 |
+FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5 |
+
+
+| BitLocker® Dump Filter (DUMPFVE.SYS) |
+6.2.9200 |
+#1899 |
+FIPS Approved algorithms: AES (Certs. #2196 and #2198)
+
+Other algorithms: N/A |
+
+
+| Code Integrity (CI.DLL) |
+6.2.9200 |
+#1897 |
+FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5 |
+
+
+| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL) |
+6.2.9200 |
+#1893 |
+FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert. ); Triple-DES MAC (Triple-DES Cert. , vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. , key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+| Enhanced Cryptographic Provider (RSAENH.DLL) |
+6.2.9200 |
+#1894 |
+FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
+
+Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+
+
+
+\[15\] Applies only to Home and Pro
+
+**Windows 7**
+
+Validated Editions: Windows 7, Windows 7 SP1
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL) |
+6.1.7600.16385
+6.1.7601.17514 |
+1329 |
+FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); DSA (Cert. #386); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
+
+Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and ); SHS (Cert. ); Triple-DES (Cert. )
+
+Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 |
+
+
+| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+6.1.7600.16385
+6.1.7600.16915
+6.1.7600.21092
+6.1.7601.17514
+6.1.7601.17725
+6.1.7601.17919
+6.1.7601.21861
+6.1.7601.22076 |
+1328 |
+FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
+
+Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 |
+
+
+| Boot Manager |
+6.1.7600.16385
+6.1.7601.17514 |
+1319 |
+FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #557); SHS (Cert. #1081)
+
+Other algorithms: MD5#1168 and ); HMAC (Cert. ); RSA (Cert. ); SHS (Cert. )
+
+Other algorithms: MD5 |
+
+
+| Winload OS Loader (winload.exe) |
+6.1.7600.16385
+6.1.7600.16757
+6.1.7600.20897
+6.1.7600.20916
+6.1.7601.17514
+6.1.7601.17556
+6.1.7601.21655
+6.1.7601.21675 |
+1326 |
+FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #557); SHS (Cert. #1081)
+
+Other algorithms: MD5 |
+
+
+| BitLocker™ Drive Encryption |
+6.1.7600.16385
+6.1.7600.16429
+6.1.7600.16757
+6.1.7600.20536
+6.1.7600.20873
+6.1.7600.20897
+6.1.7600.20916
+6.1.7601.17514
+6.1.7601.17556
+6.1.7601.21634
+6.1.7601.21655
+6.1.7601.21675 |
+1332 |
+FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
+
+Other algorithms: Elephant Diffuser |
+
+
+| Code Integrity (CI.DLL) |
+6.1.7600.16385
+6.1.7600.17122
+6.1.7600.21320
+6.1.7601.17514
+6.1.7601.17950
+6.1.7601.22108 |
+1327 |
+FIPS Approved algorithms: RSA (Cert. #557); SHS (Cert. #1081)
+
+Other algorithms: MD5 |
+
+
+| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL) |
+6.1.7600.16385
+(no change in SP1) |
+1331 |
+FIPS Approved algorithms: DSA (Cert. #385); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4 |
+
+
+| Enhanced Cryptographic Provider (RSAENH.DLL) |
+6.1.7600.16385
+(no change in SP1) |
+1330 |
+FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #673); SHS (Cert. #1081); RSA (Certs. #557 and #559); Triple-DES (Cert. #846)
+
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256-bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+
+
+
+##### Windows Vista SP1
+
+Validated Editions: Ultimate Edition
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Boot Manager (bootmgr) |
+6.0.6001.18000 and 6.0.6002.18005 |
+978 |
+FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #354); SHS (Cert. #753) |
+
+
+| Winload OS Loader (winload.exe) |
+6.0.6001.18000, 6.0.6001.18027, 6.0.6001.18606, 6.0.6001.22125, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411 and 6.0.6002.22596 |
+979 |
+FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #354); SHS (Cert. #753)
+
+Other algorithms: MD5 |
+
+
+| Code Integrity (ci.dll) |
+6.0.6001.18000, 6.0.6001.18023, 6.0.6001.22120, and 6.0.6002.18005 |
+980 |
+FIPS Approved algorithms: RSA (Cert. #354); SHS (Cert. #753)
+
+Other algorithms: MD5 |
+
+
+| Kernel Mode Security Support Provider Interface (ksecdd.sys) |
+6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.22869 |
+1000 |
+FIPS Approved algorithms: AES (Certs. #739 and #756); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)#739 and ); ECDSA (Cert. ); HMAC (Cert. ); RNG (Cert. and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+| Cryptographic Primitives Library (bcrypt.dll) |
+6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005, and 6.0.6002.22872 |
+1001 |
+FIPS Approved algorithms: AES (Certs. #739 and #756); DSA (Cert. #283); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90, vendor affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength) |
+
+
+| Enhanced Cryptographic Provider (RSAENH) |
+6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.18005 |
+1002 |
+FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #407); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #354); SHS (Cert. #753); Triple-DES (Cert. #656)
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
+6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005 |
+1003 |
+FIPS Approved algorithms: DSA (Cert. #281); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4 |
+
+
+
+
+
+##### Windows Vista
+
+Validated Editions: Ultimate Edition
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Enhanced Cryptographic Provider (RSAENH) |
+6.0.6000.16386 |
+893 |
+FIPS Approved algorithms: AES (Cert. #553); HMAC (Cert. #297); RNG (Cert. #321); RSA (Certs. #255 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
+
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
+6.0.6000.16386 |
+894 |
+FIPS Approved algorithms: DSA (Cert. #226); RNG (Cert. #321); SHS (Cert. #618); Triple-DES (Cert. #549); Triple-DES MAC (Triple-DES Cert. #549, vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4 |
+
+
+| BitLocker™ Drive Encryption |
+6.0.6000.16386 |
+947 |
+FIPS Approved algorithms: AES (Cert. #715); HMAC (Cert. #386); SHS (Cert. #737)
+
+Other algorithms: Elephant Diffuser |
+
+
+| Kernel Mode Security Support Provider Interface (ksecdd.sys) |
+6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067 |
+891 |
+FIPS Approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
+
+Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5 |
+
+
+
+
+
+##### Windows XP SP3
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Kernel Mode Cryptographic Module (FIPS.SYS) |
+5.1.2600.5512 |
+997 |
+FIPS Approved algorithms: HMAC (Cert. #429); RNG (Cert. #449); SHS (Cert. #785); Triple-DES (Cert. #677); Triple-DES MAC (Triple-DES Cert. #677, vendor affirmed)
+Other algorithms: DES; MD5; HMAC MD5 |
+
+
+| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
+5.1.2600.5507 |
+990 |
+FIPS Approved algorithms: DSA (Cert. #292); RNG (Cert. #448); SHS (Cert. #784); Triple-DES (Cert. #676); Triple-DES MAC (Triple-DES Cert. #676, vendor affirmed)
+Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4 |
+
+
+| Enhanced Cryptographic Provider (RSAENH) |
+5.1.2600.5507 |
+989 |
+FIPS Approved algorithms: AES (Cert. #781); HMAC (Cert. #428); RNG (Cert. #447); RSA (Cert. #371); SHS (Cert. #783); Triple-DES (Cert. #675); Triple-DES MAC (Triple-DES Cert. #675, vendor affirmed)
+Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits) |
+
+
+
+
+
+##### Windows XP SP2
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| DSS/Diffie-Hellman Enhanced Cryptographic Provider |
+5.1.2600.2133 |
+240 |
+FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #29)
+Other algorithms: DES (Cert. #66); RC2; RC4; MD5; DES40; Diffie-Hellman (key agreement) |
+
+
+| Microsoft Enhanced Cryptographic Provider |
+5.1.2600.2161 |
+238 |
+FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)
+Other algorithms: DES (Cert. #156); RC2; RC4; MD5 |
+
+
+
+
+
+##### Windows XP SP1
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Microsoft Enhanced Cryptographic Provider |
+5.1.2600.1029 |
+238 |
+FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)
+Other algorithms: DES (Cert. #156); RC2; RC4; MD5 |
+
+
+
+
+
+##### Windows XP
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Kernel Mode Cryptographic Module |
+5.1.2600.0 |
+241 |
+FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #35); HMAC-SHA-1 (Cert. #35, vendor affirmed)
+Other algorithms: DES (Cert. #89) |
+
+
+
+
+
+##### Windows 2000 SP3
+
+
+
+
+##### Windows 2000 SP2
+
+
+
+
+##### Windows 2000 SP1
+
+
+
+
+##### Windows 2000
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enchanced Cryptographic Provider, and Enhanced Cryptographic Provider |
+5.0.2150.1 |
+76 |
+FIPS Approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. #28 and 29); RSA (vendor affirmed)
+Other algorithms: DES (Certs. #65, 66, 67 and 68); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement) |
+
+
+
+
+
+##### Windows 95 and Windows 98
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enchanced Cryptographic Provider, and Enhanced Cryptographic Provider |
+5.0.1877.6 and 5.0.1877.7 |
+75 |
+FIPS Approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor- affirmed)
+Other algorithms: DES (Certs. #61, 62, 63 and 64); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement) |
+
+
+
+
+
+##### Windows NT 4.0
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Base Cryptographic Provider |
+5.0.1877.6 and 5.0.1877.7 |
+68 |
+FIPS Approved algorithms: SHA-1 (Certs. #20 and 21); DSA/SHA- 1 (Certs. #25 and 26); RSA (vendor affirmed)
+
+Other algorithms: DES (Certs. #61, 62, 63 and 64); Triple-DES (allowed for US and Canadian Government use); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement) |
+
+
+
+
+
+#### Windows Server
+
+##### Windows Server 2016
+
+Validated Editions: Standard, Datacenter, Storage Server
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
+10.0.14393 |
+2937 |
+FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+
+Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt) |
+
+
+| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+10.0.14393 |
+2936 |
+FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+
+Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt) |
+
+
+| Boot Manager |
+10.0.14393 |
+2931 |
+FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)
+Other algorithms: MD5; PBKDF (non-compliant); VMK KDF |
+
+
+| BitLocker® Windows OS Loader (winload) |
+10.0.14393 |
+2932 |
+FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: NDRNG; MD5 |
+
+
+| BitLocker® Windows Resume (winresume) |
+10.0.14393 |
+2933 |
+FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: MD5 |
+
+
+| BitLocker® Dump Filter (dumpfve.sys) |
+10.0.14393 |
+2934 |
+FIPS Approved algorithms: AES (Certs. #4061 and #4064) |
+
+
+| Code Integrity (ci.dll) |
+10.0.14393 |
+2935 |
+FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: AES (non-compliant); MD5 |
+
+
+| Secure Kernel Code Integrity (skci.dll) |
+10.0.14393 |
+2938 |
+FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
+
+Other algorithms: MD5 |
+
+
+
+
+
+##### Windows Server 2012 R2
+
+Validated Editions: Server, Storage Server,
+
+**StorSimple 8000 Series, Azure StorSimple Virtual Array Windows Server 2012 R2**
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
+6.3.9600 6.3.9600.17031 |
+2357 |
+FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
+
+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt) |
+
+
+| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+6.3.9600 6.3.9600.17042 |
+2356 |
+FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
+
+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt) |
+
+
+| Boot Manager |
+6.3.9600 6.3.9600.17031 |
+2351 |
+FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+
+Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) |
+
+
+| BitLocker® Windows OS Loader (winload) |
+6.3.9600 6.3.9600.17031 |
+2352 |
+FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
+
+Other algorithms: MD5; NDRNG |
+
+
+| BitLocker® Windows Resume (winresume)[16] |
+6.3.9600 6.3.9600.17031 |
+2353 |
+FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+
+Other algorithms: MD5 |
+
+
+| BitLocker® Dump Filter (dumpfve.sys)[17] |
+6.3.9600 6.3.9600.17031 |
+2354 |
+FIPS Approved algorithms: AES (Cert. #2832)
+
+Other algorithms: N/A |
+
+
+| Code Integrity (ci.dll) |
+6.3.9600 6.3.9600.17031 |
+2355 |
+FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
+
+Other algorithms: MD5 |
+
+
+
+
+
+\[16\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2**
+
+\[17\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2**
+
+**Windows Server 2012**
+
+Validated Editions: Server, Storage Server
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL) |
+6.2.9200 |
+1892 |
+FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert. ); HMAC (Cert. #); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
+
+Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) |
+
+
+| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+6.2.9200 |
+1891 |
+FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
+
+Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) |
+
+
+| Boot Manager |
+6.2.9200 |
+1895 |
+FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5 |
+
+
+| BitLocker® Windows OS Loader (WINLOAD) |
+6.2.9200 |
+1896 |
+FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG |
+
+
+| BitLocker® Windows Resume (WINRESUME) |
+6.2.9200 |
+1898 |
+FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5 |
+
+
+| BitLocker® Dump Filter (DUMPFVE.SYS) |
+6.2.9200 |
+1899 |
+FIPS Approved algorithms: AES (Certs. #2196 and #2198)
+
+Other algorithms: N/A |
+
+
+| Code Integrity (CI.DLL) |
+6.2.9200 |
+1897 |
+FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5 |
+
+
+| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL) |
+6.2.9200 |
+1893 |
+FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+| Enhanced Cryptographic Provider (RSAENH.DLL) |
+6.2.9200 |
+1894 |
+FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
+
+Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+
+
+
+##### Windows Server 2008 R2
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Boot Manager (bootmgr) |
+6.1.7600.16385 or 6.1.7601.175146.1.7600.16385 or 6.1.7601.17514 |
+1321 |
+FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #568); SHS (Cert. #1081)
+
+Other algorithms: MD5 |
+
+
+| Winload OS Loader (winload.exe) |
+6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216756.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.21675 |
+1333 |
+FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
+
+Other algorithms: MD5 |
+
+
+| Code Integrity (ci.dll) |
+6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221086.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.22108 |
+1334 |
+FIPS Approved algorithms: RSA (Cert. #568); SHS (Cert. #1081)
+
+Other algorithms: MD5 |
+
+
+| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220766.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.22076 |
+1335 |
+FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
+
+-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 |
+
+
+| Cryptographic Primitives Library (bcryptprimitives.dll) |
+66.1.7600.16385 or 6.1.7601.1751466.1.7600.16385 or 6.1.7601.17514 |
+1336 |
+FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); DSA (Cert. #391); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
+
+Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4 |
+
+
+| Enhanced Cryptographic Provider (RSAENH) |
+6.1.7600.16385 |
+1337 |
+FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #687); SHS (Cert. #1081); RSA (Certs. #559 and #568); Triple-DES (Cert. #846)
+
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
+6.1.7600.16385 |
+1338 |
+FIPS Approved algorithms: DSA (Cert. #390); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4 |
+
+
+| BitLocker™ Drive Encryption |
+6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216756.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675 |
+1339 |
+FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
+
+Other algorithms: Elephant Diffuser |
+
+
+
+
+
+##### Windows Server 2008
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Boot Manager (bootmgr) |
+6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224976.0.6001.18000, 6.0.6002.18005 and 6.0.6002.22497 |
+1004 |
+FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #355); SHS (Cert. #753)
+
+Other algorithms: N/A |
+
+
+| Winload OS Loader (winload.exe) |
+6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225966.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.22596 |
+1005 |
+FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
+
+Other algorithms: MD5 |
+
+
+| Code Integrity (ci.dll) |
+6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005 |
+1006 |
+FIPS Approved algorithms: RSA (Cert. #355); SHS (Cert. #753)
+
+Other algorithms: MD5 |
+
+
+| Kernel Mode Security Support Provider Interface (ksecdd.sys) |
+6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.22869 |
+1007 |
+FIPS Approved algorithms: AES (Certs. #739 and #757); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
+
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert. ); RNG (Cert. and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
+
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+| Cryptographic Primitives Library (bcrypt.dll) |
+6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005 and 6.0.6002.22872 |
+1008 |
+FIPS Approved algorithms: AES (Certs. #739 and #757); DSA (Cert. #284); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
+
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength) |
+
+
+| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
+6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005 |
+1009 |
+FIPS Approved algorithms: DSA (Cert. #282); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
+
+-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4 |
+
+
+| Enhanced Cryptographic Provider (RSAENH) |
+6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.18005 |
+1010 |
+FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)
+
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+
+
+
+##### Windows Server 2003 SP2
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
+5.2.3790.3959 |
+875 |
+FIPS Approved algorithms: DSA (Cert. #221); RNG (Cert. #314); RSA (Cert. #245); SHS (Cert. #611); Triple-DES (Cert. #543)
+Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4 |
+
+
+| Kernel Mode Cryptographic Module (FIPS.SYS) |
+5.2.3790.3959 |
+869 |
+FIPS Approved algorithms: HMAC (Cert. #287); RNG (Cert. #313); SHS (Cert. #610); Triple-DES (Cert. #542)
+Other algorithms: DES; HMAC-MD5 |
+
+
+| Enhanced Cryptographic Provider (RSAENH) |
+5.2.3790.3959 |
+868 |
+FIPS Approved algorithms: AES (Cert. #548); HMAC (Cert. #289); RNG (Cert. #316); RSA (Cert. #245); SHS (Cert. #613); Triple-DES (Cert. #544)
+Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+
+
+
+##### Windows Server 2003 SP1
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Kernel Mode Cryptographic Module (FIPS.SYS) |
+5.2.3790.1830 [SP1] |
+405 |
+FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])
+Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)
+[1] x86
+[2] SP1 x86, x64, IA64 |
+
+
+| Enhanced Cryptographic Provider (RSAENH) |
+5.2.3790.1830 [Service Pack 1]) |
+382 |
+FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])
+Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5
+[1] x86
+[2] SP1 x86, x64, IA64 |
+
+
+| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
+5.2.3790.1830 [Service Pack 1] |
+381 |
+FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)
+Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40
+[1] x86
+[2] SP1 x86, x64, IA64 |
+
+
+
+
+
+##### Windows Server 2003
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Kernel Mode Cryptographic Module (FIPS.SYS) |
+5.2.3790.0 |
+405 |
+FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])
+Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)
+[1] x86
+[2] SP1 x86, x64, IA64 |
+
+
+| Enhanced Cryptographic Provider (RSAENH) |
+5.2.3790.0 |
+382 |
+FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])
+Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5
+[1] x86
+[2] SP1 x86, x64, IA64 |
+
+
+| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
+5.2.3790.0 |
+381 |
+FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)
+Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40
+[1] x86
+[2] SP1 x86, x64, IA64 |
+
+
+
+
+
+#### Other Products
+
+##### Windows Embedded Compact 7 and Windows Embedded Compact 8
+
+
+
+
+
+##### Windows CE 6.0 and Windows Embedded Compact 7
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Enhanced Cryptographic Provider |
+6.00.1937 [1] and 7.00.1687 [2] |
+825 |
+FIPS Approved algorithms: AES (Certs. #516 [1] and #2024 [2]); HMAC (Certs. #267 [1] and #1227 [2]); RNG (Certs. #292 [1] and #1060 [2]); RSA (Cert. #230 [1] and #1052 [2]); SHS (Certs. #589 [1] and #1774 [2]); Triple-DES (Certs. #526 [1] and #1308 [2])
+Other algorithms: MD5; HMAC-MD5; RC2; RC4; DES |
+
+
+
+
+
+##### Outlook Cryptographic Provider
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Outlook Cryptographic Provider (EXCHCSP) |
+SR-1A (3821)SR-1A (3821) |
+110 |
+FIPS Approved algorithms: Triple-DES (Cert. #18); SHA-1 (Certs. #32); RSA (vendor affirmed)
+Other algorithms: DES (Certs. #91); DES MAC; RC2; MD2; MD5 |
+
+
+
+
+
+
+### Cryptographic Algorithms
+
+The following tables are organized by cryptographic algorithms with their modes, states, and key sizes. For each algorithm implementation (operating system / platform), there is a link to the Cryptographic Algorithm Validation Program (CAVP) issued certificate.
+
+### Advanced Encryption Standard (AES)
+
+
+
+
+
+
+
+
+| Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
+
+
+
+- AES-CBC:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CFB128:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CTR:
+
+- Counter Source: Internal
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-OFB:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ |
+Microsoft Surface Hub Virtual TPM Implementations #4904
+Version 10.0.15063.674 |
+
+
+
+- AES-CBC:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CFB128:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CTR:
+
+- Counter Source: Internal
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-OFB:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #4903
+Version 10.0.16299 |
+
+
+
+- AES-CBC:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CCM:
+
+- Key Lengths: 128, 192, 256 (bits)
+- Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
+- IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
+- Plain Text Length: 0-32
+- AAD Length: 0-65536
+ - AES-CFB128:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CFB8:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CMAC:
+
+- Generation:
+
+- AES-128:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-192:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-256:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - Verification:
+
+- AES-128:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-192:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-256:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-CTR:
+
+- Counter Source: Internal
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-ECB:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-GCM:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+- Tag Lengths: 96, 104, 112, 120, 128 (bits)
+- Plain Text Lengths: 0, 8, 1016, 1024 (bits)
+- AAD Lengths: 0, 8, 1016, 1024 (bits)
+- 96 bit IV supported
+ - AES-XTS:
+
+- Key Size: 128:
+
+- Modes: Decrypt, Encrypt
+- Block Sizes: Full
+ - Key Size: 256:
+
+- Modes: Decrypt, Encrypt
+- Block Sizes: Full
+ |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #4902
+Version 10.0.15063.674 |
+
+
+
+- AES-CBC:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CCM:
+
+- Key Lengths: 128, 192, 256 (bits)
+- Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
+- IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
+- Plain Text Length: 0-32
+- AAD Length: 0-65536
+ - AES-CFB128:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CFB8:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CMAC:
+
+- Generation:
+
+- AES-128:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-192:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-256:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - Verification:
+
+- AES-128:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-192:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-256:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-CTR:
+
+- Counter Source: Internal
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-ECB:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-GCM:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+- Tag Lengths: 96, 104, 112, 120, 128 (bits)
+- Plain Text Lengths: 0, 8, 1016, 1024 (bits)
+- AAD Lengths: 0, 8, 1016, 1024 (bits)
+- 96 bit IV supported
+ - AES-XTS:
+
+- Key Size: 128:
+
+- Modes: Decrypt, Encrypt
+- Block Sizes: Full
+ - Key Size: 256:
+
+- Modes: Decrypt, Encrypt
+- Block Sizes: Full
+ |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4901
+Version 10.0.15254 |
+
+
+
+- AES-CBC:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CCM:
+
+- Key Lengths: 128, 192, 256 (bits)
+- Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
+- IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
+- Plain Text Length: 0-32
+- AAD Length: 0-65536
+ - AES-CFB128:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CFB8:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CMAC:
+
+- Generation:
+
+- AES-128:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-192:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-256:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - Verification:
+
+- AES-128:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-192:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-256:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-CTR:
+
+- Counter Source: Internal
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-ECB:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-GCM:
+
+- Modes: Decrypt, Encrypt
+- IV Generation: External
+- Key Lengths: 128, 192, 256 (bits)
+- Tag Lengths: 96, 104, 112, 120, 128 (bits)
+- Plain Text Lengths: 0, 8, 1016, 1024 (bits)
+- AAD Lengths: 0, 8, 1016, 1024 (bits)
+- 96 bit IV supported
+ - AES-XTS:
+
+- Key Size: 128:
+
+- Modes: Decrypt, Encrypt
+- Block Sizes: Full
+ - Key Size: 256:
+
+- Modes: Decrypt, Encrypt
+- Block Sizes: Full
+ |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4897
+Version 10.0.16299 |
+
+
+AES-KW:
+
+- Modes: Decrypt, Encrypt
+- CIPHK transformation direction: Forward
+- Key Lengths: 128, 192, 256 (bits)
+- Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
+
+AES Val#4902 |
+Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #4900
+Version 10.0.15063.674 |
+
+
+AES-KW:
+
+- Modes: Decrypt, Encrypt
+- CIPHK transformation direction: Forward
+- Key Lengths: 128, 192, 256 (bits)
+- Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
+
+AES Val#4901 |
+Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #4899
+Version 10.0.15254 |
+
+
+AES-KW:
+
+- Modes: Decrypt, Encrypt
+- CIPHK transformation direction: Forward
+- Key Lengths: 128, 192, 256 (bits)
+- Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
+
+AES Val#4897 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898
+Version 10.0.16299 |
+
+
+AES-CCM:
+
+- Key Lengths: 256 (bits)
+- Tag Lengths: 128 (bits)
+- IV Lengths: 96 (bits)
+- Plain Text Length: 0-32
+- AAD Length: 0-65536
+
+AES Val#4902 |
+Microsoft Surface Hub BitLocker(R) Cryptographic Implementations #4896
+Version 10.0.15063.674 |
+
+
+AES-CCM:
+
+- Key Lengths: 256 (bits)
+- Tag Lengths: 128 (bits)
+- IV Lengths: 96 (bits)
+- Plain Text Length: 0-32
+- AAD Length: 0-65536
+
+AES Val#4901 |
+Windows 10 Mobile (version 1709) BitLocker(R) Cryptographic Implementations #4895
+Version 10.0.15254 |
+
+
+AES-CCM:
+
+- Key Lengths: 256 (bits)
+- Tag Lengths: 128 (bits)
+- IV Lengths: 96 (bits)
+- Plain Text Length: 0-32
+- AAD Length: 0-65536
+
+AES Val#4897 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894
+Version 10.0.16299 |
+
+
+CBC ( e/d; 128 , 192 , 256 );
+CFB128 ( e/d; 128 , 192 , 256 );
+OFB ( e/d; 128 , 192 , 256 );
+CTR ( int only; 128 , 192 , 256 ) |
+Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627
+Version 10.0.15063 |
+
+
+KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )
+AES Val#4624 |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626
+Version 10.0.15063 |
+
+
+CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
+AES Val#4624
+ |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625
+Version 10.0.15063 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
+CFB128 ( e/d; 128 , 192 , 256 );
+CTR ( int only; 128 , 192 , 256 )
+CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
+GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
+IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported
+GMAC_Supported
+XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624
+Version 10.0.15063 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 ); |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434
+Version 7.00.2872 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 ); |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433
+Version 8.00.6246 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CTR ( int only; 128 , 192 , 256 ) |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431
+Version 7.00.2872 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CTR ( int only; 128 , 192 , 256 ) |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430
+Version 8.00.6246 |
+
+
+CBC ( e/d; 128 , 192 , 256 );
+CFB128 ( e/d; 128 , 192 , 256 );
+OFB ( e/d; 128 , 192 , 256 );
+CTR ( int only; 128 , 192 , 256 ) |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074
+Version 10.0.14393 |
+
+
+ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
+CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
+GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
+IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
+GMAC_Supported
+XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064
+Version 10.0.14393 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
+ |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
+Version 10.0.14393 |
+
+
+KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )
+AES Val#4064 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062
+Version 10.0.14393 |
+
+
+CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
+AES Val#4064 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061
+Version 10.0.14393 |
+
+
+KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )
+AES Val#3629 |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652
+Version 10.0.10586 |
+
+
+CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
+AES Val#3629 |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653
+Version 10.0.10586 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
+ |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
+Version 10.0.10586 |
+
+
+ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
+CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
+GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
+IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
+GMAC_Supported
+XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629
+
+
+Version 10.0.10586 |
+
+
+KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )
+AES Val#3497 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507
+Version 10.0.10240 |
+
+
+CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
+AES Val#3497 |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498
+Version 10.0.10240 |
+
+
+ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
+CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
+GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
+IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
+GMAC_Supported
+XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
+Version 10.0.10240 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
+ |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
+Version 10.0.10240 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
+ |
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853
+Version 6.3.9600 |
+
+
+CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
+AES Val#2832 |
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848
+Version 6.3.9600 |
+
+
+CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
+GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
+IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported ;
+OtherIVLen_Supported
+GMAC_Supported |
+Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832
+Version 6.3.9600 |
+
+
+CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+AES Val#2197
+CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
+AES Val#2197
+GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
+IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
+GMAC_Supported |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216 |
+
+
+CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
+AES Val#2196 |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
+CFB128 ( e/d; 128 , 192 , 256 );
+CTR ( int only; 128 , 192 , 256 ) |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
+ |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196 |
+
+
+CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+AES Val#1168 |
+Windows Server 2008 R2 and SP1 CNG algorithms #1187
+Windows 7 Ultimate and SP1 CNG algorithms #1178 |
+
+
+CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
+AES Val#1168 |
+Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
+ |
+Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 |
+
+
+GCM
+GMAC |
+Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 , vendor-affirmed |
+
+
+| CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) |
+Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760 |
+
+
+| CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) |
+Windows Server 2008 CNG algorithms #757
+Windows Vista Ultimate SP1 CNG algorithms #756 |
+
+
+CBC ( e/d; 128 , 256 );
+CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) |
+Windows Vista Ultimate BitLocker Drive Encryption #715
+Windows Vista Ultimate BitLocker Drive Encryption #424 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 ); |
+Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739
+Windows Vista Symmetric Algorithm Implementation #553 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CTR ( int only; 128 , 192 , 256 ) |
+Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 ); |
+Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818
+Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781
+Windows 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #548
+Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #516
+Windows CE and Windows Mobile 6, 6.1, and 6.5 Enhanced Cryptographic Provider (RSAENH) #507
+Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #290
+Windows CE 5.0 and 5.1 Enhanced Cryptographic Provider (RSAENH) #224
+Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #80
+Windows XP, SP1, and SP2 Enhanced Cryptographic Provider (RSAENH) #33 |
+
+
+
+
+
+Deterministic Random Bit Generator (DRBG)
+
+
+
+
+
+
+
+
+| Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
+
+
+
+- Counter:
+
+- Modes: AES-256
+- Derivation Function States: Derivation Function not used
+- Prediction Resistance Modes: Not Enabled
+
+Prerequisite: AES #4904 |
+Microsoft Surface Hub Virtual TPM Implementations #1734
+Version 10.0.15063.674 |
+
+
+
+- Counter:
+
+- Modes: AES-256
+- Derivation Function States: Derivation Function not used
+- Prediction Resistance Modes: Not Enabled
+
+Prerequisite: AES #4903 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1733
+Version 10.0.16299 |
+
+
+
+- Counter:
+
+- Modes: AES-256
+- Derivation Function States: Derivation Function used
+- Prediction Resistance Modes: Not Enabled
+
+Prerequisite: AES #4902 |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #1732
+Version 10.0.15063.674 |
+
+
+
+- Counter:
+
+- Modes: AES-256
+- Derivation Function States: Derivation Function used
+- Prediction Resistance Modes: Not Enabled
+
+Prerequisite: AES #4901 |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1731
+Version 10.0.15254 |
+
+
+
+- Counter:
+
+- Modes: AES-256
+- Derivation Function States: Derivation Function used
+- Prediction Resistance Modes: Not Enabled
+
+Prerequisite: AES #4897 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1730
+Version 10.0.16299 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ] |
+Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556
+Version 10.0.15063 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ] |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555
+Version 10.0.15063 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ] |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433
+Version 7.00.2872 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ] |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432
+Version 8.00.6246 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ] |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430
+Version 7.00.2872 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ] |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429
+Version 8.00.6246 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ] |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222
+Version 10.0.14393 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ] |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217
+Version 10.0.14393 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ] |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955
+Version 10.0.10586 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ] |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868
+Version 10.0.10240 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ] |
+Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489
+Version 6.3.9600 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ] |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ] |
+Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ] |
+Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23 |
+
+
+| DRBG (SP 800–90) |
+Windows Vista Ultimate SP1, vendor-affirmed |
+
+
+
+
+
+#### Digital Signature Algorithm (DSA)
+
+
+
+
+
+
+
+
+| Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
+
+
+
+- DSA:
+
+- 186-4:
+
+- PQGGen:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - PQGVer:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - SigGen:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - SigVer:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - KeyPair:
+
+- L = 2048, N = 256
+- L = 3072, N = 256
+
+Prerequisite: SHS #4011, DRBG #1732 |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #1303
+Version 10.0.15063.674 |
+
+
+
+- DSA:
+
+- 186-4:
+
+- PQGGen:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - PQGVer:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - SigGen:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - SigVer:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - KeyPair:
+
+-
+-
+- L = 2048, N = 256
+- L = 3072, N = 256
+
+Prerequisite: SHS #4010, DRBG #1731 |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1302
+Version 10.0.15254 |
+
+
+
+- DSA:
+
+- 186-4:
+
+- PQGGen:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - PQGVer:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - SigGen:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - SigVer:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - KeyPair:
+
+- L = 2048, N = 256
+- L = 3072, N = 256
+
+Prerequisite: SHS #4009, DRBG #1730 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301
+Version 10.0.16299 |
+
+
+FIPS186-4:
+PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+KeyPairGen: [ (2048,256) ; (3072,256) ]
+SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SHS: Val#3790
+DRBG: Val# 1555 |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223
+Version 10.0.15063 |
+
+
+FIPS186-4:
+PQG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
+SIG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
+SHS: Val# 3649 |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188
+Version 7.00.2872 |
+
+
+FIPS186-4:
+PQG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
+SIG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
+SHS: Val#3648 |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187
+Version 8.00.6246 |
+
+
+FIPS186-4:
+PQG(gen)PARMS TESTED: [
+(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+KeyPairGen: [ (2048,256) ; (3072,256) ]
+SIG(gen)PARMS TESTED: [ (2048,256)
+SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SHS: Val# 3347
+DRBG: Val# 1217 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098
+Version 10.0.14393 |
+
+
+FIPS186-4:
+PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
+KeyPairGen: [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SHS: Val# 3047
+DRBG: Val# 955 |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024
+Version 10.0.10586 |
+
+
+FIPS186-4:
+PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+KeyPairGen: [ (2048,256) ; (3072,256) ]
+SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SHS: Val# 2886
+DRBG: Val# 868 |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983
+Version 10.0.10240 |
+
+
+FIPS186-4:
+PQG(gen)PARMS TESTED: [
+(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED: [ (2048,256)
+SHA( 256 ); (3072,256) SHA( 256 ) ]
+KeyPairGen: [ (2048,256) ; (3072,256) ]
+SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SHS: Val# 2373
+DRBG: Val# 489 |
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855
+Version 6.3.9600 |
+
+
+FIPS186-2:
+PQG(ver) MOD(1024);
+SIG(ver) MOD(1024);
+SHS: #1903
+DRBG: #258
+FIPS186-4:
+PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SHS: #1903
+DRBG: #258
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687. |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687 |
+
+
+FIPS186-2:
+PQG(ver) MOD(1024);
+SIG(ver) MOD(1024);
+SHS: #1902
+DRBG: #258
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686. |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686 |
+
+
+FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 1773
+DRBG: Val# 193
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645. |
+Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645 |
+
+
+FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 1081
+DRBG: Val# 23
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386. |
+Windows Server 2008 R2 and SP1 CNG algorithms #391
+Windows 7 Ultimate and SP1 CNG algorithms #386 |
+
+
+FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 1081
+RNG: Val# 649
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385. |
+Windows Server 2008 R2 and SP1 Enhanced DSS (DSSENH) #390
+Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385 |
+
+
+FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 753
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283. |
+Windows Server 2008 CNG algorithms #284
+Windows Vista Ultimate SP1 CNG algorithms #283 |
+
+
+FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 753
+RNG: Val# 435
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281. |
+Windows Server 2008 Enhanced DSS (DSSENH) #282
+Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281 |
+
+
+FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 618
+RNG: Val# 321
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226. |
+Windows Vista CNG algorithms #227
+Windows Vista Enhanced DSS (DSSENH) #226 |
+
+
+FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 784
+RNG: Val# 448
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292. |
+Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292 |
+
+
+FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 783
+RNG: Val# 447
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291. |
+Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291 |
+
+
+FIPS186-2:
+PQG(gen) MOD(1024);
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
+SIG(ver) MOD(1024);
+SHS: Val# 611
+RNG: Val# 314 |
+Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221 |
+
+
+FIPS186-2:
+PQG(gen) MOD(1024);
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
+SIG(ver) MOD(1024);
+SHS: Val# 385 |
+Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146 |
+
+
+FIPS186-2:
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
+SIG(ver) MOD(1024);
+SHS: Val# 181
+
+ |
+Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95 |
+
+
+FIPS186-2:
+PQG(gen) MOD(1024);
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
+SHS: SHA-1 (BYTE)
+SIG(ver) MOD(1024);
+SHS: SHA-1 (BYTE) |
+Windows 2000 DSSENH.DLL #29
+Windows 2000 DSSBASE.DLL #28
+Windows NT 4 SP6 DSSENH.DLL #26
+Windows NT 4 SP6 DSSBASE.DLL #25 |
+
+
+FIPS186-2: PRIME;
+FIPS186-2:
+KEYGEN(Y):
+SHS: SHA-1 (BYTE)
+SIG(gen):
+SIG(ver) MOD(1024);
+SHS: SHA-1 (BYTE) |
+Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17 |
+
+
+
+
+
+#### Elliptic Curve Digital Signature Algorithm (ECDSA)
+
+
+
+
+
+
+
+
+| Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
+
+
+
+- ECDSA:
+
+- 186-4:
+
+- Key Pair Generation:
+
+- Curves: P-256, P-384, P-521
+- Generation Methods: Extra Random Bits
+ - Public Key Validation:
+
+- Curves: P-256, P-384, P-521
+ - Signature Generation:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+ - Signature Verification:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: SHS #2373, DRBG #489 |
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263
+Version 6.3.9600 |
+
+
+
+- ECDSA:
+
+- 186-4:
+
+- Key Pair Generation:
+
+- Curves: P-256, P-384
+- Generation Methods: Testing Candidates
+
+Prerequisite: SHS #4011, DRBG #1734 |
+Microsoft Surface Hub Virtual TPM Implementations #1253
+Version 10.0.15063.674 |
+
+
+
+- ECDSA:
+
+- 186-4:
+
+- Key Pair Generation:
+
+- Curves: P-256, P-384
+- Generation Methods: Testing Candidates
+
+Prerequisite: SHS #4009, DRBG #1733 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1252
+Version 10.0.16299 |
+
+
+
+- ECDSA:
+
+- 186-4:
+
+- Key Pair Generation:
+
+- Curves: P-256, P-384, P-521
+- Generation Methods: Extra Random Bits
+ - Public Key Validation:
+
+- Curves: P-256, P-384, P-521
+ - Signature Generation:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+ - Signature Verification:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: SHS #4011, DRBG #1732 |
+Microsoft Surface Hub MsBignum Cryptographic Implementations #1251
+Version 10.0.15063.674 |
+
+
+
+- ECDSA:
+
+- 186-4:
+
+- Key Pair Generation:
+
+- Curves: P-256, P-384, P-521
+- Generation Methods: Extra Random Bits
+ - Public Key Validation:
+
+- Curves: P-256, P-384, P-521
+ - Signature Generation:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+ - Signature Verification:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: SHS #4011, DRBG #1732 |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #1250
+Version 10.0.15063.674 |
+
+
+
+- ECDSA:
+
+- 186-4:
+
+- Key Pair Generation:
+
+- Curves: P-256, P-384, P-521
+- Generation Methods: Extra Random Bits
+ - Public Key Validation:
+
+- Curves: P-256, P-384, P-521
+ - Signature Generation:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+ - Signature Verification:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: SHS #4010, DRBG #1731 |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1249
+Version 10.0.15254 |
+
+
+
+- ECDSA:
+
+- 186-4:
+
+- Key Pair Generation:
+
+- Curves: P-256, P-384, P-521
+- Generation Methods: Extra Random Bits
+ - Public Key Validation:
+
+- Curves: P-256, P-384, P-521
+ - Signature Generation:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+ - Signature Verification:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: SHS #4010, DRBG #1731 |
+Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1248
+Version 10.0.15254 |
+
+
+
+- ECDSA:
+
+- 186-4:
+
+- Key Pair Generation:
+
+- Curves: P-256, P-384, P-521
+- Generation Methods: Extra Random Bits
+ - Public Key Validation:
+
+- Curves: P-256, P-384, P-521
+ - Signature Generation:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+ - Signature Verification:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: SHS #4009, DRBG #1730 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1247
+Version 10.0.16299 |
+
+
+
+- ECDSA:
+
+- 186-4:
+
+- Key Pair Generation:
+
+- Curves: P-256, P-384, P-521
+- Generation Methods: Extra Random Bits
+ - Public Key Validation:
+
+- Curves: P-256, P-384, P-521
+ - Signature Generation:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+ - Signature Verification:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: SHS #4009, DRBG #1730 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1246
+Version 10.0.16299 |
+
+
+FIPS186-4:
+PKG: CURVES( P-256 P-384 TestingCandidates )
+SHS: Val#3790
+DRBG: Val# 1555 |
+Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136
+Version 10.0.15063 |
+
+
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: Val#3790
+DRBG: Val# 1555 |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135
+Version 10.0.15063 |
+
+
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: Val#3790
+DRBG: Val# 1555 |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133
+Version 10.0.15063 |
+
+
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
+SHS:Val# 3649
+DRBG:Val# 1430 |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073
+Version 7.00.2872 |
+
+
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
+SHS:Val#3648
+DRBG:Val# 1429 |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072
+Version 8.00.6246 |
+
+
+FIPS186-4:
+PKG: CURVES( P-256 P-384 TestingCandidates )
+PKV: CURVES( P-256 P-384 )
+SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )
+SHS: Val# 3347
+DRBG: Val# 1222 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920
+Version 10.0.14393 |
+
+
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: Val# 3347
+DRBG: Val# 1217 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911
+Version 10.0.14393 |
+
+
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: Val# 3047
+DRBG: Val# 955 |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760
+Version 10.0.10586 |
+
+
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: Val# 2886
+DRBG: Val# 868 |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #706
+Version 10.0.10240 |
+
+
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: Val#2373
+DRBG: Val# 489 |
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505
+Version 6.3.9600 |
+
+
+FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: #1903
+DRBG: #258
+SIG(ver):CURVES( P-256 P-384 P-521 )
+SHS: #1903
+DRBG: #258
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: #1903
+DRBG: #258
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341. |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341 |
+
+
+FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#1773
+DRBG: Val# 193
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#1773
+DRBG: Val# 193
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: Val#1773
+DRBG: Val# 193
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295. |
+Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295 |
+
+
+FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#1081
+DRBG: Val# 23
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#1081
+DRBG: Val# 23
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141. |
+Windows Server 2008 R2 and SP1 CNG algorithms #142
+Windows 7 Ultimate and SP1 CNG algorithms #141 |
+
+
+FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#753
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#753
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82. |
+Windows Server 2008 CNG algorithms #83
+Windows Vista Ultimate SP1 CNG algorithms #82 |
+
+
+FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#618
+RNG: Val# 321
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#618
+RNG: Val# 321
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60. |
+Windows Vista CNG algorithms #60 |
+
+
+
+
+
+#### Keyed-Hash Message Authentication Code (HMAC)
+
+
+
+
+
+
+
+
+| Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
+
+
+
+- HMAC-SHA-1:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-256:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-384:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+
+Prerequisite: SHS #4011 |
+Microsoft Surface Hub Virtual TPM Implementations #3271
+Version 10.0.15063.674 |
+
+
+
+- HMAC-SHA-1:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-256:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-384:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+
+Prerequisite: SHS #4009 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #3270
+Version 10.0.16299 |
+
+
+
+- HMAC-SHA-1:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-256:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-384:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-512:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+
+Prerequisite: SHS #4011 |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #3269
+Version 10.0.15063.674 |
+
+
+
+- HMAC-SHA-1:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-256:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-384:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-512:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+
+Prerequisite: SHS #4010 |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #3268
+Version 10.0.15254 |
+
+
+
+- HMAC-SHA-1:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-256:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-384:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-512:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+
+Prerequisite: SHS #4009 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #3267
+Version 10.0.16299 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 |
+Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062
+Version 10.0.15063 |
+
+
+HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061
+Version 10.0.15063 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652 |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946
+Version 7.00.2872 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651 |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945
+Version 8.00.6246 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649 |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943
+Version 7.00.2872 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648 |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942
+Version 8.00.6246 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
+SHS Val# 3347
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
+SHS Val# 3347
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
+SHS Val# 3347 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661
+Version 10.0.14393 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651
+Version 10.0.14393 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
+SHS Val# 3047
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
+SHS Val# 3047
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
+SHS Val# 3047
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
+SHS Val# 3047 |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381
+Version 10.0.10586 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
+SHSVal# 2886
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
+SHSVal# 2886
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
+ SHSVal# 2886
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
+SHSVal# 2886 |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233
+Version 10.0.10240 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
+SHS Val#2373
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
+SHS Val#2373
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
+SHS Val#2373
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
+SHS Val#2373 |
+Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773
+Version 6.3.9600 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764 |
+Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122
+Version 5.2.29344 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902
+HMAC-SHA256 ( Key Size Ranges Tested: KS#1902 |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902 |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
+SHS#1903
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
+SHS#1903
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
+SHS#1903
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
+SHS#1903 |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773
+Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773 |
+Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774 |
+Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081 |
+Windows Server 2008 R2 and SP1 CNG algorithms #686
+Windows 7 and SP1 CNG algorithms #677
+Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687
+Windows 7 Enhanced Cryptographic Provider (RSAENH) #673 |
+
+
+HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081
+HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081 |
+Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816 |
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753
+HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753 |
+Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753 |
+Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408
+Windows Vista Enhanced Cryptographic Provider (RSAENH) #407 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618 |
+Windows Vista Enhanced Cryptographic Provider (RSAENH) #297 |
+
+
+| HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785 |
+Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429
+Windows XP, vendor-affirmed |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783 |
+Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613 |
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289 |
+
+
+| HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610 |
+Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753 |
+Windows Server 2008 CNG algorithms #413
+Windows Vista Ultimate SP1 CNG algorithms #412 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737
+HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737 |
+Windows Vista Ultimate BitLocker Drive Encryption #386 |
+
+
+HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618 |
+Windows Vista CNG algorithms #298 |
+
+
+HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589 |
+Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267 |
+
+
+HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578 |
+Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495
+HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495 |
+Windows Vista BitLocker Drive Encryption #199 |
+
+
+| HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364 |
+Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99
+Windows XP, vendor-affirmed |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305 |
+Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31 |
+
+
+
+
+
+#### Key Agreement Scheme (KAS)
+
+
+
+
+
+
+
+
+| Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
+
+
+
+- KAS ECC:
+
+- Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
+- Schemes:
+
+- Full Unified:
+
+- Key Agreement Roles: Initiator, Responder
+- KDFs: Concatenation
+- Parameter Sets:
+
+- EC:
+
+- Curve: P-256
+- SHA: SHA-256
+- MAC: HMAC
+ - ED:
+
+- Curve: P-384
+- SHA: SHA-384
+- MAC: HMAC
+
+Prerequisite: SHS #4011, ECDSA #1253, DRBG #1734 |
+Microsoft Surface Hub Virtual TPM Implementations #150
+Version 10.0.15063.674 |
+
+
+
+- KAS ECC:
+
+- Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
+- Schemes:
+
+- Full Unified:
+
+- Key Agreement Roles: Initiator, Responder
+- KDFs: Concatenation
+- Parameter Sets:
+
+- EC:
+
+- Curve: P-256
+- SHA: SHA-256
+- MAC: HMAC
+ - ED:
+
+- Curve: P-384
+- SHA: SHA-384
+- MAC: HMAC
+
+Prerequisite: SHS #4009, ECDSA #1252, DRBG #1733 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #149
+Version 10.0.16299 |
+
+
+
+- KAS ECC:
+
+- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
+- Schemes:
+
+- Ephemeral Unified:
+
+- Key Agreement Roles: Initiator, Responder
+- KDFs: Concatenation
+- Parameter Sets:
+
+- EC:
+
+- Curve: P-256
+- SHA: SHA-256
+- MAC: HMAC
+ - ED:
+
+- Curve: P-384
+- SHA: SHA-384
+- MAC: HMAC
+ - EE:
+
+- Curve: P-521
+- SHA: SHA-512
+- MAC: HMAC
+ - One Pass DH:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- EC:
+
+- Curve: P-256
+- SHA: SHA-256
+- MAC: HMAC
+ - ED:
+
+- Curve: P-384
+- SHA: SHA-384
+- MAC: HMAC
+ - EE:
+
+- Curve: P-521
+- SHA: SHA-512
+- MAC: HMAC
+ - Static Unified:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- EC:
+
+- Curve: P-256
+- SHA: SHA-256
+- MAC: HMAC
+ - ED:
+
+- Curve: P-384
+- SHA: SHA-384
+- MAC: HMAC
+ - EE:
+
+- Curve: P-521
+- SHA: SHA-512
+- MAC: HMAC
+
+Prerequisite: SHS #4011, ECDSA #1250, DRBG #1732
+
+- KAS FFC:
+
+- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
+- Schemes:
+
+- dhEphem:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- FB:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - FC:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - dhOneFlow:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- FB:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - FC:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - dhStatic:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- FB:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - FC:
+
+- SHA: SHA-256
+- MAC: HMAC
+
+Prerequisite: SHS #4011, DSA #1303, DRBG #1732 |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #148
+Version 10.0.15063.674 |
+
+
+
+- KAS ECC:
+
+- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
+- Schemes:
+
+- Ephemeral Unified:
+
+- Key Agreement Roles: Initiator, Responder
+- KDFs: Concatenation
+- Parameter Sets:
+
+- EC:
+
+- Curve: P-256
+- SHA: SHA-256
+- MAC: HMAC
+ - ED:
+
+- Curve: P-384
+- SHA: SHA-384
+- MAC: HMAC
+ - EE:
+
+- Curve: P-521
+- SHA: SHA-512
+- MAC: HMAC
+ - One Pass DH:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- EC:
+
+- Curve: P-256
+- SHA: SHA-256
+- MAC: HMAC
+ - ED:
+
+- Curve: P-384
+- SHA: SHA-384
+- MAC: HMAC
+ - EE:
+
+- Curve: P-521
+- SHA: SHA-512
+- MAC: HMAC
+ - Static Unified:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- EC:
+
+- Curve: P-256
+- SHA: SHA-256
+- MAC: HMAC
+ - ED:
+
+- Curve: P-384
+- SHA: SHA-384
+- MAC: HMAC
+ - EE:
+
+- Curve: P-521
+- SHA: SHA-512
+- MAC: HMAC
+
+Prerequisite: SHS #4010, ECDSA #1249, DRBG #1731
+
+- KAS FFC:
+
+- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
+- Schemes:
+
+- dhEphem:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- FB:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - FC:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - dhOneFlow:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- FB:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - FC:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - dhStatic:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- FB:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - FC:
+
+- SHA: SHA-256
+- MAC: HMAC
+
+Prerequisite: SHS #4010, DSA #1302, DRBG #1731 |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #147
+Version 10.0.15254 |
+
+
+
+- KAS ECC:
+
+- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
+- Schemes:
+
+- Ephemeral Unified:
+
+- Key Agreement Roles: Initiator, Responder
+- KDFs: Concatenation
+- Parameter Sets:
+
+- EC:
+
+- Curve: P-256
+- SHA: SHA-256
+- MAC: HMAC
+ - ED:
+
+- Curve: P-384
+- SHA: SHA-384
+- MAC: HMAC
+ - EE:
+
+- Curve: P-521
+- SHA: SHA-512
+- MAC: HMAC
+ - One Pass DH:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- EC:
+
+- Curve: P-256
+- SHA: SHA-256
+- MAC: HMAC
+ - ED:
+
+- Curve: P-384
+- SHA: SHA-384
+- MAC: HMAC
+ - EE:
+
+- Curve: P-521
+- SHA: SHA-512
+- MAC: HMAC
+ - Static Unified:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- EC:
+
+- Curve: P-256
+- SHA: SHA-256
+- MAC: HMAC
+ - ED:
+
+- Curve: P-384
+- SHA: SHA-384
+- MAC: HMAC
+ - EE:
+
+- Curve: P-521
+- SHA: SHA-512
+- MAC: HMAC
+
+Prerequisite: SHS #4009, ECDSA #1246, DRBG #1730
+
+- KAS FFC:
+
+- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
+- Schemes:
+
+- dhEphem:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- FB:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - FC:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - dhOneFlow:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- FB:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - FC:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - dhStatic:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- FB:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - FC:
+
+- SHA: SHA-256
+- MAC: HMAC
+
+Prerequisite: SHS #4009, DSA #1301, DRBG #1730 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #146
+Version 10.0.16299 |
+
+
+ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ]
+SHS Val#3790
+DSA Val#1135
+DRBG Val#1556 |
+Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #128
+Version 10.0.15063 |
+
+
+FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+SHS Val#3790
+DSA Val#1223
+DRBG Val#1555
+ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+
+SHS Val#3790
+ECDSA Val#1133
+DRBG Val#1555 |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127
+Version 10.0.15063 |
+
+
+FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+SHS Val# 3649
+DSA Val#1188
+DRBG Val#1430
+ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115
+Version 7.00.2872 |
+
+
+FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhHybridOneFlow ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+SHS Val#3648
+DSA Val#1187
+DRBG Val#1429
+ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+
+SHS Val#3648
+ECDSA Val#1072
+DRBG Val#1429 |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114
+Version 8.00.6246 |
+
+
+ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration )
+SCHEMES [ FullUnified ( No_KC < KARole(s): Initiator / Responder > < KDF: CONCAT > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ]
+SHS Val# 3347 ECDSA Val#920 DRBG Val#1222 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93
+Version 10.0.14393 |
+
+
+FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation )
+SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic (No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+SHS Val# 3347 DSA Val#1098 DRBG Val#1217
+ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+SHS Val# 3347 DSA Val#1098 ECDSA Val#911 DRBG Val#1217 HMAC Val#2651 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #92
+Version 10.0.14393 |
+
+
+FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+SHS Val# 3047 DSA Val#1024 DRBG Val#955
+ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+SHS Val# 3047 ECDSA Val#760 DRBG Val#955 |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72
+Version 10.0.10586 |
+
+
+FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+SHS Val# 2886 DSA Val#983 DRBG Val#868
+ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+SHS Val# 2886 ECDSA Val#706 DRBG Val#868 |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64
+Version 10.0.10240 |
+
+
+FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+SHS Val#2373 DSA Val#855 DRBG Val#489
+ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+SHS Val#2373 ECDSA Val#505 DRBG Val#489 |
+Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47
+Version 6.3.9600 |
+
+
+FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+SHS #1903 DSA Val#687 DRBG #258
+ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+
+SHS #1903 ECDSA Val#341 DRBG #258 |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36 |
+
+
+KAS (SP 800–56A)
+key agreement
+key establishment methodology provides 80 to 256 bits of encryption strength |
+Windows 7 and SP1, vendor-affirmed
+Windows Server 2008 R2 and SP1, vendor-affirmed |
+
+
+
+
+
+SP 800-108 Key-Based Key Derivation Functions (KBKDF)
+
+
+
+
+| Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
+
+
+
+- Counter:
+
+- MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
+
+MAC prerequisite: HMAC #3271
+
+
+- Counter Location: Before Fixed Data
+- R Length: 32 (bits)
+- SPs used to generate K: SP 800-56A, SP 800-90A
+
+ K prerequisite: DRBG #1734, KAS #150 |
+Microsoft Surface Hub Virtual TPM Implementations #161
+Version 10.0.15063.674 |
+
+
+
+- Counter:
+
+- MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
+
+MAC prerequisite: HMAC #3270
+
+
+- Counter Location: Before Fixed Data
+- R Length: 32 (bits)
+- SPs used to generate K: SP 800-56A, SP 800-90A
+
+ K prerequisite: DRBG #1733, KAS #149 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #160
+Version 10.0.16299 |
+
+
+
+- Counter:
+
+- MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
+
+MAC prerequisite: AES #4902, HMAC #3269
+
+
+- Counter Location: Before Fixed Data
+- R Length: 32 (bits)
+- SPs used to generate K: SP 800-56A, SP 800-90A
+- K prerequisite: KAS #148
+
+ |
+Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #159
+Version 10.0.15063.674 |
+
+
+
+- Counter:
+
+- MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
+
+MAC prerequisite: AES #4901, HMAC #3268
+
+
+- Counter Location: Before Fixed Data
+- R Length: 32 (bits)
+- SPs used to generate K: SP 800-56A, SP 800-90A
+
+ K prerequisite: KAS #147 |
+Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #158
+Version 10.0.15254 |
+
+
+
+- Counter:
+
+- MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
+
+MAC prerequisite: AES #4897, HMAC #3267
+
+
+- Counter Location: Before Fixed Data
+- R Length: 32 (bits)
+- SPs used to generate K: SP 800-56A, SP 800-90A
+
+ K prerequisite: KAS #146 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #157
+Version 10.0.16299 |
+
+
+CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+
+KAS Val#128
+DRBG Val#1556
+MAC Val#3062 |
+Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #141
+Version 10.0.15063 |
+
+
+CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+
+KAS Val#127
+AES Val#4624
+DRBG Val#1555
+MAC Val#3061 |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #140
+Version 10.0.15063 |
+
+
+CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+KAS Val#93 DRBG Val#1222 MAC Val#2661 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102
+Version 10.0.14393 |
+
+
+CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+KAS Val#92 AES Val#4064 DRBG Val#1217 MAC Val#2651 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101
+Version 10.0.14393 |
+
+
+CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+KAS Val#72 AES Val#3629 DRBG Val#955 MAC Val#2381 |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72
+Version 10.0.10586 |
+
+
+CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+KAS Val#64 AES Val#3497 RBG Val#868 MAC Val#2233 |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66
+Version 10.0.10240 |
+
+
+CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+DRBG Val#489 MAC Val#1773 |
+Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30
+Version 6.3.9600 |
+
+
+CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+DRBG #258 HMAC Val#1345 |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3 |
+
+
+
+
+
+Random Number Generator (RNG)
+
+
+
+
+
+
+
+
+| Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
+
+
+FIPS 186-2 General Purpose
+[ (x-Original); (SHA-1) ] |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110 |
+
+
+FIPS 186-2
+[ (x-Original); (SHA-1) ] |
+Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060
+Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292
+Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286
+Windows CE 5.00 and Window CE 5.01 Enhanced Cryptographic Provider (RSAENH) #66 |
+
+
+FIPS 186-2
+[ (x-Change Notice); (SHA-1) ]
+FIPS 186-2 General Purpose
+[ (x-Change Notice); (SHA-1) ] |
+Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649
+Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435
+Windows Vista RNG implementation #321 |
+
+
+FIPS 186-2 General Purpose
+[ (x-Change Notice); (SHA-1) ] |
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470
+Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449
+Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #316
+Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313 |
+
+
+FIPS 186-2
+[ (x-Change Notice); (SHA-1) ] |
+Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448
+Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314 |
+
+
+
+
+
+#### RSA
+
+
+
+
+
+
+
+
+| Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
+
+
+RSA:
+
+- 186-4:
+
+- Signature Generation PKCS1.5:
+
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384
+ - Signature Generation PSS:
+
+- Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+ - Signature Verification PKCS1.5:
+
+- Mod 1024 SHA: SHA-1, SHA-256, SHA-384
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384
+ - Signature Verification PSS:
+
+- Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+
+Prerequisite: SHS #4011, DRBG #1734 |
+Microsoft Surface Hub Virtual TPM Implementations #2677
+Version 10.0.15063.674 |
+
+
+RSA:
+
+- 186-4:
+
+- Signature Generation PKCS1.5:
+
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384
+ - Signature Generation PSS:
+
+- Mod 2048:
+
+- SHA-1: Salt Length: 240 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+ - Signature Verification PKCS1.5:
+
+- Mod 1024 SHA: SHA-1, SHA-256, SHA-384
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384
+ - Signature Verification PSS:
+
+- Mod 1024:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+ - Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+
+Prerequisite: SHS #4009, DRBG #1733 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #2676
+Version 10.0.16299 |
+
+
+RSA:
+
+- 186-4:
+
+- Key Generation:
+- Signature Verification PKCS1.5:
+
+- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+
+Prerequisite: SHS #4011, DRBG #1732 |
+Microsoft Surface Hub RSA32 Algorithm Implementations #2675
+Version 10.0.15063.674 |
+
+
+RSA:
+
+- 186-4:
+
+- Signature Verification PKCS1.5:
+
+- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+
+Prerequisite: SHS #4009, DRBG #1730 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations #2674
+Version 10.0.16299 |
+
+
+RSA:
+
+- 186-4:
+
+- Signature Verification PKCS1.5:
+
+- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+
+Prerequisite: SHS #4010, DRBG #1731 |
+Windows 10 Mobile (version 1709) RSA32 Algorithm Implementations #2673
+Version 10.0.15254 |
+
+
+RSA:
+
+- 186-4:
+
+- Key Generation:
+
+- Public Key Exponent: Fixed (10001)
+- Provable Primes with Conditions:
+
+- Mod lengths: 2048, 3072 (bits)
+- Primality Tests: C.3
+ - Signature Generation PKCS1.5:
+
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Generation PSS:
+
+- Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Signature Verification PKCS1.5:
+
+- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Verification PSS:
+
+- Mod 1024:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 496 (bits)
+ - Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+
+Prerequisite: SHS #4011, DRBG #1732 |
+Microsoft Surface Hub MsBignum Cryptographic Implementations #2672
+Version 10.0.15063.674 |
+
+
+RSA:
+
+- 186-4:
+
+- Key Generation:
+
+- Probable Random Primes:
+
+- Mod lengths: 2048, 3072 (bits)
+- Primality Tests: C.2
+ - Signature Generation PKCS1.5:
+
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Generation PSS:
+
+- Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Signature Verification PKCS1.5:
+
+- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Verification PSS:
+
+- Mod 1024:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 496 (bits)
+ - Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+
+Prerequisite: SHS #4011, DRBG #1732 |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #2671
+Version 10.0.15063.674 |
+
+
+RSA:
+
+- 186-4:
+
+- Key Generation:
+
+- Probable Random Primes:
+
+- Mod lengths: 2048, 3072 (bits)
+- Primality Tests: C.2
+ - Signature Generation PKCS1.5:
+
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Generation PSS:
+
+- Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Signature Verification PKCS1.5:
+
+- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Verification PSS:
+
+- Mod 1024:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 496 (bits)
+ - Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+
+Prerequisite: SHS #4010, DRBG #1731 |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2670
+Version 10.0.15254 |
+
+
+RSA:
+
+- 186-4:
+
+- Key Generation:
+
+- Public Key Exponent: Fixed (10001)
+- Provable Primes with Conditions:
+
+- Mod lengths: 2048, 3072 (bits)
+- Primality Tests: C.3
+ - Signature Generation PKCS1.5:
+
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Generation PSS:
+
+- Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Signature Verification PKCS1.5:
+
+- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Verification PSS:
+
+- Mod 1024:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 496 (bits)
+ - Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+
+Prerequisite: SHS #4010, DRBG #1731 |
+Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #2669
+Version 10.0.15254 |
+
+
+
+- 186-4:
+
+- Key Generation:
+
+- Public Key Exponent: Fixed (10001)
+- Provable Primes with Conditions:
+
+- Mod lengths: 2048, 3072 (bits)
+- Primality Tests: C.3
+ - Signature Generation PKCS1.5:
+
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Generation PSS:
+
+- Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Signature Verification PKCS1.5:
+
+- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Verification PSS:
+
+- Mod 1024:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 496 (bits)
+ - Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+
+Prerequisite: SHS #4009, DRBG #1730 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #2668
+Version 10.0.16299 |
+
+
+
+- 186-4:
+
+- Key Generation:
+
+- Probable Random Primes:
+
+- Mod lengths: 2048, 3072 (bits)
+- Primality Tests: C.2
+ - Signature Generation PKCS1.5:
+
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Generation PSS:
+
+- Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Signature Verification PKCS1.5:
+
+- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Verification PSS:
+
+- Mod 1024:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 496 (bits)
+ - Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+
+Prerequisite: SHS #4009, DRBG #1730 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2667
+Version 10.0.16299 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
+SHA Val#3790 |
+Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524
+Version 10.0.15063 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#3790 |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523
+Version 10.0.15063 |
+
+
+FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+SHA Val#3790
+DRBG: Val# 1555 |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522
+Version 10.0.15063 |
+
+
+FIPS186-4:
+186-4KEY(gen):
+PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+SHA Val#3790 |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521
+Version 10.0.15063 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
+FIPS186-4:
+ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
+SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#3652 |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415
+Version 7.00.2872 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
+FIPS186-4:
+ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
+SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#3651 |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414
+Version 8.00.6246 |
+
+
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val# 3649 , SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
+FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
+PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val# 3649
+DRBG: Val# 1430 |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412
+Version 7.00.2872 |
+
+
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
+FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
+PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#3648
+DRBG: Val# 1429 |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411
+Version 8.00.6246 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
+SHA Val# 3347 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206
+Version 10.0.14393 |
+
+
+FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+SHA Val# 3347 DRBG: Val# 1217 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195
+Version 10.0.14393 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#3346 |
+soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194
+Version 10.0.14393 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val# 3347 DRBG: Val# 1217 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193
+Version 10.0.14393 |
+
+
+FIPS186-4:
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+SHA Val# 3347 DRBG: Val# 1217 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192
+Version 10.0.14393 |
+
+
+FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+SHA Val# 3047 DRBG: Val# 955 |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889
+Version 10.0.10586 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#3048 |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871
+Version 10.0.10586 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val# 3047 |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888
+Version 10.0.10586 |
+
+
+FIPS186-4:
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+SHA Val# 3047 |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887
+Version 10.0.10586 |
+
+
+FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+SHA Val# 2886 DRBG: Val# 868 |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798
+Version 10.0.10240 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#2871 |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784
+Version 10.0.10240 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#2871 |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783
+Version 10.0.10240 |
+
+
+FIPS186-4:
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+Sig(Ver): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+SHA Val# 2886 |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802
+Version 10.0.10240 |
+
+
+FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+SHA Val#2373 DRBG: Val# 489 |
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487
+Version 6.3.9600 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#2373 |
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494
+Version 6.3.9600 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#2373 |
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493
+Version 6.3.9600 |
+
+
+FIPS186-4:
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+ Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+SHA Val#2373 |
+Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519
+Version 6.3.9600 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
+SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 ))
+SHA #1903
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134. |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134 |
+
+
+FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+SHA #1903 DRBG: #258 |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132. |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052. |
+Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051. |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051 |
+
+
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568. |
+Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568 |
+
+
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#567. See Historical RSA List Val#560. |
+Windows Server 2008 R2 and SP1 CNG algorithms #567
+Windows 7 and SP1 CNG algorithms #560 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559. |
+Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559 |
+
+
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#557. |
+Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#395. |
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#783
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#371. |
+Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371 |
+
+
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
+ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#358. See Historical RSA List Val#357. |
+Windows Server 2008 CNG algorithms #358
+Windows Vista SP1 CNG algorithms #357 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#355. See Historical RSA List Val#354. |
+Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355
+Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353. |
+Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258. |
+Windows Vista RSA key generation implementation #258 |
+
+
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
+ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#257. |
+Windows Vista CNG algorithms #257 |
+
+
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#255. |
+Windows Vista Enhanced Cryptographic Provider (RSAENH) #255 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#245. |
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#230. |
+Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#222. |
+Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222 |
+
+
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]:
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#364
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#81. |
+Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#52. |
+Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52 |
+
+
+FIPS186-2:
+– PKCS#1 v1.5, signature generation and verification
+– Mod sizes: 1024, 1536, 2048, 3072, 4096
+– SHS: SHA–1/256/384/512 |
+Windows XP, vendor-affirmed
+Windows 2000, vendor-affirmed |
+
+
+
+
+
+#### Secure Hash Standard (SHS)
+
+
+
+
+
+
+
+
+| Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
+
+
+
+- SHA-1:
+
+- Supports Empty Message
+ - SHA-256:
+
+- Supports Empty Message
+ - SHA-384:
+
+- Supports Empty Message
+ - SHA-512:
+
+- Supports Empty Message
+ |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #4011
+Version 10.0.15063.674 |
+
+
+
+- SHA-1:
+
+- Supports Empty Message
+ - SHA-256:
+
+- Supports Empty Message
+ - SHA-384:
+
+- Supports Empty Message
+ - SHA-512:
+
+- Supports Empty Message
+ |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4010
+Version 10.0.15254 |
+
+
+
+- SHA-1:
+
+- Supports Empty Message
+ - SHA-256:
+
+- Supports Empty Message
+ - SHA-384:
+
+- Supports Empty Message
+ - SHA-512:
+
+- Supports Empty Message
+ |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4009
+Version 10.0.16299 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3790
+Version 10.0.15063 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3652
+Version 7.00.2872 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3651
+Version 8.00.6246 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3649
+Version 7.00.2872 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3648
+Version 8.00.6246 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #3347
+Version 10.0.14393 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #3346
+Version 10.0.14393 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #3048
+Version 10.0.10586 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #3047
+Version 10.0.10586 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886
+Version 10.0.10240 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871
+Version 10.0.10240 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396
+Version 6.3.9600 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
+Version 6.3.9600 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)
+Implementation does not support zero-length (null) messages. |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1774
+Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1773 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows 7and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816 |
+
+
+| SHA-1 (BYTE-only) |
+Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #785
+Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #784 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #783 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753
+Windows Vista Symmetric Algorithm Implementation #618 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only) |
+Windows Vista BitLocker Drive Encryption #737
+Windows Vista Beta 2 BitLocker Drive Encryption #495 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #613
+Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #364 |
+
+
+| SHA-1 (BYTE-only) |
+Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #611
+Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #610
+Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #385
+Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #371
+Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #181
+Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #177
+Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #176 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #589
+Windows CE and Windows Mobile 6 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #578
+Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #305 |
+
+
+| SHA-1 (BYTE-only) |
+Windows XP Microsoft Enhanced Cryptographic Provider #83
+Crypto Driver for Windows 2000 (fips.sys) #35
+Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #32
+Windows 2000 RSAENH.DLL #24
+Windows 2000 RSABASE.DLL #23
+Windows NT 4 SP6 RSAENH.DLL #21
+Windows NT 4 SP6 RSABASE.DLL #20 |
+
+
+
+
+
+#### Triple DES
+
+
+
+
+
+
+
+
+| Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
+
+
+
+- TDES-CBC:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ - TDES-CFB64:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ - TDES-CFB8:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ - TDES-ECB:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #2558
+Version 10.0.15063.674 |
+
+
+
+- TDES-CBC:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ - TDES-CFB64:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ - TDES-CFB8:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ - TDES-ECB:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2557
+Version 10.0.15254 |
+
+
+
+- TDES-CBC:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ - TDES-CFB64:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ - TDES-CFB8:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ - TDES-ECB:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2556
+Version 10.0.16299 |
+
+
+| TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, ) |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459
+Version 10.0.15063 |
+
+
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384
+Version 8.00.6246 |
+
+
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383
+Version 8.00.6246 |
+
+
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) ;
+CTR ( int only ) |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382
+Version 7.00.2872 |
+
+
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381
+Version 8.00.6246 |
+
+
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) ;
+TCFB8( KO 1 e/d, ) ;
+TCFB64( KO 1 e/d, ) |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227
+
+
+Version 10.0.14393 |
+
+
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) ;
+TCFB8( KO 1 e/d, ) ;
+TCFB64( KO 1 e/d, ) |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024
+
+
+Version 10.0.10586 |
+
+
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) ;
+TCFB8( KO 1 e/d, ) ;
+TCFB64( KO 1 e/d, ) |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969
+
+
+Version 10.0.10240 |
+
+
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) ;
+TCFB8( KO 1 e/d, ) ;
+TCFB64( KO 1 e/d, ) |
+Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692
+Version 6.3.9600 |
+
+
+TECB( e/d; KO 1,2 ) ;
+TCBC( e/d; KO 1,2 ) ;
+TCFB8( e/d; KO 1,2 ) ;
+TCFB64( e/d; KO 1,2 ) |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387 |
+
+
+TECB( e/d; KO 1,2 ) ;
+TCBC( e/d; KO 1,2 ) ;
+TCFB8( e/d; KO 1,2 ) |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386 |
+
+
+TECB( e/d; KO 1,2 ) ;
+TCBC( e/d; KO 1,2 ) ;
+TCFB8( e/d; KO 1,2 ) |
+Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846 |
+
+
+TECB( e/d; KO 1,2 ) ;
+TCBC( e/d; KO 1,2 ) ;
+TCFB8( e/d; KO 1,2 ) |
+Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656 |
+
+
+TECB( e/d; KO 1,2 ) ;
+TCBC( e/d; KO 1,2 ) ;
+TCFB8( e/d; KO 1,2 ) |
+Windows Vista Symmetric Algorithm Implementation #549 |
+
+
+| Triple DES MAC |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed
+Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed |
+
+
+TECB( e/d; KO 1,2 ) ;
+TCBC( e/d; KO 1,2 ) |
+Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308
+Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691
+Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #677
+Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #676
+Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #675
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #544
+Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #543
+Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #542
+Windows CE 6.0 and Window CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #526
+Windows CE and Windows Mobile 6 and Windows Mobile 6.1 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #517
+Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #381
+Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #370
+Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #365
+Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #315
+Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #201
+Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #199
+Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #192
+Windows XP Microsoft Enhanced Cryptographic Provider #81
+Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #18
+Crypto Driver for Windows 2000 (fips.sys) #16 |
+
+
+
+
+
+#### SP 800-132 Password Based Key Derivation Function (PBKDF)
+
+
+
+ |
+ Modes / States / Key Sizes
+ |
+
+ Algorithm Implementation and Certificate #
+ |
+
+
+ |
+ PBKDF (vendor affirmed) |
+
+ Kernel Mode Cryptographic Primitives Library (cng.sys) Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2937
(Software Version: 10.0.14393)
+ Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
(Software Version: 10.0.14393)
+ Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2935
(Software Version: 10.0.14393)
+ Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2931
(Software Version: 10.0.14393)
+ |
+
+
+ |
+ PBKDF (vendor affirmed) |
+
+ Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
(Software Version: 10.0.14393)
+ Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG), vendor-affirmed
+ |
+
+
+
+
+#### Component Validation List
+
+
+
+
+
+
+
+
+| Publication / Component Validated / Description |
+Implementation and Certificate # |
+
+
+
+- ECDSA SigGen:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: DRBG #489 |
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540
+Version 6.3.9600 |
+
+
+
+- RSASP1:
+
+- Modulus Size: 2048 (bits)
+- Padding Algorithms: PKCS 1.5
+ |
+Microsoft Surface Hub Virtual TPM Implementations #1519
+Version 10.0.15063.674 |
+
+
+
+- RSASP1:
+
+- Modulus Size: 2048 (bits)
+- Padding Algorithms: PKCS 1.5
+ |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1518
+Version 10.0.16299 |
+
+
+
+- RSADP:
+
+- Modulus Size: 2048 (bits)
+ |
+Microsoft Surface Hub MsBignum Cryptographic Implementations #1517
+Version 10.0.15063.674 |
+
+
+
+- RSASP1:
+
+- Modulus Size: 2048 (bits)
+- Padding Algorithms: PKCS 1.5
+ |
+Microsoft Surface Hub MsBignum Cryptographic Implementations #1516
+Version 10.0.15063.674 |
+
+
+
+- ECDSA SigGen:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+ Prerequisite: DRBG #1732 |
+Microsoft Surface Hub MsBignum Cryptographic Implementations #1515
+Version 10.0.15063.674 |
+
+
+
+- ECDSA SigGen:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: DRBG #1732 |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #1514
+Version 10.0.15063.674 |
+
+
+
+- RSADP:
+
+- Modulus Size: 2048 (bits)
+ |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #1513
+Version 10.0.15063.674 |
+
+
+
+- RSASP1:
+
+- Modulus Size: 2048 (bits)
+- Padding Algorithms: PKCS 1.5
+ |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #1512
+Version 10.0.15063.674 |
+
+
+
+- IKEv1:
+
+- Methods: Digital Signature, Pre-shared Key, Public Key Encryption
+- Pre-shared Key Length: 64-2048
+- Diffie-Hellman shared secrets:
+
+- Diffie-Hellman shared secret:
+
+- Length: 2048 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 256 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 384 (bits)
+- SHA Functions: SHA-384
+
+Prerequisite: SHS #4011, HMAC #3269
+
+- IKEv2:
+
+- Derived Keying Material length: 192-1792
+- Diffie-Hellman shared secrets:
+
+- Diffie-Hellman shared secret:
+
+- Length: 2048 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 256 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 384 (bits)
+- SHA Functions: SHA-384
+
+Prerequisite: SHS #4011, HMAC #3269
+
+- TLS:
+
+- Supports TLS 1.0/1.1
+- Supports TLS 1.2:
+
+- SHA Functions: SHA-256, SHA-384
+
+Prerequisite: SHS #4011, HMAC #3269 |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #1511
+Version 10.0.15063.674 |
+
+
+
+- ECDSA SigGen:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: DRBG #1731 |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1510
+Version 10.0.15254 |
+
+
+
+- RSADP:
+
+- Modulus Size: 2048 (bits)
+ |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1509
+Version 10.0.15254 |
+
+
+
+- RSASP1:
+
+- Modulus Size: 2048 (bits)
+- Padding Algorithms: PKCS 1.5
+ |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1508
+Version 10.0.15254 |
+
+
+
+- IKEv1:
+
+- Methods: Digital Signature, Pre-shared Key, Public Key Encryption
+- Pre-shared Key Length: 64-2048
+- Diffie-Hellman shared secrets:
+
+- Diffie-Hellman shared secret:
+
+- Length: 2048 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 256 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 384 (bits)
+- SHA Functions: SHA-384
+
+Prerequisite: SHS #4010, HMAC #3268
+
+- IKEv2:
+
+- Derived Keying Material length: 192-1792
+- Diffie-Hellman shared secrets:
+
+- Diffie-Hellman shared secret:
+
+- Length: 2048 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 256 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 384 (bits)
+- SHA Functions: SHA-384
+
+Prerequisite: SHS #4010, HMAC #3268
+
+- TLS:
+
+- Supports TLS 1.0/1.1
+- Supports TLS 1.2:
+
+- SHA Functions: SHA-256, SHA-384
+
+Prerequisite: SHS #4010, HMAC #3268 |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1507
+Version 10.0.15254 |
+
+
+
+- ECDSA SigGen:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: DRBG #1731 |
+Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1506
+Version 10.0.15254 |
+
+
+
+- RSADP:
+
+- Modulus Size: 2048 (bits)
+ |
+Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1505
+Version 10.0.15254 |
+
+
+
+- RSASP1:
+
+- Modulus Size: 2048 (bits)
+- Padding Algorithms: PKCS 1.5
+ |
+Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1504
+Version 10.0.15254 |
+
+
+
+- ECDSA SigGen:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: DRBG #1730 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1503
+Version 10.0.16299 |
+
+
+
+- RSADP:
+
+- Modulus Size: 2048 (bits)
+ |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1502
+Version 10.0.16299 |
+
+
+
+- RSASP1:
+
+- Modulus Size: 2048 (bits)
+- Padding Algorithms: PKCS 1.5
+ |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1501
+Version 10.0.16299 |
+
+
+
+- ECDSA SigGen:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: DRBG #1730 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1499
+Version 10.0.16299 |
+
+
+
+- RSADP:
+
+- Modulus Size: 2048 (bits)
+ |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1498
+Version 10.0.16299
+ |
+
+
+
+- RSASP1:
+
+- Modulus Size: 2048 (bits)
+- Padding Algorithms: PKCS 1.5
+ |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1497
+Version 10.0.16299 |
+
+
+
+- IKEv1:
+
+- Methods: Digital Signature, Pre-shared Key, Public Key Encryption
+- Pre-shared Key Length: 64-2048
+- Diffie-Hellman shared secrets:
+
+- Diffie-Hellman shared secret:
+
+- Length: 2048 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 256 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 384 (bits)
+- SHA Functions: SHA-384
+
+Prerequisite: SHS #4009, HMAC #3267
+
+- IKEv2:
+
+- Derived Keying Material length: 192-1792
+- Diffie-Hellman shared secrets:
+
+- Diffie-Hellman shared secret:
+
+- Length: 2048 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 256 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 384 (bits)
+- SHA Functions: SHA-384
+
+Prerequisite: SHS #4009, HMAC #3267
+
+- TLS:
+
+- Supports TLS 1.0/1.1
+- Supports TLS 1.2:
+
+- SHA Functions: SHA-256, SHA-384
+
+Prerequisite: SHS #4009, HMAC #3267 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1496
+Version 10.0.16299 |
+
+
+FIPS186-4 ECDSA
+Signature Generation of hash sized messages
+ECDSA SigGen Component: CURVES( P-256 P-384 P-521 ) |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1284
+Version 10.0. 15063
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1279
+Version 10.0. 15063
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #922
+Version 10.0.14393
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894
+Version 10.0.14393icrosoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #666
+Version 10.0.10586
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288
+Version 6.3.9600 |
+
+
+FIPS186-4 RSA; PKCS#1 v2.1
+RSASP1 Signature Primitive
+RSASP1: (Mod2048: PKCS1.5 PKCSPSS) |
+Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1285
+Version 10.0.15063
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1282
+Version 10.0.15063
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1280
+Version 10.0.15063
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #893
+Version 10.0.14393
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #888
+Version 10.0.14393
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665
+Version 10.0.10586
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #572
+Version 10.0.10240
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry MsBignum Cryptographic Implementations #289
+Version 6.3.9600 |
+
+
+FIPS186-4 RSA; RSADP
+RSADP Primitive
+RSADP: (Mod2048) |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1283
+Version 10.0.15063
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1281
+Version 10.0.15063
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #895
+Version 10.0.14393
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #887
+Version 10.0.14393
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #663
+Version 10.0.10586
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #576
+Version 10.0.10240 |
+
+
+SP800-135
+Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1496
+Version 10.0.16299
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1278
+Version 10.0.15063
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1140
+Version 7.00.2872
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1139
+Version 8.00.6246
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BcryptPrimitives and NCryptSSLp #886
+Version 10.0.14393
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BCryptPrimitives and NCryptSSLp #664
+Version 10.0.10586
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BCryptPrimitives and NCryptSSLp #575
+Version 10.0.10240
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp #323
+Version 6.3.9600 |
+
+
+
+
+
+## References
+
+\[[FIPS 140](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)\] - FIPS 140-2, Security Requirements for Cryptographic Modules
+
+\[[FIPS FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf)\] - Cryptographic Module Validation Program (CMVP) FAQ
+
+\[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\] - Recommendation for Key Management – Part 1: General (Revised)
+
+\[[SP 800-131A](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)\] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
+
+## Additional Microsoft References
+
+Enabling FIPS mode -
+
+Cipher Suites in Schannel - [https://msdn.microsoft.com/library/aa374757(VS.85).aspx](https://msdn.microsoft.com/library/aa374757\(vs.85\).aspx)
+
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
index 7cd0315cc8..b2d4621b58 100644
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md
@@ -37,5 +37,5 @@ The wsusscn2.cab file contains the metadata of only security updates, update rol
For security compliance and for desktop/server hardening, we recommend the Microsoft Security Baselines and the Security Compliance Toolkit.
- [Windows security baselines](windows-security-baselines.md)
-- [Download Microsoft Security Compliance Toolkit 1.0 ](https://www.microsoft.com/download/details.aspx?id=55319)
+- [Download Microsoft Security Compliance Toolkit 1.0](https://www.microsoft.com/download/details.aspx?id=55319)
- [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/TOC.md b/windows/security/threat-protection/microsoft-defender-atp/TOC.md
index ff64c95cca..0f9409ab26 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/TOC.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/TOC.md
@@ -100,7 +100,7 @@
#### [Protect users, data, and devices with Conditional Access](conditional-access.md)
#### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md)
#### [Information protection in Windows overview](information-protection-in-windows-overview.md)
-##### [Use sensitivity labels to prioritize incident response ](information-protection-investigation.md)
+##### [Use sensitivity labels to prioritize incident response](information-protection-investigation.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md
index 9a0cea7281..122b141332 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md
@@ -20,7 +20,7 @@ ms.topic: article
## APIs
-Microsoft Defender ATP APIs are governed by [Microsoft API License and Terms of use](https://docs.microsoft.com/en-us/legal/microsoft-apis/terms-of-use).
+Microsoft Defender ATP APIs are governed by [Microsoft API License and Terms of use](https://docs.microsoft.com/legal/microsoft-apis/terms-of-use).
## Legal Notices
diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
index a550e32f0c..e97f64fda4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
@@ -24,7 +24,7 @@ ms.topic: conceptual
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
In general, you’ll need to take the following steps to use the APIs:
- Create an AAD application
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
index c3b917aac9..edc1463dfc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
@@ -1,57 +1,57 @@
----
-title: Overview of Configuration score in Microsoft Defender Security Center
-ms.reviewer:
-description: Expand your visibility into the overall security configuration posture of your organization
-keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: mjcaparas
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 04/11/2019
----
-# Configuration score
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](prerelease.md)]
-
->[!NOTE]
-> Secure score is now part of Threat & Vulnerability Management as Configuration score. We’ll keep the secure score page available for a few weeks. View the [Secure score](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection) page.
-
-The Microsoft Defender Advanced Threat Protection Configuration score gives you visibility and control over your organization's security posture based on security best practices.
-
-Your configuration score widget shows the collective security configuration state of your machines across the following categories:
-- Application
-- Operating system
-- Network
-- Accounts
-- Security controls
-
-## How it works
-
-What you'll see in the configuration score widget is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously:
-- Compare collected configurations to the collected benchmarks to discover misconfigured assets
-- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by remediating the misconfiguration
-- Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams)
-- Collect and monitor changes of security control configuration state from all assets
-
-From the widget, you'd be able to see which security aspect require attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can take action based on security benchmarks.
-
-## Improve your configuration score
-The goal is to improve your configuration score by remediating the issues in the security recommendations list. You can filter the view based on:
-- **Related component** - **Accounts**, **Application**, **Network**, **OS**, or **Security controls**
-- **Remediation type** - **Configuration change** or **Software update**
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+---
+title: Overview of Configuration score in Microsoft Defender Security Center
+ms.reviewer:
+description: Expand your visibility into the overall security configuration posture of your organization
+keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: mjcaparas
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 04/11/2019
+---
+# Configuration score
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
+
+>[!NOTE]
+> Secure score is now part of Threat & Vulnerability Management as Configuration score. We’ll keep the secure score page available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection) page.
+
+The Microsoft Defender Advanced Threat Protection Configuration score gives you visibility and control over your organization's security posture based on security best practices.
+
+Your configuration score widget shows the collective security configuration state of your machines across the following categories:
+- Application
+- Operating system
+- Network
+- Accounts
+- Security controls
+
+## How it works
+
+What you'll see in the configuration score widget is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously:
+- Compare collected configurations to the collected benchmarks to discover misconfigured assets
+- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by remediating the misconfiguration
+- Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams)
+- Collect and monitor changes of security control configuration state from all assets
+
+From the widget, you'd be able to see which security aspect require attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can take action based on security benchmarks.
+
+## Improve your configuration score
+The goal is to improve your configuration score by remediating the issues in the security recommendations list. You can filter the view based on:
+- **Related component** - **Accounts**, **Application**, **Network**, **OS**, or **Security controls**
+- **Remediation type** - **Configuration change** or **Software update**
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md
index d1a14f1f7d..0911a2d722 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md
@@ -1,45 +1,45 @@
----
-title: Configure Threat & Vulnerability Management in Microsoft Defender ATP
-ms.reviewer:
-description: Configure your Threat & Vulnerability Management to allow security administrators and IT administrators to collaborate seamlessly to remediate issues via Microsoft intune and Microsoft System Center Configuration Manager (SCCM) integrations.
-keywords: RBAC, Threat & Vulnerability Management configuration, Threat & Vulnerability Management integrations, Microsft Intune integration with TVM, SCCM integration with TVM
-search.product: Windows 10
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: mjcaparas
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-# Configure Threat & Vulnerability Management
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](prerelease.md)]
-
-This section guides you through the steps you need to take to configure Threat & Vulnerability Management's integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM) for a seamless collaboration of issue remediation.
-
-### Before you begin
-> [!IMPORTANT]
-> Threat & Vulnerability Management data currently supports Windows 10 machines. Upgrade to Windows 10 to account for the rest of your devices’ threat and vulnerability exposure data.
-
-Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM).
-
->[!WARNING]
->Only Intune and SCCM enrolled devices are supported in this scenario.
->Use any of the following options to enroll devices in Intune:
->- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment)
->- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school)
->- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup).
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
-- [Configuration score](configuration-score.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+---
+title: Configure Threat & Vulnerability Management in Microsoft Defender ATP
+ms.reviewer:
+description: Configure your Threat & Vulnerability Management to allow security administrators and IT administrators to collaborate seamlessly to remediate issues via Microsoft intune and Microsoft System Center Configuration Manager (SCCM) integrations.
+keywords: RBAC, Threat & Vulnerability Management configuration, Threat & Vulnerability Management integrations, Microsft Intune integration with TVM, SCCM integration with TVM
+search.product: Windows 10
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: mjcaparas
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+# Configure Threat & Vulnerability Management
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
+
+This section guides you through the steps you need to take to configure Threat & Vulnerability Management's integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM) for a seamless collaboration of issue remediation.
+
+### Before you begin
+> [!IMPORTANT]
+> Threat & Vulnerability Management data currently supports Windows 10 machines. Upgrade to Windows 10 to account for the rest of your devices’ threat and vulnerability exposure data.
+
+Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM).
+
+>[!WARNING]
+>Only Intune and SCCM enrolled devices are supported in this scenario.
+>Use any of the following options to enroll devices in Intune:
+>- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment)
+>- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school)
+>- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup).
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Configuration score](configuration-score.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
index b13eb91164..b1b6bdea64 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
@@ -61,7 +61,7 @@ You can use existing System Center Configuration Manager functionality to create
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
-3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/packages-and-programs) topic.
+3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs) topic.
a. Choose a predefined device collection to deploy the package to.
@@ -115,7 +115,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
-3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/packages-and-programs) topic.
+3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs) topic.
a. Choose a predefined device collection to deploy the package to.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index 0f9793b0a9..69993debe0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -20,13 +20,14 @@ ms.topic: article
**Applies to:**
+- Windows Server 2008 R2 SP1 (pre-release)
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server, version 1803
- Windows Server, 2019
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[!include[Prerelease information](prerelease.md)]
+[!include[Prerelease information](prerelease.md)]
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink)
@@ -34,6 +35,7 @@ ms.topic: article
Microsoft Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Microsoft Defender Security Center console.
The service supports the onboarding of the following servers:
+- Windows Server 2008 R2 SP1 (pre-release)
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server, version 1803
@@ -42,9 +44,9 @@ The service supports the onboarding of the following servers:
For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128).
-## Windows Server 2012 R2 and Windows Server 2016
+## Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016
-There are two options to onboard Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP:
+There are two options to onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP:
- **Option 1**: Onboard through Azure Security Center
- **Option 2**: Onboard through Microsoft Defender Security Center
@@ -52,19 +54,25 @@ There are two options to onboard Windows Server 2012 R2 and Windows Server 2016
### Option 1: Onboard servers through Azure Security Center
1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
-2. Select Windows Server 2012 R2 and 2016 as the operating system.
+2. Select Windows Server 2008 R2 SP1, 2012 R2 and 2016 as the operating system.
3. Click **Onboard Servers in Azure Security Center**.
4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
### Option 2: Onboard servers through Microsoft Defender Security Center
-You'll need to tak the following steps if you choose to onboard servers through Microsoft Defender Security Center.
+You'll need to take the following steps if you choose to onboard servers through Microsoft Defender Security Center.
-- For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients.
+- For Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements:
+ - Install the [February monthly update rollup](https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598)
+ - Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
+ - Install either [.NET framework 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
+
+
+- For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients.
>[!NOTE]
- >This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2.
+ >This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
- Turn on server monitoring from Microsoft Defender Security Center.
- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), simply attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multi Homing support. Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
@@ -219,7 +227,7 @@ To offboard the server, you can use either of the following methods:
b. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID:
- 
+ 
2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`:
@@ -237,4 +245,4 @@ To offboard the server, you can use either of the following methods:
- [Onboard non-Windows machines](configure-endpoints-non-windows.md)
- [Configure proxy and Internet connectivity settings](configure-proxy-internet.md)
- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md)
-- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
+- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index 8f0d992e58..92914defd5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -23,6 +23,10 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+Create custom detection rules from [Advanced hunting](overview-hunting.md) queries to automatically check for threat indicators and generate alerts whenever these indicators are found.
+
+>[!NOTE]
+>To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
1. In the navigation pane, select **Advanced hunting**.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
index eac5c12814..249bf4cfb4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
@@ -30,7 +30,7 @@ ms.date: 04/24/2018
During the onboarding process, a wizard takes you through the general settings of Microsoft Defender ATP. After onboarding, you might want to update the data retention settings.
-1. In the navigation pane, select **Settings** > **Data rention**.
+1. In the navigation pane, select **Settings** > **Data retention**.
2. Select the data retention duration from the drop-down list.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
index 0958ac0a89..ab927de17d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
@@ -30,7 +30,7 @@ If you need programmatic access Microsoft Defender ATP without a user, refer to
If you are not sure which access you need, read the [Introduction page](apis-intro.md).
-Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate work flows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate work flows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
In general, you’ll need to take the following steps to use the APIs:
- Create an AAD application
@@ -106,7 +106,7 @@ This page explains how to create an AAD application, get an access token to Micr
## Get an access token
-For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
+For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
### Using C#
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md
index ae8e9f68c9..4b2377c9a3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md
@@ -31,7 +31,7 @@ If you need programmatic access Microsoft Defender ATP on behalf of a user, see
If you are not sure which access you need, see [Get started](apis-intro.md).
-Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate workflows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate workflows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
In general, you’ll need to take the following steps to use the APIs:
- Create an AAD application
@@ -130,7 +130,7 @@ This page explains how to create an AAD application, get an access token to Micr
## Get an access token examples:
-For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
+For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
### Using PowerShell
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
index b17168bee0..58362fcab8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
@@ -40,7 +40,7 @@ In this section we share PowerShell samples to
Set-ExecutionPolicy -ExecutionPolicy Bypass
```
->For more details, refer to [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy)
+>For more details, refer to [PowerShell documentation](https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy)
## Get token
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
index feddd27cd5..72a68df56d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
@@ -50,7 +50,7 @@ Sensitive information types in the Office 365 data loss prevention (DLP) impleme
Default sensitive information types include information such as bank account numbers, social security numbers, or national IDs. For more information, see [What the sensitive information type look for](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for).
-Custom types are ones that you define and is designed to protect a different type of sensitive information (for example, employee IDs or project numbers). For more information see, [Create a custom sensitive information type](https://docs.microsoft.com/en-us/office365/securitycompliance/create-a-custom-sensitive-information-type).
+Custom types are ones that you define and is designed to protect a different type of sensitive information (for example, employee IDs or project numbers). For more information see, [Create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type).
When a file is created or edited on a Windows device, Windows Defender ATP scans the content to evaluate if it contains sensitive information.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
index 275fc11cea..a70b53af9f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
@@ -93,7 +93,7 @@ The **Artifact timeline** feature provides an addition view of the evidence that
Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization.
## Related topics
-- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md)
+- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
index 283772ed84..0df367e9d4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
@@ -60,7 +60,7 @@ The **Most recent observed machinew with URL** section provides a chronological
5. Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.
## Related topics
-- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md)
+- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
index fc752990fc..cf7f97c744 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
@@ -65,7 +65,7 @@ The **Most recent observed machines with the file** section allows you to specif
This allows for greater accuracy in defining entities to display such as if and when an entity was observed in the organization. For example, if you’re trying to identify the origin of a network communication to a certain IP Address within a 10-minute period on a given date, you can specify that exact time interval, and see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching.
## Related topics
-- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md)
+- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
index fda84c5cce..eaabada51a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
@@ -67,7 +67,7 @@ Use the search filters to define the search criteria. You can also use the timel
Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.
## Related topics
-- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md)
+- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
index 7d7bd87571..5cdc7994a1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
@@ -159,7 +159,7 @@ The **Discovered vulnerabilities** section shows the name, severity, and threat
## Related topics
-- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md)
+- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
index 69493fe5ec..f4570512ea 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
@@ -85,7 +85,7 @@ You can filter the results by the following time periods:
- 6 months
## Related topics
-- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md)
+- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
index 149999abec..c431ecb195 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
@@ -1,212 +1,212 @@
----
-title: Live response command examples
-description: Learn about common commands and see examples on how it's used
-keywords: example, command, cli, remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Live response command examples
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
-
-Learn about common commands used in live response and see examples on how they are typically used.
-
-Depending on the role that's been granted to you, you can run basic or advanced live response commands. For more information on basic and advanced commands, see [Investigate entities on machines using live response](live-response.md).
-
-
-## analyze
-
-```
-# Analyze the file malware.txt
-analyze file c:\Users\user\Desktop\malware.txt
-```
-
-```
-# Analyze the process by PID
-analyze process 1234
-```
-
-## connections
-
-```
-# List active connections in json format using parameter name
-connections -output json
-```
-
-```
-# List active connections in json format without parameter name
-connections json
-```
-
-## dir
-
-```
-# List files and sub-folders in the current folder
-dir
-```
-
-```
-# List files and sub-folders in a specific folder
-dir C:\Users\user\Desktop\
-```
-
-```
-# List files and subfolders in the current folder in json format
-dir -output json
-```
-
-## fileinfo
-
-```
-# Display information about a file
-fileinfo C:\Windows\notepad.exe
-```
-
-## findfile
-
-```
-# Find file by name
-findfile test.txt
-```
-
-## getfile
-
-```
-# Download a file from a machine
-getfile c:\Users\user\Desktop\work.txt
-```
-
-```
-# Download a file from a machine, automatically run prerequisite commands
-getfile c:\Users\user\Desktop\work.txt -auto
-```
-
-## processes
-```
-# Show all processes
-processes
-```
-
-```
-# Get process by pid
-processes 123
-```
-
-```
-# Get process by pid with argument name
-processes -pid 123
-```
-
-```
-# Get process by name
-processes -name notepad.exe
-```
-
-## putfile
-
-```
-# Upload file from library
-putfile get-process-by-name.ps1
-```
-
-```
-# Upload file from library, overwrite file if it exists
-putfile get-process-by-name.ps1 -overwrite
-```
-
-```
-# Upload file from library, keep it on the machine after a restart
-putfile get-process-by-name.ps1 -keep
-```
-
-## registry
-
-```
-# Show information about the values in a registry key
-registry HKEY_CURRENT_USER\Console
-```
-
-```
-# Show information about a specific registry value
-registry HKEY_CURRENT_USER\Console\\ScreenBufferSize
-```
-
-
-## remediate
-
-```
-# Remediate file in specific path
-remediate file c:\Users\user\Desktop\malware.exe
-```
-
-```
-# Remediate process with specific PID
-remediate process 7960
-```
-
-```
-# See list of all remediated entities
-remediate list
-```
-
-## run
-
-```
-# Run PowerShell script from the library without arguments
-run script.ps1
-```
-
-```
-# Run PowerShell script from the library with arguments
-run get-process-by-name.ps1 -parameters "-processName Registry"
-```
-
-## scheduledtask
-
-```
-# Get all scheduled tasks
-scheduledtasks
-```
-
-```
-# Get specific scheduled task by location and name
-scheduledtasks Microsoft\Windows\Subscription\LicenseAcquisition
-```
-
-```
-# Get specific scheduled task by location and name with spacing
-scheduledtasks "Microsoft\Configuration Manager\Configuration Manager Health Evaluation"
-```
-
-
-## undo
-
-```
-# Restore remediated registry
-undo registry HKEY_CURRENT_USER\Console\ScreenBufferSize
-```
-
-```
-# Restore remediated scheduledtask
-undo scheduledtask Microsoft\Windows\Subscription\LicenseAcquisition
-```
-
-```
-# Restore remediated file
-undo file c:\Users\user\Desktop\malware.exe
-```
-
+---
+title: Live response command examples
+description: Learn about common commands and see examples on how it's used
+keywords: example, command, cli, remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Live response command examples
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+
+
+Learn about common commands used in live response and see examples on how they are typically used.
+
+Depending on the role that's been granted to you, you can run basic or advanced live response commands. For more information on basic and advanced commands, see [Investigate entities on machines using live response](live-response.md).
+
+
+## analyze
+
+```
+# Analyze the file malware.txt
+analyze file c:\Users\user\Desktop\malware.txt
+```
+
+```
+# Analyze the process by PID
+analyze process 1234
+```
+
+## connections
+
+```
+# List active connections in json format using parameter name
+connections -output json
+```
+
+```
+# List active connections in json format without parameter name
+connections json
+```
+
+## dir
+
+```
+# List files and sub-folders in the current folder
+dir
+```
+
+```
+# List files and sub-folders in a specific folder
+dir C:\Users\user\Desktop\
+```
+
+```
+# List files and subfolders in the current folder in json format
+dir -output json
+```
+
+## fileinfo
+
+```
+# Display information about a file
+fileinfo C:\Windows\notepad.exe
+```
+
+## findfile
+
+```
+# Find file by name
+findfile test.txt
+```
+
+## getfile
+
+```
+# Download a file from a machine
+getfile c:\Users\user\Desktop\work.txt
+```
+
+```
+# Download a file from a machine, automatically run prerequisite commands
+getfile c:\Users\user\Desktop\work.txt -auto
+```
+
+## processes
+```
+# Show all processes
+processes
+```
+
+```
+# Get process by pid
+processes 123
+```
+
+```
+# Get process by pid with argument name
+processes -pid 123
+```
+
+```
+# Get process by name
+processes -name notepad.exe
+```
+
+## putfile
+
+```
+# Upload file from library
+putfile get-process-by-name.ps1
+```
+
+```
+# Upload file from library, overwrite file if it exists
+putfile get-process-by-name.ps1 -overwrite
+```
+
+```
+# Upload file from library, keep it on the machine after a restart
+putfile get-process-by-name.ps1 -keep
+```
+
+## registry
+
+```
+# Show information about the values in a registry key
+registry HKEY_CURRENT_USER\Console
+```
+
+```
+# Show information about a specific registry value
+registry HKEY_CURRENT_USER\Console\\ScreenBufferSize
+```
+
+
+## remediate
+
+```
+# Remediate file in specific path
+remediate file c:\Users\user\Desktop\malware.exe
+```
+
+```
+# Remediate process with specific PID
+remediate process 7960
+```
+
+```
+# See list of all remediated entities
+remediate list
+```
+
+## run
+
+```
+# Run PowerShell script from the library without arguments
+run script.ps1
+```
+
+```
+# Run PowerShell script from the library with arguments
+run get-process-by-name.ps1 -parameters "-processName Registry"
+```
+
+## scheduledtask
+
+```
+# Get all scheduled tasks
+scheduledtasks
+```
+
+```
+# Get specific scheduled task by location and name
+scheduledtasks Microsoft\Windows\Subscription\LicenseAcquisition
+```
+
+```
+# Get specific scheduled task by location and name with spacing
+scheduledtasks "Microsoft\Configuration Manager\Configuration Manager Health Evaluation"
+```
+
+
+## undo
+
+```
+# Restore remediated registry
+undo registry HKEY_CURRENT_USER\Console\ScreenBufferSize
+```
+
+```
+# Restore remediated scheduledtask
+undo scheduledtask Microsoft\Windows\Subscription\LicenseAcquisition
+```
+
+```
+# Restore remediated file
+undo file c:\Users\user\Desktop\malware.exe
+```
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
index 358e414a2d..d3ed3224e5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
@@ -1,255 +1,255 @@
----
-title: Investigate entities on machines using live response in Microsoft Defender ATP
-description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real-time.
-keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file,
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Investigate entities on machines using live response
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](prerelease.md)]
-
-
-Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time.
-
-Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
-
-With live response, analysts will have the ability to:
-- Run basic and advanced commands to do investigative work
-- Download files such as malware samples and outcomes of PowerShell scripts
-- Upload a PowerShell script or executable to the library and run it on the machine from a tenant level
-- Take or undo remediation actions
-
-
-## Before you begin
-Before you can initiate a session on a machine, make sure you fulfill the following requirements:
-
-- Machines must be Windows 10, version 18323 (also known as Windows 10 19H1) or later.
-
-- **Enable live response from the settings page**
-You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page.
-
- >[!NOTE]
- >Only users with manage security or global admin roles can edit these settings.
-
-- **Enable live response unsigned script execution** (optional)
-
- >[!WARNING]
- >Allowing the use of unsigned scripts may increase your exposure to threats.
-
- Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
-
-- **Ensure that you have the appropriate permissions**
- Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments see, [Create and manage roles](user-roles.md).
-
- Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permission are controlled by RBAC custom role.
-
-## Live response dashboard overview
-When you initiate a live response session on a machine, a dashboard opens. The dashboard provides information about the session such as:
-
-- Who created the session
-- When the session started
-- The duration of the session
-
-The dashboard also gives you access to:
-- Disconnect session
-- Upload files to the library
-- Command console
-- Command log
-
-
-## Initiate a live response session on a machine
-
-1. Log in to Microsoft Defender Security Center.
-2. Navigate to the machines list page and select a machine to investigate. The machine page opens.
-
- >[!NOTE]
- >Machines must be on Windows 10, version 18323 (also known as Windows 10 19H1) or later.
-
-2. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the machine.
-3. Use the built-in commands to do investigative work. For more information see, [Live response commands](#live-response-commands).
-4. After completing your investigation, select **Disconnect session**, then select **Confirm**.
-
-
-
-## Live response commands
-Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments see, [Create and manage roles](user-roles.md).
-
-### Basic commands
-The following commands are available for user roles that's been granted the ability to run **basic** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md).
-
-Command | Description
-:---|:---|:---
-cd | Changes the current directory.
-cls | Clears the console screen.
-connect | Initiates a live response session to the machine.
-connections | Shows all the active connections.
-dir | Shows a list of files and subdirectories in a directory
-drivers | Shows all drivers installed on the machine.
-fileinfo | Get information about a file.
-findfile | Locates files by a given name on the machine.
-help | Provides help information for live response commands.
-persistence | Shows all known persistence methods on the machine.
-processes | Shows all processes running on the machine.
-registry | Shows registry values.
-scheduledtasks| Shows all scheduled tasks on the machine.
-services | Shows all services on the machine.
-trace | Sets the terminal's logging mode to debug.
-
-
-### Advanced commands
-The following commands are available for user roles that's been granted the ability to run **advanced** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md).
-
-Command | Description
-:---|:---
-analyze | Analyses the entity with various incrimination engines to reach a verdict.
-getfile | Gets a file from the machine.
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `getfile` to automatically run the prerequisite command.
-run | Runs a PowerShell script from the library on the machine.
-library | Lists files that were uploaded to the live response library.
-putfile | Puts a file from the library to the machine. Files are saved in a working folder and are deleted when the machine restarts by default.
-remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type:
- File: delete
- Process: stop, delete image file
- Service: stop, delete image file
- Registry entry: delete
- Scheduled task: remove
- Startup folder item: delete file
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `remediate` to automatically run the prerequisite command.
-undo | Restores an entity that was remediated.
-
-
-## Use live response commands
-The commands that you can use in the console follow similar principles as [Windows Commands](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/windows-commands#BKMK_c).
-
-The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the machine, and take remediation actions on an entity.
-
-### Get a file from the machine
-For scenarios when you'd like get a file from a machine you're investigating, you can use the `getfile` command. This allows you to save the file from the machine for further investigation.
-
->[!NOTE]
->There is a file size limit of 750mb.
-
-### Put a file in the library
-Live response has a library where you can put files into. The library stores files (such as scripts) that can be run in a live response session at the tenant level.
-
-Live response allows PowerShell scripts to run, however you must first put the files into the library before you can run them.
-
-You can have a collection of PowerShell scripts that can run on machines that you initiate live response sessions with.
-
-**To upload a file in the library:**
-1. Click **Upload file to library**.
-2. Click **Browse** and select the file.
-3. Provide a brief description.
-4. Specify if you'd like to overwrite a file with the same name.
-5. If you'd like to be know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description.
-6. Click **Confirm**.
-7. (Optional) To verify that the file was uploaded to the library, run the `library` command.
-
-
-### Cancel a command
-Anytime during a session, you can cancel a command by pressing CTRL + C.
-
->[!WARNING]
->Using this shortcut will not stop the command in the agent side. It will only cancel the command in the portal. So, changing operations such as "remediate" may continue, while the command is canceled.
-
-
-
-### Automatically run prerequisite commands
-Some commands have prerequisite commands to run. If you don't run the prerequisite command, you'll get an error. For example, running the `download` command without `fileinfo` will return an error.
-
-You can use the auto flag to automatically run prerequisite commands, for example:
-
-```
-getfile c:\Users\user\Desktop\work.txt -auto
-```
-
-
-## Run a PowerShell script
-Before you can run a PowerShell script, you must first upload it to the library.
-
-After uploading the script to the library, use the `run` command to run the script.
-
-If you plan to use an unsigned script in the session, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
-
->[!WARNING]
->Allowing the use of unsigned scripts may increase your exposure to threats.
-
-
-
-## Apply command parameters
-- View the console help to learn about command parameters. To learn about an individual command, run:
-
- `help `
-
-- When applying parameters to commands, note that parameters are handled based on a fixed order:
-
- ` param1 param2`
-
-- When specifying parameters outside of the fixed order, specify the name of the parameter with a hyphen before providing the value:
-
- ` -param2_name param2`
-
-- When using commands that have prerequisite commands, you can use flags:
-
- ` -type file -id - auto` or `remediate file - auto`.
-
-
-
-## Supported output types
-Live response supports table and JSON format output types. For each command, there's a default output behavior. You can modify the output in your preferred output format using the following commands:
-
-- `-output json`
-- `-output table`
-
->[!NOTE]
->Fewer fields are shown in table format due to the limited space. To see more details in the output, you can use the JSON output command so that more details are shown.
-
-
-## Supported output pipes
-Live response supports output piping to CLI and file. CLI is the default output behavior. You can pipe the output to a file using the following command: [command] > [filename].txt.
-
-Example:
-
-```
-processes > output.txt
-```
-
-
-
-## View the command log
-Select the **Command log** tab to see the commands used on the machine during a session.
-Each command is tracked with full details such as:
-- ID
-- Command line
-- Duration
-- Status and input or output side bar
-
-
-
-
-## Limitations
-- Live response sessions are limited to 10 live response sessions at a time
-- Large scale command execution is not supported
-- A user can only initiate one session at a time
-- A machine can only be in one session at a time
-- There is a file size limit of 750mb when downloading files from a machine
-
-## Related topic
-- [Live response command examples](live-response-command-examples.md)
-
-
-
-
-
-
-
-
-
+---
+title: Investigate entities on machines using live response in Microsoft Defender ATP
+description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real-time.
+keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file,
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Investigate entities on machines using live response
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time.
+
+Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
+
+With live response, analysts will have the ability to:
+- Run basic and advanced commands to do investigative work
+- Download files such as malware samples and outcomes of PowerShell scripts
+- Upload a PowerShell script or executable to the library and run it on the machine from a tenant level
+- Take or undo remediation actions
+
+
+## Before you begin
+Before you can initiate a session on a machine, make sure you fulfill the following requirements:
+
+- Machines must be Windows 10, version 18323 (also known as Windows 10 19H1) or later.
+
+- **Enable live response from the settings page**
+You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page.
+
+ >[!NOTE]
+ >Only users with manage security or global admin roles can edit these settings.
+
+- **Enable live response unsigned script execution** (optional)
+
+ >[!WARNING]
+ >Allowing the use of unsigned scripts may increase your exposure to threats.
+
+ Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
+
+- **Ensure that you have the appropriate permissions**
+ Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments see, [Create and manage roles](user-roles.md).
+
+ Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permission are controlled by RBAC custom role.
+
+## Live response dashboard overview
+When you initiate a live response session on a machine, a dashboard opens. The dashboard provides information about the session such as:
+
+- Who created the session
+- When the session started
+- The duration of the session
+
+The dashboard also gives you access to:
+- Disconnect session
+- Upload files to the library
+- Command console
+- Command log
+
+
+## Initiate a live response session on a machine
+
+1. Log in to Microsoft Defender Security Center.
+2. Navigate to the machines list page and select a machine to investigate. The machine page opens.
+
+ >[!NOTE]
+ >Machines must be on Windows 10, version 18323 (also known as Windows 10 19H1) or later.
+
+2. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the machine.
+3. Use the built-in commands to do investigative work. For more information see, [Live response commands](#live-response-commands).
+4. After completing your investigation, select **Disconnect session**, then select **Confirm**.
+
+
+
+## Live response commands
+Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments see, [Create and manage roles](user-roles.md).
+
+### Basic commands
+The following commands are available for user roles that's been granted the ability to run **basic** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md).
+
+Command | Description
+:---|:---|:---
+cd | Changes the current directory.
+cls | Clears the console screen.
+connect | Initiates a live response session to the machine.
+connections | Shows all the active connections.
+dir | Shows a list of files and subdirectories in a directory
+drivers | Shows all drivers installed on the machine.
+fileinfo | Get information about a file.
+findfile | Locates files by a given name on the machine.
+help | Provides help information for live response commands.
+persistence | Shows all known persistence methods on the machine.
+processes | Shows all processes running on the machine.
+registry | Shows registry values.
+scheduledtasks| Shows all scheduled tasks on the machine.
+services | Shows all services on the machine.
+trace | Sets the terminal's logging mode to debug.
+
+
+### Advanced commands
+The following commands are available for user roles that's been granted the ability to run **advanced** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md).
+
+Command | Description
+:---|:---
+analyze | Analyses the entity with various incrimination engines to reach a verdict.
+getfile | Gets a file from the machine.
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `getfile` to automatically run the prerequisite command.
+run | Runs a PowerShell script from the library on the machine.
+library | Lists files that were uploaded to the live response library.
+putfile | Puts a file from the library to the machine. Files are saved in a working folder and are deleted when the machine restarts by default.
+remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type:
- File: delete
- Process: stop, delete image file
- Service: stop, delete image file
- Registry entry: delete
- Scheduled task: remove
- Startup folder item: delete file
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `remediate` to automatically run the prerequisite command.
+undo | Restores an entity that was remediated.
+
+
+## Use live response commands
+The commands that you can use in the console follow similar principles as [Windows Commands](https://docs.microsoft.com/windows-server/administration/windows-commands/windows-commands#BKMK_c).
+
+The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the machine, and take remediation actions on an entity.
+
+### Get a file from the machine
+For scenarios when you'd like get a file from a machine you're investigating, you can use the `getfile` command. This allows you to save the file from the machine for further investigation.
+
+>[!NOTE]
+>There is a file size limit of 750mb.
+
+### Put a file in the library
+Live response has a library where you can put files into. The library stores files (such as scripts) that can be run in a live response session at the tenant level.
+
+Live response allows PowerShell scripts to run, however you must first put the files into the library before you can run them.
+
+You can have a collection of PowerShell scripts that can run on machines that you initiate live response sessions with.
+
+**To upload a file in the library:**
+1. Click **Upload file to library**.
+2. Click **Browse** and select the file.
+3. Provide a brief description.
+4. Specify if you'd like to overwrite a file with the same name.
+5. If you'd like to be know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description.
+6. Click **Confirm**.
+7. (Optional) To verify that the file was uploaded to the library, run the `library` command.
+
+
+### Cancel a command
+Anytime during a session, you can cancel a command by pressing CTRL + C.
+
+>[!WARNING]
+>Using this shortcut will not stop the command in the agent side. It will only cancel the command in the portal. So, changing operations such as "remediate" may continue, while the command is canceled.
+
+
+
+### Automatically run prerequisite commands
+Some commands have prerequisite commands to run. If you don't run the prerequisite command, you'll get an error. For example, running the `download` command without `fileinfo` will return an error.
+
+You can use the auto flag to automatically run prerequisite commands, for example:
+
+```
+getfile c:\Users\user\Desktop\work.txt -auto
+```
+
+
+## Run a PowerShell script
+Before you can run a PowerShell script, you must first upload it to the library.
+
+After uploading the script to the library, use the `run` command to run the script.
+
+If you plan to use an unsigned script in the session, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
+
+>[!WARNING]
+>Allowing the use of unsigned scripts may increase your exposure to threats.
+
+
+
+## Apply command parameters
+- View the console help to learn about command parameters. To learn about an individual command, run:
+
+ `help `
+
+- When applying parameters to commands, note that parameters are handled based on a fixed order:
+
+ ` param1 param2`
+
+- When specifying parameters outside of the fixed order, specify the name of the parameter with a hyphen before providing the value:
+
+ ` -param2_name param2`
+
+- When using commands that have prerequisite commands, you can use flags:
+
+ ` -type file -id - auto` or `remediate file - auto`.
+
+
+
+## Supported output types
+Live response supports table and JSON format output types. For each command, there's a default output behavior. You can modify the output in your preferred output format using the following commands:
+
+- `-output json`
+- `-output table`
+
+>[!NOTE]
+>Fewer fields are shown in table format due to the limited space. To see more details in the output, you can use the JSON output command so that more details are shown.
+
+
+## Supported output pipes
+Live response supports output piping to CLI and file. CLI is the default output behavior. You can pipe the output to a file using the following command: [command] > [filename].txt.
+
+Example:
+
+```
+processes > output.txt
+```
+
+
+
+## View the command log
+Select the **Command log** tab to see the commands used on the machine during a session.
+Each command is tracked with full details such as:
+- ID
+- Command line
+- Duration
+- Status and input or output side bar
+
+
+
+
+## Limitations
+- Live response sessions are limited to 10 live response sessions at a time
+- Large scale command execution is not supported
+- A user can only initiate one session at a time
+- A machine can only be in one session at a time
+- There is a file size limit of 750mb when downloading files from a machine
+
+## Related topic
+- [Live response command examples](live-response-command-examples.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
index 2dc83b0d07..c5abbcade3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
@@ -80,4 +80,4 @@ For example, to show data about Windows 10 machines with Active sensor health st
## Related topic
-- [Threat protection report ](threat-protection-reports.md)
\ No newline at end of file
+- [Threat protection report](threat-protection-reports.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
index c02a9598e4..046e0f4f05 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
@@ -116,7 +116,7 @@ Added comments instantly appear on the pane.
## Related topics
- [Manage suppression rules](manage-suppression-rules.md)
-- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md)
+- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
index aac7917bca..c72919ffb8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
@@ -82,7 +82,7 @@ The attack surface reduction set of capabilities provide the first line of defen
-**[Next generation protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)**
+**[Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)**
To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index 442773e50f..661633b8eb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -57,6 +57,7 @@ For more information about licensing requirements for Microsoft Defender ATP pla
- Windows 10 Pro
- Windows 10 Pro Education
- Windows server
+ - Windows Server 2008 R2 SP1
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2016, version 1803
@@ -86,7 +87,7 @@ When you run the onboarding wizard for the first time, you must choose where you
> - You cannot change your data storage location after the first-time setup.
> - Review the [Microsoft Defender ATP data storage and privacy](data-storage-privacy.md) for more information on where and how Microsoft stores your data.
-
+
### Diagnostic data settings
You must ensure that the diagnostic data service is enabled on all the machines in your organization.
By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
index 666ab6abfe..070ec84568 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
@@ -1,68 +1,68 @@
----
-title: Next-generation Threat & Vulnerability Management
-ms.reviewer:
-description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
-keywords: threat and vulnerability management, MDATP-TVM, vulnerability management, threat and vulnerability scanning
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: mjcaparas
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Threat & Vulnerability Management
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](prerelease.md)]
-
-Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrustructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
-
-It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.
-
-## Next-generation capabilities
-Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase.
-
-It is the first solution in the industry to automate the remediation process through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) for patching, configuration changes, or upgrades.
->[!Note]
-> Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks.
-
-It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication.
-- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
-- Linked machine vulnerability and security configuration assessment data in the context of exposure discovery
-- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager
-
-### Real-time discovery
-
-To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerability Management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides:
-- Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard.
-- Visibility into software and vulnerabilities. Optics into the organization’s software inventory, as well as software changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
-- Application runtime context. Constant visibility into application usage patterns for better prioritization and decision-making. Critical dependencies, such as vulnerable runtime libraries being loaded by other applications, are made visible.
-- Configuration posture. Visibility into organizational security configuration, surfacing issues like disabled antivirus, enabled SMBv1, or misconfigurations that could allow escalation of privileges. Issues are reported in the dashboard with actionable security recommendations.
-
-### Intelligence-driven prioritization
-
-Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context:
-- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk.
-- Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization.
-- Protecting high-value assets. Microsoft Defender ATP’s integration with Azure Information Protection allows Threat & Vulnerability Management to call attention to exposed machines with business-critical applications, confidential data, or high-value users.
-
-### Seamless remediation
-
-Microsoft Defender ATP’s Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues.
-- One-click remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune with one click. We plan to expand this capability to other IT security management platforms.
-- Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
-- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization.
-
-## Related topics
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
-- [Configuration score](configuration-score.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+---
+title: Next-generation Threat & Vulnerability Management
+ms.reviewer:
+description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
+keywords: threat and vulnerability management, MDATP-TVM, vulnerability management, threat and vulnerability scanning
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: mjcaparas
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Threat & Vulnerability Management
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
+
+Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrustructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
+
+It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.
+
+## Next-generation capabilities
+Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase.
+
+It is the first solution in the industry to automate the remediation process through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) for patching, configuration changes, or upgrades.
+>[!Note]
+> Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks.
+
+It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication.
+- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
+- Linked machine vulnerability and security configuration assessment data in the context of exposure discovery
+- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager
+
+### Real-time discovery
+
+To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerability Management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides:
+- Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard.
+- Visibility into software and vulnerabilities. Optics into the organization’s software inventory, as well as software changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
+- Application runtime context. Constant visibility into application usage patterns for better prioritization and decision-making. Critical dependencies, such as vulnerable runtime libraries being loaded by other applications, are made visible.
+- Configuration posture. Visibility into organizational security configuration, surfacing issues like disabled antivirus, enabled SMBv1, or misconfigurations that could allow escalation of privileges. Issues are reported in the dashboard with actionable security recommendations.
+
+### Intelligence-driven prioritization
+
+Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context:
+- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk.
+- Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization.
+- Protecting high-value assets. Microsoft Defender ATP’s integration with Azure Information Protection allows Threat & Vulnerability Management to call attention to exposed machines with business-critical applications, confidential data, or high-value users.
+
+### Seamless remediation
+
+Microsoft Defender ATP’s Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues.
+- One-click remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune with one click. We plan to expand this capability to other IT security management platforms.
+- Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
+- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization.
+
+## Related topics
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Configuration score](configuration-score.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
index 9e5d1c75b1..bec39c02a1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
@@ -70,7 +70,7 @@ Review the following details to verify minimum system requirements:
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
>Don't install .NET framework 4.0.x, since it will negate the above installation.
-- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-concept-hybrid#prerequisites)
+- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-concept-hybrid#prerequisites)
@@ -92,7 +92,7 @@ Once completed, you should see onboarded endpoints in the portal within an hour.
### Configure proxy and Internet connectivity settings
-- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway).
+- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway).
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Microsoft Defender ATP service:
Agent Resource | Ports
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
index eb814bb184..d9d1de552d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
@@ -1,7 +1,7 @@
---
title: Custom detections overview
ms.reviewer:
-description: Understand how how you can leverage the power of advanced hunting to create custom detections
+description: Understand how you can leverage the power of advanced hunting to create custom detections
keywords: custom detections, detections, advanced hunting, hunt, detect, query
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -24,13 +24,16 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Alerts in Microsoft Defender ATP are surfaced through the system based on signals gathered from endpoints. With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats.
+Alerts in Microsoft Defender ATP are surfaced through the system based on signals gathered from endpoints. With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious events or emerging threats.
-This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
+This can be done by leveraging the power of [Advanced hunting](overview-hunting.md) through the creation of custom detection rules.
Custom detections are queries that run periodically every 24 hours and can be configured so that when the query meets the criteria you set, alerts are created and are surfaced in Microsoft Defender Security Center. These alerts will be treated like any other alert in the system.
This capability is particularly useful for scenarios when you want to pro-actively prevent threats and be notified quickly of emerging threats.
+>[!NOTE]
+>To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
+
## Related topic
- [Create custom detection rules](custom-detection-rules.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
index f65850cce0..c70bb4f029 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
@@ -45,7 +45,7 @@ You can access these options from Microsoft Defender Security Center. Both the P
## Create a Microsoft Defender ATP dashboard on Power BI service
Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.
-1. In the navigation pane, select **Settings** > **Power BI reports**.
+1. In the navigation pane, select **Settings** > **General** > **Power BI reports**.
2. Click **Create dashboard**.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
index 2cd29e4940..ebc7ab056b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@@ -42,6 +42,8 @@ Turn on the preview experience setting to be among the first to try upcoming fea
## Preview features
The following features are included in the preview release:
+- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016)
You can now onboard Windows Server 2008 R2 SP1.
+
- [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac)
Microsoft Defender ATP for Mac brings the next-generation protection, and endpoint detection and response coverage to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices.
- [Live response](live-response.md)
Get instantaneous access to a machine using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md
index 389a39fd4a..409f485d23 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md
@@ -31,7 +31,7 @@ You first need to [create an app](apis-intro.md).
## Use case
A common scenario is scheduling an advanced query and using the results for follow up actions and processing.
-In this section we share sample for this purpose using [Microsoft Flow](https://flow.microsoft.com/) (or [Logic Apps](https://azure.microsoft.com/en-us/services/logic-apps/)).
+In this section we share sample for this purpose using [Microsoft Flow](https://flow.microsoft.com/) (or [Logic Apps](https://azure.microsoft.com/services/logic-apps/)).
## Define a flow to run query and parse results
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
index 1c62e63285..bd86e1319d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
@@ -37,7 +37,7 @@ You first need to [create an app](apis-intro.md).
Set-ExecutionPolicy -ExecutionPolicy Bypass
```
->For more details, see [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy)
+>For more details, see [PowerShell documentation](https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy)
## Get token
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
index 20faa27ae0..5d53cdeabf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@@ -1,108 +1,108 @@
----
-title: Threat & Vulnerability Management scenarios
-ms.reviewer:
-description: Learn how to use Threat & Vulnerability Management in the context of scenarios that Security Administrators encounter when collaborating with IT Administrators and SecOps while protecting their organization from cybersecurity threats.
-keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase configuration score, increase threat & vulnerability configuration score, configuration score, exposure score, security controls
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: mjcaparas
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Threat & Vulnerability Management scenarios
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](prerelease.md)]
-
-## Before you begin
-Ensure that your machines:
-- Are onboarded to Microsoft Defender Advanced Threat Protection
-- Running with Windows 10 1709 (Fall Creators Update) or later
-- Have the following mandatory updates installed:
-- (1) RS3 customers | [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441)
-- (2) RS4 customers | [KB4493464](https://support.microsoft.com/en-us/help/4493464)
-- Have at least one security recommendation that can be viewed in the machine page
-- Are tagged or marked as co-managed
-
-
-## Reduce your threat and vulnerability exposure
-Threat & Vulnerability Management introduces a new exposure score metric which visually represents how exposed your machines are to imminent threats.
-
-The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
-- Weaknesses, such as vulnerabilities and misconfigurations discovered on the device
-- External and internal threats such as public exploit code and security alerts
-- Likelihood of the device getting breached given its current security posture
-- Value of the device to the organization given its role and content
-
-The exposure score is broken down into the following levels:
-- 0 to 29: low exposure score
-- 30 to 69: medium exposure score
-- 70 to 100: high exposure score
-
-You can reduce the exposure score by remediating issues based on prioritized security recommendations. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization.
-
-To lower down your threat and vulnerability exposure:
-
-1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. This opens the **Security recommendation** page.
-
- >>
-
- >[!NOTE]
- > There are two types of recommendations:
- > - Security update which refers to recommendations that require a package installation
- > - Configuration change which refers to recommendations that require a registry or GPO modification
- > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight  icon.
-
-2. In the **Security recommendations** page, you will see the description of what needs to be done and why. It shows the vulnerability details, such as the associated exploits affecting what machines and its business impact. Click **Open software page** option from the flyout menu. 
-
-3. Click **Installed machines** and select the affected machine from the list to open the flyout page with the relevant machine details, exposure and risk levels, alert and incident activities. 
-
-4. Click **Open machine page** to connect to the machine and apply the selected recommendation. 
-
-5. Allow a few hours for the changes to propagate in the system.
-
-6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate won't be listed there anymore, and the exposure score should decrease.
-
-## Improve your security configuration
->[!NOTE]
-> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md). We’ll keep the secure score page available for a few weeks. View the [secure score](https://securitycenter.windows.com/securescore) page.
-
-Remediating issues in the security recommendations list will improve your configuration. As you do so, your configuration score improves, which means building your organization's resilience against cybersecurity threats and vulnerabilities stronger.
-
-1. From the Configuration score widget, select **Security controls**. This opens the **Security recommendations** page showing the list of issues related to security controls.
-
- >>
-
-2. Select the first item on the list. This opens the flyout menu with the description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**.
- 
-
-3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up.
-
+---
+title: Threat & Vulnerability Management scenarios
+ms.reviewer:
+description: Learn how to use Threat & Vulnerability Management in the context of scenarios that Security Administrators encounter when collaborating with IT Administrators and SecOps while protecting their organization from cybersecurity threats.
+keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase configuration score, increase threat & vulnerability configuration score, configuration score, exposure score, security controls
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: mjcaparas
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Threat & Vulnerability Management scenarios
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
+
+## Before you begin
+Ensure that your machines:
+- Are onboarded to Microsoft Defender Advanced Threat Protection
+- Running with Windows 10 1709 (Fall Creators Update) or later
+- Have the following mandatory updates installed:
+- (1) RS3 customers | [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441)
+- (2) RS4 customers | [KB4493464](https://support.microsoft.com/en-us/help/4493464)
+- Have at least one security recommendation that can be viewed in the machine page
+- Are tagged or marked as co-managed
+
+
+## Reduce your threat and vulnerability exposure
+Threat & Vulnerability Management introduces a new exposure score metric which visually represents how exposed your machines are to imminent threats.
+
+The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
+- Weaknesses, such as vulnerabilities and misconfigurations discovered on the device
+- External and internal threats such as public exploit code and security alerts
+- Likelihood of the device getting breached given its current security posture
+- Value of the device to the organization given its role and content
+
+The exposure score is broken down into the following levels:
+- 0 to 29: low exposure score
+- 30 to 69: medium exposure score
+- 70 to 100: high exposure score
+
+You can reduce the exposure score by remediating issues based on prioritized security recommendations. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization.
+
+To lower down your threat and vulnerability exposure:
+
+1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. This opens the **Security recommendation** page.
+
+ >>
+
+ >[!NOTE]
+ > There are two types of recommendations:
+ > - Security update which refers to recommendations that require a package installation
+ > - Configuration change which refers to recommendations that require a registry or GPO modification
+ > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight  icon or the possible alert activity [possible alert activity](images/tvm_alert_icon.png) icon.
+
+2. In the **Security recommendations** page, you will see the description of what needs to be done and why. It shows the vulnerability details, such as the associated exploits affecting what machines and its business impact. Click **Open software page** option from the flyout menu. 
+
+3. Click **Installed machines** and select the affected machine from the list to open the flyout page with the relevant machine details, exposure and risk levels, alert and incident activities. 
+
+4. Click **Open machine page** to connect to the machine and apply the selected recommendation. 
+
+5. Allow a few hours for the changes to propagate in the system.
+
+6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate won't be listed there anymore, and the exposure score should decrease.
+
+## Improve your security configuration
+>[!NOTE]
+> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md). We’ll keep the secure score page available for a few weeks. View the [secure score](https://securitycenter.windows.com/securescore) page.
+
+Remediating issues in the security recommendations list will improve your configuration. As you do so, your configuration score improves, which means building your organization's resilience against cybersecurity threats and vulnerabilities stronger.
+
+1. From the Configuration score widget, select **Security controls**. This opens the **Security recommendations** page showing the list of issues related to security controls.
+
+ >>
+
+2. Select the first item on the list. This opens the flyout menu with the description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**.
+ 
+
+3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up.
+
> >.
>
> You will see a confirmation message that the remediation task has been created.
> 
-
-4. Save your CSV file.
- 
-
-5. Send a follow up email to your IT Administrator and allow the time that you have alloted for the remediation to propagate in the system.
-
-6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be be listed there anymore, and your configuration score should increase.
-
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
-- [Configuration score](configuration-score.md)
-
+
+4. Save your CSV file.
+ 
+
+5. Send a follow up email to your IT Administrator and allow the time that you have alloted for the remediation to propagate in the system.
+
+6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase.
+
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Configuration score](configuration-score.md)
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md
index 5402aa8cf9..e620a05684 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md
@@ -39,7 +39,7 @@ Each layer in the threat protection stack plays a critical role in protecting cu
Microsoft Defender ATP provides a comprehensive server protection solution, including endpoint detection and response (EDR) capabilities on Windows Servers.
## Azure Information Protection
-Keep sensitive data secure while enabling productivity in the workplace through data data discovery and data protection.
+Keep sensitive data secure while enabling productivity in the workplace through data discovery and data protection.
## Conditional Access
Microsoft Defender ATP's dynamic machine risk score is integrated into the Conditional Access evaluation, ensuring that only secure devices have access to resources.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index 93c50f478c..2f3d53c781 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -1,77 +1,77 @@
----
-title: What's in the dashboard and what it means for my organization's security posture
-ms.reviewer:
-description: What's in the Threat & Vulnerability Management dashboard and how it can help SecOps and Security Administrators arrive at informed decisions in addressing cybersecurity threat vulnerabilities and building their organization's security resilience.
-keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: eADQiWindows 10XVcnh
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-# Threat & Vulnerability Management dashboard overview
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](prerelease.md)]
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-
-Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
-- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
-- Invaluable machine vulnerability context during incident investigations
-- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager (SCCM)
-
- >[!NOTE]
- > Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks.
-
-You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
-- View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines
-- Correlate EDR insights with endpoint vulnerabilities and process them
-- Select remediation options, triage and track the remediation tasks
-
-## Threat & Vulnerability Management in Microsoft Defender Security Center
-When you open the portal, you’ll see the main areas of the capability:
-
- 
-
- 
-
-- (1) Menu in the navigation pane
-- (2) Threat & Vulnerability Management icon
-- (3) Threat & Vulnerability Management dashboard
-
-You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
-
-Area | Description
-:---|:---
-(1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities.
-(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, and **Software inventory**.
-**Dashboards** | Get a high-level view of the organization exposure score, MDATP configuration score, top remediation activities, top security recommendations, top vulnerable software, and top exposed machines data.
-**Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list and it will open a flyout pane where you will see vulnerability details, and have the option to open the software page, and see the remediation options.
-**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV.
-**Software inventory** | See the list of applications, versions, weaknesses, whether there’s an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the vulnerabilities and misconfigurations associated and its machine and version distribution details.
-(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, **Top exposed machines**, and **Threat campaigns**.
-**Organization Exposure score** | See the current state of your organization’s device exposure to threats and vulnerabilities. Several factors affect your organization’s exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down your organization’s exposure score to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations.
-**MDATP Configuration score** | See the security posture of your organization’s operating system, applications, network, accounts and security controls. The goal is to increase your configuration score by remediating the related security configuration issues. You can click the bars and it will take you to the **Security recommendation** page for details.
-**Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it will take you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, OS platform, its health state, when it was last seen, and its tags.
-**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts , associated public exploits , and recommendation insights . You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list.
-**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your network’s devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable application list in the **Software inventory** page.
-**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities.
-**Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list.
-
-See [Microsoft Defender ATP icons](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal.
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Configuration score](configuration-score.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+---
+title: What's in the dashboard and what it means for my organization's security posture
+ms.reviewer:
+description: What's in the Threat & Vulnerability Management dashboard and how it can help SecOps and Security Administrators arrive at informed decisions in addressing cybersecurity threat vulnerabilities and building their organization's security resilience.
+keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: eADQiWindows 10XVcnh
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+# Threat & Vulnerability Management dashboard overview
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+
+Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
+- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
+- Invaluable machine vulnerability context during incident investigations
+- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager (SCCM)
+
+ >[!NOTE]
+ > Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks.
+
+You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
+- View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines
+- Correlate EDR insights with endpoint vulnerabilities and process them
+- Select remediation options, triage and track the remediation tasks
+
+## Threat & Vulnerability Management in Microsoft Defender Security Center
+When you open the portal, you’ll see the main areas of the capability:
+
+ 
+
+ 
+
+- (1) Menu in the navigation pane
+- (2) Threat & Vulnerability Management icon
+- (3) Threat & Vulnerability Management dashboard
+
+You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
+
+Area | Description
+:---|:---
+(1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities.
+(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, and **Software inventory**.
+**Dashboards** | Get a high-level view of the organization exposure score, MDATP configuration score, top remediation activities, top security recommendations, top vulnerable software, and top exposed machines data.
+**Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list and it will open a flyout pane where you will see vulnerability details, and have the option to open the software page, and see the remediation options.
+**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV.
+**Software inventory** | See the list of applications, versions, weaknesses, whether there’s an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the vulnerabilities and misconfigurations associated and its machine and version distribution details.
+(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, **Top exposed machines**, and **Threat campaigns**.
+**Organization Exposure score** | See the current state of your organization’s device exposure to threats and vulnerabilities. Several factors affect your organization’s exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down your organization’s exposure score to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations.
+**MDATP Configuration score** | See the security posture of your organization’s operating system, applications, network, accounts and security controls. The goal is to increase your configuration score by remediating the related security configuration issues. You can click the bars and it will take you to the **Security recommendation** page for details.
+**Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it will take you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, OS platform, its health state, when it was last seen, and its tags.
+**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts , associated public exploits , and recommendation insights . You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list.
+**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your network’s devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable application list in the **Software inventory** page.
+**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities.
+**Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list.
+
+See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal.
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Configuration score](configuration-score.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
index 9723b0afa6..a923e76e1e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
@@ -45,7 +45,7 @@ The following steps guide you on how to create roles in Microsoft Defender Secur
>[!NOTE]
>This setting is only available in the Microsoft Defender ATP administrator (default) role.
- - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
+ - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
- **Live response capabilities** - Users can take basic or advanced live response commands.
- Basic commands allow users to:
@@ -90,4 +90,4 @@ After creating roles, you'll need to create a machine group and provide access t
## Related topic
- [User basic permissions to access the portal](basic-permissions.md)
-- [Create and manage machine groups](machine-groups.md)
\ No newline at end of file
+- [Create and manage machine groups](machine-groups.md)
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index 2549af8feb..3168a333af 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -106,7 +106,7 @@ Windows Defender Antivirus in Windows 10 uses a multi-pronged approach to improv
For more information, see [Windows Defender in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) and [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server).
-For information about Microsoft Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Microsoft Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) (resources) and [Microsoft Defender Advanced Threat Protection (ATP)](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) (documentation).
+For information about Microsoft Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Microsoft Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) (resources) and [Microsoft Defender Advanced Threat Protection (ATP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) (documentation).
### Data Execution Prevention
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
index bbad08d05e..a780487207 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
@@ -23,7 +23,7 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> [!IMPORTANT]
-> [Windows Defender Advanced Threat Protection ](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection) does not adhere to Windows Defender Antivirus exclusion settings. This means that any Windows Defender exclusions, no matter how you created them, are not applied by Windows Defender ATP.
+> [Windows Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection) does not adhere to Windows Defender Antivirus exclusion settings. This means that any Windows Defender exclusions, no matter how you created them, are not applied by Windows Defender ATP.
You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists.
@@ -150,7 +150,7 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use
**Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions:**
-Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
+Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
ExclusionExtension
@@ -185,34 +185,34 @@ The following table describes how the wildcards can be used and provides some ex
| Wildcard |
- Use in file and file extension exclusions |
+ Use in file name and file extension exclusions |
Use in folder exclusions |
Example use |
- Example matches> |
+ Example matches |
- | (asterisk) |
+ * (asterisk) |
Replaces any number of characters.
Only applies to files in the last folder defined in the argument. |
- Replaces a single folder.
Use multiple with folder slashes \ to indicate multiple, nested folders. After matching to the number of wilcarded and named folders, all subfolders will also be included. |
+ Replaces a single folder.
Use multiple * with folder slashes \ to indicate multiple, nested folders. After matching the number of wilcarded and named folders, all subfolders will also be included. |
- - C:\MyData\.txt
- - C:\somepath\\Data
- - C:\Serv\\\Backup
+
- C:\MyData\*.txt
+ - C:\somepath\*\Data
+ - C:\Serv\*\*\Backup
|
- - C:\MyData\notes.txt
+ - C:\MyData\notes.txt
- Any file in:
- - C:\somepath\Archives\Data and its subfolders
- - C:\somepath\Authorized\Data and its subfolders
+ - C:\somepath\Archives\Data and its subfolders
+ - C:\somepath\Authorized\Data and its subfolders
- Any file in:
- - C:\Serv\Primary\Denied\Backup and its subfolders
- - C:\Serv\Secondary\Allowed\Backup and its subfolders
+ - C:\Serv\Primary\Denied\Backup and its subfolders
+ - C:\Serv\Secondary\Allowed\Backup and its subfolders
|
@@ -227,7 +227,7 @@ The following table describes how the wildcards can be used and provides some ex
Replaces a single character in a folder name.
- After matching to the number of wilcarded and named folders, all subfolders will also be included.
+ After matching the number of wilcarded and named folders, all subfolders will also be included.
|
@@ -238,9 +238,9 @@ The following table describes how the wildcards can be used and provides some ex
|
- - C:\MyData\my1.zip
- - Any file in C:\somepath\P\Data and its subfolders
- - Any file in C:\somepath\test01\Data and its subfolders
+ - C:\MyData\my1.zip
+ - Any file in C:\somepath\P\Data and its subfolders
+ - Any file in C:\somepath\test01\Data and its subfolders
|
@@ -255,7 +255,7 @@ The following table describes how the wildcards can be used and provides some ex
- - C:\ProgramData\CustomLogFiles\Folder1\file1.txt
+ - C:\ProgramData\CustomLogFiles\Folder1\file1.txt
|
@@ -286,7 +286,7 @@ If you use PowerShell, you can retrieve the list in two ways:
**Validate the exclusion list by using MpCmdRun:**
-To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
+To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
```DOS
MpCmdRun.exe -CheckExclusion -path
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
index ef3d91de6b..d2191e0488 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
@@ -111,7 +111,7 @@ See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-de
**Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans:**
-Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
+Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
ExclusionProcess
@@ -158,7 +158,7 @@ If you use PowerShell, you can retrieve the list in two ways:
**Validate the exclusion list by using MpCmdRun:**
-To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
+To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
```DOS
MpCmdRun.exe -CheckExclusion -path
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
index 1a297b77d7..caae6efc4e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
@@ -166,7 +166,7 @@ This section lists the default exclusions for all Windows Server 2016 roles.
- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
> [!NOTE]
- > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus#opt-out-of-automatic-exclusions).
+ > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus#opt-out-of-automatic-exclusions).
- *%systemdrive%*\System Volume Information\DFSR\\$db_normal$
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
index b1dc15b985..5d16f8d6e6 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
@@ -197,7 +197,7 @@ This setting will prevent a scan from occurring after receiving an update. You c
### Exclusions
On Windows Server 2016, Windows Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, you can refer to the exclusions that are applied on this page:
-- [Configure Windows Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus)
+- [Configure Windows Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus)
## Additional resources
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
index ca65e8d570..cb39ebc506 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
@@ -60,7 +60,7 @@ Microsoft Update allows for rapid releases, which means it will download small d
The WSUS, Configuration Manager, and MMPC sources will deliver less frequent updates. The size of the updates may be slightly larger than the frequent release from Microsoft Update (as the delta, or differences between the latest version and what is on the endpoint will be larger). This ensures consistent protection without increasing ad hoc network usage (although the amount of data may be the same or increased as the updates will be fewer, but may be slightly larger).
> [!IMPORTANT]
-> If you have set MMPC as a fallback source after WSUS or Microsoft Update, updates will only be downloaded from MMPC when the current update is considered to be out-of-date (by default, this is 2 consecutive days of not being able to apply updates from the WSUS or Microsoft Update services).
+> If you have set MMPC as a fallback source after WSUS or Microsoft Update, updates will only be downloaded from MMPC when the current update is considered to be out-of-date (by default, this is 14 consecutive days of not being able to apply updates from the WSUS or Microsoft Update services).
> You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).
Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table:
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md
index add0f3f650..4a6531ad42 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md
@@ -39,7 +39,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi
2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS or Android** and the deployment method to **Mobile Device Management / Microsoft Intune**.
3. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
-5. Download **IntuneAppUtil** from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos).
+5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos).
@@ -83,7 +83,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi
## Client device setup
-You need no special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp).
+You need no special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp).
1. You'll be asked to confirm device management.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md
index 57f36fcbf5..a0c446dd3f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md
@@ -74,7 +74,7 @@ The configuration profile contains a custom settings payload that includes:
To set the onboarding information, add a property list file with the name, _jamf/WindowsDefenderATPOnboarding.plist_, as a custom setting. You can do this by navigating to **Computers**>**Configuration Profiles**, selecting **New**, then choosing **Custom Settings**>**Configure**. From there, you can upload the property list.
>[!IMPORTANT]
- > You must set the the Preference Domain as "com.microsoft.wdav.atp"
+ > You must set the Preference Domain as "com.microsoft.wdav.atp"
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index 2023523f4a..c074504ddd 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -1,58 +1,58 @@
----
-title: Prevent security settings changes with Tamper Protection
-ms.reviewer:
-manager: dansimp
-description: Use tamper protection to prevent malicious apps from changing important security settings.
-keywords: malware, defender, antivirus, tamper protection
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
----
-
-# Prevent security settings changes with tamper protection
-
-**Applies to:**
-
-- Windows 10
-
-Tamper Protection helps prevent malicious apps from changing important security settings. These settings include:
-
-- Real-time protection
-- Cloud-delivered protection
-- IOfficeAntivirus (IOAV)
-- Behavior monitoring
-- Removing security intelligence updates
-
-With Tamper Protection set to **On**, you can still change these settings in the Windows Security app. The following apps and methods can't change these settings:
-
-- Mobile device management (MDM) apps like Intune
-- Enterprise configuration management apps like System Center Configuration Manager (SCCM)
-- Command line instruction MpCmdRun.exe -removedefinitions -dynamicsignatures
-- Windows System Image Manager (Windows SIM) settings DisableAntiSpyware and DisableAntiMalware (used in Windows unattended setup)
-- Group Policy
-- Other Windows Management Instrumentation (WMI) apps
-
-The Tamper Protection setting doesn't affect how third party antivirus apps register with the Windows Security app.
-
-On computers running Windows 10 Enterprise E5, users can't change the Tamper Protection setting.
-
-Tamper Protection is set to **On** by default. If you set Tamper Protection to **Off**, you will see a yellow warning in the Windows Security app under **Virus & Threat Protection**.
-
-## Configure tamper protection
-
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-2. Select **Virus & threat protection**, then select **Virus & threat protection settings**.
-3. Set **Tamper Protection** to **On** or **Off**.
-
->[!NOTE]
->Tamper Protection blocks attempts to modify Windows Defender Antivirus settings through the registry.
->
->To help ensure that Tamper Protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later.
->
->Once you’ve made this update, Tamper Protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors.
+---
+title: Prevent security settings changes with Tamper Protection
+ms.reviewer:
+manager: dansimp
+description: Use tamper protection to prevent malicious apps from changing important security settings.
+keywords: malware, defender, antivirus, tamper protection
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: dansimp
+ms.author: dansimp
+---
+
+# Prevent security settings changes with tamper protection
+
+**Applies to:**
+
+- Windows 10
+
+Tamper Protection helps prevent malicious apps from changing important security settings. These settings include:
+
+- Real-time protection
+- Cloud-delivered protection
+- IOfficeAntivirus (IOAV)
+- Behavior monitoring
+- Removing security intelligence updates
+
+With Tamper Protection set to **On**, you can still change these settings in the Windows Security app. The following apps and methods can't change these settings:
+
+- Mobile device management (MDM) apps like Intune
+- Enterprise configuration management apps like System Center Configuration Manager (SCCM)
+- Command line instruction MpCmdRun.exe -removedefinitions -dynamicsignatures
+- Windows System Image Manager (Windows SIM) settings DisableAntiSpyware and DisableAntiMalware (used in Windows unattended setup)
+- Group Policy
+- Other Windows Management Instrumentation (WMI) apps
+
+The Tamper Protection setting doesn't affect how third party antivirus apps register with the Windows Security app.
+
+On computers running Windows 10 Enterprise E5, users can't change the Tamper Protection setting.
+
+Tamper Protection is set to **On** by default. If you set Tamper Protection to **Off**, you will see a yellow warning in the Windows Security app under **Virus & Threat Protection**.
+
+## Configure tamper protection
+
+1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+2. Select **Virus & threat protection**, then select **Virus & threat protection settings**.
+3. Set **Tamper Protection** to **On** or **Off**.
+
+>[!NOTE]
+>Tamper Protection blocks attempts to modify Windows Defender Antivirus settings through the registry.
+>
+>To help ensure that Tamper Protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later.
+>
+>Once you’ve made this update, Tamper Protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors.
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 18aaf0b398..960a7fb0ca 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -70,6 +70,7 @@ You can set several rule options within a WDAC policy. Table 2 describes each ru
| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
| **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically re-validate the reputation for files that were authorized by the ISG.|
| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. |
+| **17 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically-loaded libraries. |
## Windows Defender Application Control file rule levels
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index 647debfcee..ac87bbc9ed 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -39,7 +39,7 @@ Attack surface reduction rules target behaviors that malware and malicious apps
- Obfuscated or otherwise suspicious scripts
- Behaviors that apps don't usually initiate during normal day-to-day work
-You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
+You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 securty center.
@@ -185,7 +185,7 @@ This rule blocks the following file types from launching unless they either meet
- Executable files (such as .exe, .dll, or .scr)
>[!NOTE]
->You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+>You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
>[!IMPORTANT]
>The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
@@ -203,7 +203,7 @@ GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list.
>[!NOTE]
->You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+>You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
Intune name: Advanced ransomware protection
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
index 3e7dd85f9c..6dd4b9f19f 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
@@ -42,7 +42,7 @@ The limited subset of rules that can be used in Windows 10 Enterprise E3 include
- Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB
-For more information about these rules, see [Reduce attack surfaces with attack surface reduction rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard).
+For more information about these rules, see [Reduce attack surfaces with attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard).
## Related topics
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
index 00e0789bab..3029df4d23 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
@@ -45,7 +45,7 @@ Controlled folder access requires enabling [Windows Defender Antivirus real-time
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
Here is an example query
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
index 4559d896b6..2b7dec1738 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
@@ -40,7 +40,7 @@ You can exclude files and folders from being evaluated by attack surface reducti
An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to certain rules.
-An exclusion is applied only when when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
+An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
index 43cdc009e2..6e52ff5447 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
@@ -42,7 +42,7 @@ You can add additional folders to be protected, but you cannot remove the defaul
Adding other folders to controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults.
-You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
+You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
You can use the Windows Security app or Group Policy to add and remove additional protected folders.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
index c238e5c8c2..0e744a0011 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
@@ -208,7 +208,7 @@ Where:
For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used in the example above, you'd use the following command:
```PowerShell
-Set-ProcesMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
+Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
```
You can disable audit mode by using the same command but replacing `-Enable` with `-Disable`.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
index 6240e524cc..b346df9a75 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@@ -53,7 +53,7 @@ You can exclude files and folders from being evaluated by most attack surface re
>- Block process creations originating from PSExec and WMI commands
>- Block JavaScript or VBScript from launching downloaded executable content
-You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
+You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
@@ -73,9 +73,9 @@ The following procedures for enabling ASR rules include instructions for how to
## MDM
-Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
+Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
-The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules).
+The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules).
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
index 0c1ff68ba4..29ed15335f 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
@@ -72,7 +72,7 @@ For more information about disabling local list merging, see [Prevent or allow u
## MDM
-Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders.
+Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders.
## SCCM
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
index dcffecd121..7d3b72d249 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
@@ -65,7 +65,7 @@ You can also manually navigate to the event area that corresponds to the feature
3. On the left panel, under **Actions**, click **Create Custom View...**
- 
+ 
4. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
index 7bf07fbce8..d211891329 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
@@ -49,7 +49,7 @@ Windows 10 version 1709 or later | [Windows Defender AV real-time protection](..
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled.
## Review network protection events in Windows Event Viewer
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
index 15fd8b2886..58f95ecbc5 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
@@ -39,9 +39,9 @@ The following tables provide more information about the hardware, firmware, and
|--------------------------------|----------------------------------------------------|-------------------|
| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | |
| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. |
-| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
-| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
-| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
+| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
+| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
+| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.
| Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
> **Important** The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide.
@@ -64,7 +64,7 @@ The following tables describe additional hardware and firmware qualifications, a
| Protections for Improved Security | Description | Security benefits |
|---------------------------------------------|----------------------------------------------------|-----|
-| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies).
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://docs.microsoft.com/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. |
+| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies).
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://docs.microsoft.com/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. |
| Firmware: **Firmware Update through Windows Update** | Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. |
| Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
index 24b4c8ebd1..1a7b1eae79 100644
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
@@ -21,7 +21,7 @@ ms.author: dansimp
Windows Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Windows Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely.
-See [Windows 10 (and later) settings to protect devices using Intune](https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune.
+See [Windows 10 (and later) settings to protect devices using Intune](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune.
## Group Policy settings
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index ceb1488e72..be6c791392 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -61,7 +61,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
>[!NOTE]
->To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control), [Credential Guard](https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements), and [Virtualization Based Security](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity).
+>To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](https://docs.microsoft.com/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control), [Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements), and [Virtualization Based Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity).
## Requirements Met by System Guard Enabled Machines
Any machine with System Guard enabled will automatically meet the following low-level hardware requirements:
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
index 9dc6366064..8de4021830 100644
--- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -27,9 +27,7 @@ ms.date: 04/11/2019
To get started, open Device Configuration in Intune, then create a new profile.
Choose Windows 10 as the platform, and Endpoint Protection as the profile type.
-Select Windows Defender Firewall.
-Add a firewall rule to this new Endpoint Protection profile using the Add button at the bottom of the blade.
-
+Select Windows Defender Firewall.
>[!IMPORTANT]
diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md
index f5a711db65..d9cd25a523 100644
--- a/windows/security/threat-protection/windows-platform-common-criteria.md
+++ b/windows/security/threat-protection/windows-platform-common-criteria.md
@@ -1,177 +1,177 @@
----
-title: Common Criteria Certifications
-description: This topic details how Microsoft supports the Common Criteria certification program.
-ms.prod: w10
-audience: ITPro
-author: dulcemontemayor
-ms.author: dolmont
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 3/20/2019
-ms.reviewer:
----
-
-# Common Criteria Certifications
-
-Microsoft is committed to optimizing the security of its products and services. As part of that commitment, Microsoft supports the Common Criteria certification program, continues to ensure that products incorporate the features and functions required by relevant Common Criteria protection profiles, and completes Common Criteria certifications of Microsoft Windows products.
-
-## Common Criteria Security Targets
-
-### Information for Systems Integrators and Accreditors
-
-The Security Target describes security functionality and assurance measures used to evaluate Windows.
-
- - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf)
- - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf)
- - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf)
- - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf)
- - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx)
- - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx)
- - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx)
- - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf)
- - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx)
- - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
- - [Windows 10 and Windows Server 2012 R2](http://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf)
- - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
- - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-st.pdf)
- - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-st.pdf)
- - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-st.pdf)
- - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-st.pdf)
- - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-st.pdf)
- - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf)
- - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf)
- - [Windows 7 and Windows Server 2008 R2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf)
- - [Microsoft Windows Server 2008 R2 Hyper-V Role](http://www.microsoft.com/download/en/details.aspx?id=29305)
- - [Windows Vista and Windows Server 2008 at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf)
- - [Microsoft Windows Server 2008 Hyper-V Role](http://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf)
- - [Windows Vista and Windows Server 2008 at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf)
- - [Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and Windows XP Embedded SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10184-st.pdf)
- - [Windows Server 2003 Certificate Server](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf)
- - [Windows Rights Management Services (RMS) 1.0 SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf)
-
-## Common Criteria Deployment and Administration
-
-### Information for IT Administrators
-
-These documents describe how to configure Windows to replicate the configuration used during the Common Criteria evaluation.
-
-**Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2**
-
-
- - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf)
- - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf)
- - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf)
- - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf)
- - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx)
- - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx)
- - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client Operational Guidance](https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20\(21%20dec%202016\)%20\(public\).docx)
- - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf)
- - [Microsoft Windows 10 November 2015 Update with Surface Book Administrative Guide](https://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20\(may%2027,%202016\)\(public\).docx)
- - [Microsoft Windows 10 Mobile and Windows 10 Administrative Guide](https://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf)
- - [Windows 10 and Windows Server 2012 R2 Administrative Guide](https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf)
- - [Windows 10 Common Criteria Operational Guidance](https://download.microsoft.com/download/d/6/f/d6fb4cec-f0f2-4d00-ab2e-63bde3713f44/windows%2010%20mobile%20device%20operational%20guidance.pdf)
-
-**Windows 8.1 and Windows Phone 8.1**
-
- - [Microsoft Surface Pro 3 Common Criteria Mobile Operational Guidance](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
- - [Windows 8.1 and Windows Phone 8.1 CC Supplemental Admin Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx)
-
-**Windows 8, Windows RT, and Windows Server 2012**
-
- - [Windows 8 and Windows Server 2012](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx)
- - [Windows 8 and Windows RT](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx)
- - [Windows 8 and Windows Server 2012 BitLocker](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf)
- - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx)
-
-**Windows 7 and Windows Server 2008 R2**
-
- - [Windows 7 and Windows Server 2008 R2 Supplemental CC Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00)
- - [Windows Server 2008 R2 Hyper-V Common Criteria Configuration Guide](http://www.microsoft.com/download/en/details.aspx?id=29308)
-
-**Windows Vista and Windows Server 2008**
-
- - [Windows Vista and Windows Server 2008 Supplemental CC Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
- - [Windows Server 2008 Hyper-V Role Common Criteria Administrator Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08)
-
-**Windows Server 2003 SP2 including R2, x64, and Itanium**
-
- - [Windows Server 2003 SP2 R2 Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=39598841-e693-4891-9234-cfd1550f3949)
- - [Windows Server 2003 SP2 R2 Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=4f7b6a93-0307-480f-a5af-a20268cbd7cc)
-
-**Windows Server 2003 SP1(x86), x64, and IA64**
-
- - [Windows Server 2003 with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=8a26829f-c177-4b79-913a-4135fb7b96ef)
- - [Windows Server 2003 with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=3f9ecd0a-74dd-4d23-a4e5-d7b63fed70e8)
-
-**Windows Server 2003 SP1**
-
- - [Windows Server 2003 Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=75736009-59e9-4a71-879e-cf581817b8cc)
- - [Windows Server 2003 Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=a0ad1856-beb7-4285-b47c-381e8a210c38)
-
-**Windows XP Professional SP2 (x86) and x64 Edition**
-
- - [Windows XP Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=9a7f0b16-72ce-4675-aec8-58785c4e37ee)
- - [Windows XP Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=165da57d-f066-4ddf-9462-cbecfcd68694)
- - [Windows XP Common Criteria User Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=7c1a4761-9b9e-429c-84eb-cd7b034c5779)
- - [Windows XP Professional with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=346f041e-d641-4af7-bdea-c5a3246d0431)
- - [Windows XP Professional with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=a7075319-cc3d-4420-a00b-8c9a7068ad54)
- - [Windows XP Professional with x64 Hardware User’s Guide](http://www.microsoft.com/downloads/details.aspx?familyid=26c49cf5-6159-4197-97ce-bf1fdfc54569)
-
-**Windows XP Professional SP2, and XP Embedded SP2**
-
- - [Windows XP Professional Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9bcac470-a0b3-4d34-a561-fa8308c0ff60)
- - [Windows XP Professional Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9f04915e-571a-422d-8ffa-5797051e81de)
- - [Windows XP Professional User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=d39d0028-7093-495c-80da-2b5b29a54bd8)
-
-**Windows Server 2003 Certificate Server**
-
- - [Windows Server 2003 Certificate Server Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d)
- - [Windows Server 2003 Certificate Server Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2)
- - [Windows Server 2003 Certificate Server User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e)
-
-## Common Criteria Evaluation Technical Reports and Certification / Validation Reports
-
-### Information for Systems Integrators and Accreditors
-
-An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team.
-
- - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf)
- - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf)
- - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
- - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf)
- - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf)
- - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf)
- - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf)
- - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf)
- - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf)
- - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10694-vr.pdf)
- - [Windows 10 and Windows Server 2012 R2](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf)
- - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-vr.pdf)
- - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-vr.pdf)
- - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-vr.pdf)
- - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-vr.pdf)
- - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-vr.pdf)
- - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-vr.pdf)
- - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf)
- - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf)
- - [Windows 7 and Windows Server 2008 R2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf)
- - [Windows Vista and Windows Server 2008 Validation Report at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf)
- - [Windows Server 2008 Hyper-V Role Certification Report](http://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf)
- - [Windows Vista and Windows Server 2008 Certification Report at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf)
- - [Windows XP / Windows Server 2003 with x64 Hardware ETR](http://www.microsoft.com/downloads/details.aspx?familyid=6e8d98f9-25b9-4c85-9bd9-24d91ea3c9ef)
- - [Windows XP / Windows Server 2003 with x64 Hardware ETR, Part II](http://www.microsoft.com/downloads/details.aspx?familyid=0c35e7d8-9c56-4686-b902-d5ffb9915658)
- - [Windows Server 2003 SP2 including R2, Standard, Enterprise, Datacenter, x64, and Itanium Editions Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
- - [Windows XP Professional SP2 and x64 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
- - [Windows XP Embedded SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
- - [Windows XP and Windows Server 2003 ETR](http://www.microsoft.com/downloads/details.aspx?familyid=63cf2a1e-f578-4bb5-9245-d411f0f64265)
- - [Windows XP and Windows Server 2003 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9506-vr.pdf)
- - [Windows Server 2003 Certificate Server ETR](http://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314)
- - [Windows Server 2003 Certificate Server Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf)
- - [Microsoft Windows Rights Management Services (RMS) 1.0 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf)
-
-## Other Common Criteria Related Documents
-
- - [Identifying Windows XP and Windows Server 2003 Common Criteria Certified Requirements for the NIST Special Publication 800-53](https://download.microsoft.com/download/a/9/6/a96d1dfc-2bd4-408d-8d93-e0ede7529691/xpws03_ccto800-53.doc)
-
+---
+title: Common Criteria Certifications
+description: This topic details how Microsoft supports the Common Criteria certification program.
+ms.prod: w10
+audience: ITPro
+author: dulcemontemayor
+ms.author: dolmont
+manager: dansimp
+ms.collection: M365-identity-device-management
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 3/20/2019
+ms.reviewer:
+---
+
+# Common Criteria Certifications
+
+Microsoft is committed to optimizing the security of its products and services. As part of that commitment, Microsoft supports the Common Criteria certification program, continues to ensure that products incorporate the features and functions required by relevant Common Criteria protection profiles, and completes Common Criteria certifications of Microsoft Windows products.
+
+## Common Criteria Security Targets
+
+### Information for Systems Integrators and Accreditors
+
+The Security Target describes security functionality and assurance measures used to evaluate Windows.
+
+ - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf)
+ - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf)
+ - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf)
+ - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx)
+ - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx)
+ - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf)
+ - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx)
+ - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
+ - [Windows 10 and Windows Server 2012 R2](http://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf)
+ - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
+ - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-st.pdf)
+ - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-st.pdf)
+ - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-st.pdf)
+ - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-st.pdf)
+ - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-st.pdf)
+ - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf)
+ - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf)
+ - [Windows 7 and Windows Server 2008 R2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf)
+ - [Microsoft Windows Server 2008 R2 Hyper-V Role](http://www.microsoft.com/download/en/details.aspx?id=29305)
+ - [Windows Vista and Windows Server 2008 at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf)
+ - [Microsoft Windows Server 2008 Hyper-V Role](http://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf)
+ - [Windows Vista and Windows Server 2008 at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf)
+ - [Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and Windows XP Embedded SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10184-st.pdf)
+ - [Windows Server 2003 Certificate Server](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf)
+ - [Windows Rights Management Services (RMS) 1.0 SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf)
+
+## Common Criteria Deployment and Administration
+
+### Information for IT Administrators
+
+These documents describe how to configure Windows to replicate the configuration used during the Common Criteria evaluation.
+
+**Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2**
+
+
+ - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf)
+ - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf)
+ - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf)
+ - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx)
+ - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client Operational Guidance](https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20\(21%20dec%202016\)%20\(public\).docx)
+ - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf)
+ - [Microsoft Windows 10 November 2015 Update with Surface Book Administrative Guide](https://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20\(may%2027,%202016\)\(public\).docx)
+ - [Microsoft Windows 10 Mobile and Windows 10 Administrative Guide](https://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf)
+ - [Windows 10 and Windows Server 2012 R2 Administrative Guide](https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf)
+ - [Windows 10 Common Criteria Operational Guidance](https://download.microsoft.com/download/d/6/f/d6fb4cec-f0f2-4d00-ab2e-63bde3713f44/windows%2010%20mobile%20device%20operational%20guidance.pdf)
+
+**Windows 8.1 and Windows Phone 8.1**
+
+ - [Microsoft Surface Pro 3 Common Criteria Mobile Operational Guidance](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
+ - [Windows 8.1 and Windows Phone 8.1 CC Supplemental Admin Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx)
+
+**Windows 8, Windows RT, and Windows Server 2012**
+
+ - [Windows 8 and Windows Server 2012](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx)
+ - [Windows 8 and Windows RT](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx)
+ - [Windows 8 and Windows Server 2012 BitLocker](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf)
+ - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx)
+
+**Windows 7 and Windows Server 2008 R2**
+
+ - [Windows 7 and Windows Server 2008 R2 Supplemental CC Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00)
+ - [Windows Server 2008 R2 Hyper-V Common Criteria Configuration Guide](http://www.microsoft.com/download/en/details.aspx?id=29308)
+
+**Windows Vista and Windows Server 2008**
+
+ - [Windows Vista and Windows Server 2008 Supplemental CC Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
+ - [Windows Server 2008 Hyper-V Role Common Criteria Administrator Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08)
+
+**Windows Server 2003 SP2 including R2, x64, and Itanium**
+
+ - [Windows Server 2003 SP2 R2 Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=39598841-e693-4891-9234-cfd1550f3949)
+ - [Windows Server 2003 SP2 R2 Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=4f7b6a93-0307-480f-a5af-a20268cbd7cc)
+
+**Windows Server 2003 SP1(x86), x64, and IA64**
+
+ - [Windows Server 2003 with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=8a26829f-c177-4b79-913a-4135fb7b96ef)
+ - [Windows Server 2003 with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=3f9ecd0a-74dd-4d23-a4e5-d7b63fed70e8)
+
+**Windows Server 2003 SP1**
+
+ - [Windows Server 2003 Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=75736009-59e9-4a71-879e-cf581817b8cc)
+ - [Windows Server 2003 Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=a0ad1856-beb7-4285-b47c-381e8a210c38)
+
+**Windows XP Professional SP2 (x86) and x64 Edition**
+
+ - [Windows XP Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=9a7f0b16-72ce-4675-aec8-58785c4e37ee)
+ - [Windows XP Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=165da57d-f066-4ddf-9462-cbecfcd68694)
+ - [Windows XP Common Criteria User Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=7c1a4761-9b9e-429c-84eb-cd7b034c5779)
+ - [Windows XP Professional with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=346f041e-d641-4af7-bdea-c5a3246d0431)
+ - [Windows XP Professional with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=a7075319-cc3d-4420-a00b-8c9a7068ad54)
+ - [Windows XP Professional with x64 Hardware User’s Guide](http://www.microsoft.com/downloads/details.aspx?familyid=26c49cf5-6159-4197-97ce-bf1fdfc54569)
+
+**Windows XP Professional SP2, and XP Embedded SP2**
+
+ - [Windows XP Professional Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9bcac470-a0b3-4d34-a561-fa8308c0ff60)
+ - [Windows XP Professional Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9f04915e-571a-422d-8ffa-5797051e81de)
+ - [Windows XP Professional User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=d39d0028-7093-495c-80da-2b5b29a54bd8)
+
+**Windows Server 2003 Certificate Server**
+
+ - [Windows Server 2003 Certificate Server Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d)
+ - [Windows Server 2003 Certificate Server Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2)
+ - [Windows Server 2003 Certificate Server User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e)
+
+## Common Criteria Evaluation Technical Reports and Certification / Validation Reports
+
+### Information for Systems Integrators and Accreditors
+
+An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team.
+
+ - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf)
+ - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf)
+ - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
+ - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf)
+ - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf)
+ - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf)
+ - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf)
+ - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10694-vr.pdf)
+ - [Windows 10 and Windows Server 2012 R2](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf)
+ - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-vr.pdf)
+ - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-vr.pdf)
+ - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-vr.pdf)
+ - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-vr.pdf)
+ - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-vr.pdf)
+ - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-vr.pdf)
+ - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf)
+ - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf)
+ - [Windows 7 and Windows Server 2008 R2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf)
+ - [Windows Vista and Windows Server 2008 Validation Report at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf)
+ - [Windows Server 2008 Hyper-V Role Certification Report](http://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf)
+ - [Windows Vista and Windows Server 2008 Certification Report at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf)
+ - [Windows XP / Windows Server 2003 with x64 Hardware ETR](http://www.microsoft.com/downloads/details.aspx?familyid=6e8d98f9-25b9-4c85-9bd9-24d91ea3c9ef)
+ - [Windows XP / Windows Server 2003 with x64 Hardware ETR, Part II](http://www.microsoft.com/downloads/details.aspx?familyid=0c35e7d8-9c56-4686-b902-d5ffb9915658)
+ - [Windows Server 2003 SP2 including R2, Standard, Enterprise, Datacenter, x64, and Itanium Editions Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
+ - [Windows XP Professional SP2 and x64 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
+ - [Windows XP Embedded SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
+ - [Windows XP and Windows Server 2003 ETR](http://www.microsoft.com/downloads/details.aspx?familyid=63cf2a1e-f578-4bb5-9245-d411f0f64265)
+ - [Windows XP and Windows Server 2003 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9506-vr.pdf)
+ - [Windows Server 2003 Certificate Server ETR](http://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314)
+ - [Windows Server 2003 Certificate Server Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf)
+ - [Microsoft Windows Rights Management Services (RMS) 1.0 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf)
+
+## Other Common Criteria Related Documents
+
+ - [Identifying Windows XP and Windows Server 2003 Common Criteria Certified Requirements for the NIST Special Publication 800-53](https://download.microsoft.com/download/a/9/6/a96d1dfc-2bd4-408d-8d93-e0ede7529691/xpws03_ccto800-53.doc)
+
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md
index 5ff581cba2..2e88240751 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md
@@ -27,9 +27,9 @@ Microsoft recommends the following configuration for level 1 devices.
Devices targeting Level 1 should support the following hardware features:
-- [Trusted Platform Module (TPM) 2.0](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-tpm)
-- [Bitlocker Drive Encryption](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker)
-- [UEFI Secure Boot](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot)
+- [Trusted Platform Module (TPM) 2.0](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-tpm)
+- [Bitlocker Drive Encryption](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-bitlocker)
+- [UEFI Secure Boot](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-secure-boot)
- Drivers and Firmware Distributed through Windows Update
## Policies
@@ -341,7 +341,7 @@ The controls enabled in level 1 enforce a reasonable security level while minimi
| Feature | Config | Description |
|-----------------------------------|-------------------------------------|--------------------|
| [Local Admin Password Solution (LAPS)](https://www.microsoft.com/download/details.aspx?id=46899) | Deployed to all devices | Generates a unique local admin password to devices, mitigating many lateral traversal attacks. |
-| [Windows Defender ATP EDR](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | Deployed to all devices | The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an an entity called an *incident*. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step. |
+| [Windows Defender ATP EDR](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | Deployed to all devices | The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an entity called an *incident*. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step. |
| [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) | Enabled for all compatible hardware | Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. There is a small risk to application compatibility, as [applications will break](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements#application-requirements) if they require NTLMv1, Kerberos DES encryption, Kerberos unconstrained delegation, or extracting the Keberos TGT. As such, Microsoft recommends deploying Credential Guard using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
| [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/) | Default browser | Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
| [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Enabled on compatible hardware | Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md
index 55172a03e1..6cf7155a9a 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md
@@ -27,10 +27,10 @@ A level 2 configuration should include all the configurations from level 1 and a
Devices targeting level 2 should support all level 1 features, and add the following hardware features:
-- [Virtualization and HVCI Enabled](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs)
-- [Drivers and Apps HVCI-Ready](https://docs.microsoft.com/en-us/windows-hardware/test/hlk/testref/driver-compatibility-with-device-guard)
-- [Windows Hello](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-biometric-requirements)
-- [DMA I/O Protection](https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)
+- [Virtualization and HVCI Enabled](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-vbs)
+- [Drivers and Apps HVCI-Ready](https://docs.microsoft.com/windows-hardware/test/hlk/testref/driver-compatibility-with-device-guard)
+- [Windows Hello](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements)
+- [DMA I/O Protection](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)
## Policies
@@ -110,11 +110,11 @@ is anticipated to be slightly longer than the process in level 1.
| Feature Set | Feature | Description |
|-------------------------------------------------------------|-------------------------------------------------------|----------------|
-| [Windows Hello for Business](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification) | Configure and enforce Windows Hello for Business | In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. Windows Hello addresses the following problems with passwords:
- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
- Server breaches can expose symmetric network credentials (passwords).
- Passwords are subject to replay attacks.
- Users can inadvertently expose their passwords due to phishing attacks. |
-| [Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/) | Configure and enforce Conditional Access rules based on
- Application Risk
- Session Risk | With conditional access, you can implement automated access control decisions for accessing your cloud apps that are based on conditions. Conditional access policies are enforced after the first-factor authentication has been completed. Therefore, conditional access is not intended as a first line defense for scenarios like denial-of-service (DoS) attacks, but can utilize signals from these events (e.g. the sign-in risk level, location of the request, and so on) to determine access. |
+| [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification) | Configure and enforce Windows Hello for Business | In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. Windows Hello addresses the following problems with passwords:
- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
- Server breaches can expose symmetric network credentials (passwords).
- Passwords are subject to replay attacks.
- Users can inadvertently expose their passwords due to phishing attacks. |
+| [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/) | Configure and enforce Conditional Access rules based on
- Application Risk
- Session Risk | With conditional access, you can implement automated access control decisions for accessing your cloud apps that are based on conditions. Conditional access policies are enforced after the first-factor authentication has been completed. Therefore, conditional access is not intended as a first line defense for scenarios like denial-of-service (DoS) attacks, but can utilize signals from these events (e.g. the sign-in risk level, location of the request, and so on) to determine access. |
| [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) | Enforce memory protection for OS-level controls:
- Control flow guard (CFG)
- Data Execution Protection (DEP)
- Mandatory ASLR
- Bottom-Up ASLR
- High-entropy ASLR
- Validate Exception Chains (SEHOP)
- Validate heap integrity | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at either the operating system level, or at the individual app level. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. dynamically generating code without marking memory as executable). Microsoft recommends gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
| [Attack Surface Reduction (ASR)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)| Configure and enforce [Attack Surface Reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules)| Attack surface reduction controls help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. an Office application spawning a child process). Each control has an Audit mode, and as such, Microsoft recommends the Audit / Enforce Methodology (repeated here):
1) Audit – enable the controls in audit mode, and gather audit data in a centralized location
2) Review – review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
3) Enforce – Deploy the configuration of any exemptions and convert the control to enforce mode |
-| [Controlled Folder Access (CFA)](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) | Configure and audit [Controlled Folder Access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) | Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. Controlled folder access works best with Microsoft Defender Advanced Threat Protection, which gives you detailed reporting into controlled folder access events and blocks as part of the usual alert investigation scenarios.
All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
Microsoft recommends the Audit / Enforce Methodology (repeated here):
1) Audit – enable the controls in audit mode, and gather audit data in a centralized location
2) Review – review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
3) Enforce – Deploy the configuration of any exemptions and convert the control to enforce mode
+| [Controlled Folder Access (CFA)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) | Configure and audit [Controlled Folder Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) | Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. Controlled folder access works best with Microsoft Defender Advanced Threat Protection, which gives you detailed reporting into controlled folder access events and blocks as part of the usual alert investigation scenarios.
All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
Microsoft recommends the Audit / Enforce Methodology (repeated here):
1) Audit – enable the controls in audit mode, and gather audit data in a centralized location
2) Review – review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
3) Enforce – Deploy the configuration of any exemptions and convert the control to enforce mode
## Behaviors
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md
index b5c294ad6c..e7cc86bf0e 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md
@@ -27,8 +27,8 @@ A level 3 configuration should include all the configurations from level 2 and l
Devices targeting Level 3 should support all Level 2 and Level 1 features, and add the following hardware features:
-- [System Guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows)
-- [Modern Standby](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/modern-standby)
+- [System Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows)
+- [Modern Standby](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby)
## Policies
diff --git a/windows/threat-protection/index.md b/windows/threat-protection/index.md
deleted file mode 100644
index 1417ec0534..0000000000
--- a/windows/threat-protection/index.md
+++ /dev/null
@@ -1,3 +0,0 @@
----
-redirect_url: https://docs.microsoft.com/windows/security/threat-protection/
----
diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md
index de2548056a..5e5fc5b59d 100644
--- a/windows/whats-new/ltsc/index.md
+++ b/windows/whats-new/ltsc/index.md
@@ -47,4 +47,4 @@ For detailed information about Windows 10 servicing, see [Overview of Windows as
## See Also
[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
-[Windows 10 - Release information](https://docs.microsoft.com/en-us/windows/windows-10/release-information): Windows 10 current versions by servicing option.
\ No newline at end of file
+[Windows 10 - Release information](https://docs.microsoft.com/windows/windows-10/release-information): Windows 10 current versions by servicing option.
\ No newline at end of file
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index 46e7f7bca5..0e1be04497 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -126,7 +126,7 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10
You can read more about ransomware mitigations and detection capability in Windows Defender Advanced Threat Protection in the blog: [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/).
-Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see [Windows Defender ATP for Windows 10 Creators Update](https://technet.microsoft.com/en-au/windows/mt782787).
+Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see [Windows Defender ATP for Windows 10 Creators Update](https://technet.microsoft.com/windows/mt782787).
### Windows Defender Antivirus
Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index 7f6354c1f2..61b20e6870 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -36,7 +36,7 @@ This article lists new and updated features and content that are of interest to
Windows 10 Education support has been added to Windows 10 Subscription Activation.
-With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-subscription-activation).
+With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation).
### SetupDiag
@@ -51,7 +51,7 @@ SetupDiag is a command-line tool that can help diagnose why a Windows 10 update
## Servicing
- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with System Center Configuration Manager content coming soon!
-- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
+- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again.
@@ -127,7 +127,7 @@ This new feature is displayed under the Device Security page with the string “
### Identity Protection
- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
-- [Streamlined Windows Hello PIN reset experience](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
+- [Streamlined Windows Hello PIN reset experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
- Sign-in with [Password-less](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience!
- [Remote Desktop with Biometrics](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
@@ -143,7 +143,7 @@ Several new features are coming in the next version of Edge. See the [news from
## See Also
-[What's New in Windows Server, version 1903](https://docs.microsoft.com/en-us/windows-server/get-started/whats-new-in-windows-server-1903): New and updated features in Windows Server.
+[What's New in Windows Server, version 1903](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1903): New and updated features in Windows Server.
[Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
[What's new in Windows 10](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
|
|
+ 
+ 
+ 
+ 
+ 
+ 
+ ++
+ ++
+ ++
+
+ 
+
+ 
+
+ 
