diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index e6293265fe..4b75b026fc 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -84,6 +84,11 @@ "source_path": "windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-privacy", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-privacy", + "redirect_document_id": false }, { "source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md", @@ -15654,6 +15659,11 @@ "source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac", + "redirect_document_id": false }, { "source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-whatsnew.md", diff --git a/education/docfx.json b/education/docfx.json index 809a2da28f..8ba1394c6d 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -7,7 +7,8 @@ "**/**.yml" ], "exclude": [ - "**/obj/**" + "**/obj/**", + "**/includes/**" ] } ], @@ -19,7 +20,8 @@ "**/*.svg" ], "exclude": [ - "**/obj/**" + "**/obj/**", + "**/includes/**" ] } ], diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md index b1d4002955..556ff58e7a 100644 --- a/windows/client-management/mdm/change-history-for-mdm-documentation.md +++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md @@ -21,6 +21,7 @@ This article lists new and updated articles for the Mobile Device Management (MD |New or updated article | Description| |--- | ---| | [Policy CSP](policy-configuration-service-provider.md) | Added the following new policy:
- [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) | +| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:
-Properties/SleepMode | ## October 2020 diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index ee9ee3c5f7..15c29f831f 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -27,6 +27,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s |New or updated article|Description| |-----|-----| | [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 20H2:
- [Experience/DisableCloudOptimizedContent](policy-csp-experience.md#experience-disablecloudoptimizedcontent)
- [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)
- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
- [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)
- [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)
- [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)
- [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)
- [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) | +| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:
-Properties/SleepMode | | [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Updated the description of the following node:
- Settings/AllowWindowsDefenderApplicationGuard | ## What’s new in MDM for Windows 10, version 2004 diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index 739826c640..bd4bcafd21 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -50,17 +50,17 @@ ms.date: 10/08/2020 - [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength) - [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana) - [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment) -- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) -- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) -- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) -- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) -- [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) -- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) -- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) -- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery) -- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin) -- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) -- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) +- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) 9 +- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) 9 +- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) 9 +- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) 9 +- [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) 9 +- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) 9 +- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) 9 +- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery) 9 +- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin) 9 +- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) 9 +- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) 9 - [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization) - [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#privacy-letappsaccessaccountinfo) - [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps) @@ -83,20 +83,22 @@ ms.date: 10/08/2020 - [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps) 8 - [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps) 8 - [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps) 8 +- [RemoteLock/Lock](https://docs.microsoft.com/windows/client-management/mdm/remotelock-csp) 9 - [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation) -- [Security/AllowAddProvisioningPackage](policy-csp-security.md#security-allowaddprovisioningpackage) -- [Security/AllowRemoveProvisioningPackage](policy-csp-security.md#security-allowremoveprovisioningpackage) +- [Security/AllowAddProvisioningPackage](policy-csp-security.md#security-allowaddprovisioningpackage) 9 +- [Security/AllowRemoveProvisioningPackage](policy-csp-security.md#security-allowremoveprovisioningpackage) 9 - [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime) - [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn) +- [Settings/PageVisibilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) 9 - [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate) - [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline) - [System/AllowLocation](policy-csp-system.md#system-allowlocation) - [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard) - [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry) -- [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone) -- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend) -- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange) -- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) +- [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone) 9 +- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend) 9 +- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange) 9 +- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) 9 - [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate) - [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice) - [Update/BranchReadinessLevel](policy-csp-update.md#update-branchreadinesslevel) @@ -122,6 +124,7 @@ Footnotes: - 6 - Available in Windows 10, version 1903. - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. +- 9 - Available in [Windows Holographic, version 20H2](https://docs.microsoft.com/hololens/hololens-release-notes#windows-holographic-version-20h2) ## Related topics diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 4061074c76..1031aada9c 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -371,7 +371,7 @@ ADMX Info: -This policy allows you to to configure one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas. +This policy allows you to configure one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas. @@ -754,8 +754,7 @@ The following list shows the supported values: - 2 – HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. - 3 – HTTP blended with Internet peering. - 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. -- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. - +- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. Note that this value is deprecated and will be removed in a future release. @@ -882,7 +881,7 @@ The options set in this policy only apply to Group (2) download mode. If Group ( For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. -Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5. +Starting with Windows 10, version 1903, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5. diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index df12efd32b..b6f2c4f536 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -75,6 +75,9 @@ Here are examples of data fields. The encoded 0xF000 is the standard delimiter/s If you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag (``) to wrap the data fields. You can specify one or more user groups within the CDATA tag by using 0xF000 as the delimiter/separator. +> [!NOTE] +> There is currently a reporting issue in the Microsoft Endpoint Manager (MEM) console which results in the setting reporting back a 'Remediation failed' (0x87d1fde8) error, even when the setting is successfully applied. To verify whether the setting has applied successfully, check the local Windows 10 device: Event Viewer>Applications and Services LogsWindows>DeviceManagement-Enterprise-Diagnostics-Provider>Admin>Event ID 814. This issue is the result of the use of the CDATA tags, which are neccesary when more than a single entry is required. If there is only a single entry, the CDATA tags can be omitted - which will resolve the reporting false positive. + > [!NOTE] > `` is the entity encoding of 0xF000. @@ -84,6 +87,18 @@ For example, the following syntax grants user rights to Authenticated Users and ``` +For example, the following syntax grants user rights to two specific users from Contoso, user1 and user2: + +```xml + +``` + +For example, the following syntax grants user rights to a specific user or group, by using the Security Identifier (SID) of the account or group: + +```xml + +``` +
diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md index b50e43abae..ee292cb2a6 100644 --- a/windows/client-management/troubleshoot-windows-freeze.md +++ b/windows/client-management/troubleshoot-windows-freeze.md @@ -251,7 +251,7 @@ If the physical computer is still running in a frozen state, follow these steps Pool Monitor shows you the number of allocations and outstanding bytes of allocation by type of pool and the tag that is passed into calls of ExAllocatePoolWithTag. -Learn [how to use Pool Monitor](https://support.microsoft.com/help/177415) and how to [use the data to troubleshoot pool leaks](https://blogs.technet.com/b/markrussinovich/archive/2009/03/26/3211216.aspx). +Learn [how to use Memory Pool Monitor to troubleshoot kernel mode memory leaks](https://support.microsoft.com/office/how-to-use-memory-pool-monitor-poolmon-exe-to-troubleshoot-kernel-mode-memory-leaks-4f4a05c2-ef8a-fca4-3ae0-670b940af398). ### Use memory dump to collect data for the virtual machine that's running in a frozen state diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 956ca7dc78..c72bdf03e9 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1659,7 +1659,7 @@ You can turn off **Enhanced Notifications** as follows: -or- -- Create a new REG_SZ registry setting named **DisableEnhancedNotifications** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Reporting** to a value of **1**. +- Create a new REG_DWORD registry setting named **DisableEnhancedNotifications** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Reporting** and enter the decimal value **1**. ### 24.1 Windows Defender SmartScreen diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md index 61198672fc..5e7db538d0 100644 --- a/windows/security/identity-protection/access-control/active-directory-security-groups.md +++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md @@ -3368,9 +3368,9 @@ This security group has not changed since Windows Server 2008. ### Server Operators -Members in the Server Operators group can administer domain servers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved. +Members in the Server Operators group can administer domain controllers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved. -By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups, Administrators and Domain Admins, in the domain, and the Enterprise Admins group. Members in this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers. Note the default user rights in the following table. +By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups Administrators and Domain Admins in the domain, and the Enterprise Admins group in the forest root domain. Members in this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers. Note the default user rights in the following table. The Server Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). diff --git a/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png b/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png index d9af0e8fc4..46f838c8d2 100644 Binary files a/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png and b/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png differ diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 4486823bc5..8e3e7d4f74 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -44,9 +44,12 @@ Prepare the Active Directory Federation Services deployment by installing and up > 1. Launch AD FS management console. Brose to "Services > Scope Descriptions". > 2. Right click "Scope Descriptions" and select "Add Scope Description". > 3. Under name type "ugs" and Click Apply > OK. -> 4. Launch Powershell as Administrator. -> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier Make a note of the ObjectIdentifier. -> 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'. +> 4. Launch PowerShell as an administrator. +> 5. Get the ObjectIdentifier of the application permission with the ClientRoleIdentifier parameter equal to "38aa3b87-a06d-4817-b275-7a316988d93b": +> ```PowerShell +> (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier +> ``` +> 6. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'`. > 7. Restart the ADFS service. > 8. On the client: Restart the client. User should be prompted to provision WHFB. > 9. If the provisioning window does not pop up then need to collect NGC trace logs and further troubleshoot. diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index b96b25c8f4..b3026e84d7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md @@ -144,7 +144,7 @@ Beginning with Windows 10, version 1709, Windows Hello for Business used as a sm The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process does not receive the PIN, but rather the ticket that grants them private key operations. Windows 10 does not provide any Group Policy settings to adjust this caching. ## Can I disable the PIN while using Windows Hello for Business? -No. The movement away from passwords is accomplished by gradually reducing the use of the password. In the occurrence where you cannot authenticate with biometrics, you need a fall back mechanism that is not a password. The PIN is the fall back mechanism. Disabling or hiding the PIN credential provider disabled the use of biometrics. +No. The movement away from passwords is accomplished by gradually reducing the use of the password. In the occurrence where you cannot authenticate with biometrics, you need a fallback mechanism that is not a password. The PIN is the fallback mechanism. Disabling or hiding the PIN credential provider will disable the use of biometrics. ## How are keys protected? Wherever possible, Windows Hello for Business takes advantage of trusted platform module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business does not require a TPM. Administrators can choose to allow key operations in software. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index e5ebf54b09..81afb0421e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -506,7 +506,7 @@ The following script helps you with the creation of the issuance transform rules #### Configure Device Authentication in AD FS Using an elevated PowerShell command window, configure AD FS policy by executing the following command -`PS C:>Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod All` +`PS C:>Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod SignedToken` #### Check your configuration For your reference, below is a comprehensive list of the AD DS devices, containers and permissions required for device write-back and authentication to work diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index fa3b1d7a97..18959a0f1e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -67,7 +67,7 @@ Key trust deployments do not need client issued certificates for on-premises aut The minimum required Enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party Enterprise certification authority. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA](https://support.microsoft.com/help/291010/requirements-for-domain-controller-certificates-from-a-third-party-ca). -* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL. +* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL, or an Authority Information Access (AIA) extension that points to an Online Certificate Status Protocol (OCSP) responder. * The certificate Subject section should contain the directory path of the server object (the distinguished name). * The certificate Key Usage section must contain Digital Signature and Key Encipherment. * Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None]. diff --git a/windows/security/identity-protection/vpn/images/vpn-connection-intune.png b/windows/security/identity-protection/vpn/images/vpn-connection-intune.png index bf551eabb7..8098b3445e 100644 Binary files a/windows/security/identity-protection/vpn/images/vpn-connection-intune.png and b/windows/security/identity-protection/vpn/images/vpn-connection-intune.png differ diff --git a/windows/security/identity-protection/vpn/images/vpn-custom-xml-intune.png b/windows/security/identity-protection/vpn/images/vpn-custom-xml-intune.png index 94cbb2c5cb..c6437e95d1 100644 Binary files a/windows/security/identity-protection/vpn/images/vpn-custom-xml-intune.png and b/windows/security/identity-protection/vpn/images/vpn-custom-xml-intune.png differ diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index fc09e68a62..9aee353de2 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -74,10 +74,12 @@ Two client-side configuration service providers are leveraged for VPN device com - Collects TPM data used to verify health states - Forwards the data to the Health Attestation Service (HAS) - Provisions the Health Attestation Certificate received from the HAS - - Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification + - Upon request, forward the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification > [!NOTE] -> Currently, it is required that certificates used for obtaining Kerberos tickets must be issued from an on-premises CA, and that SSO must be enabled in the user’s VPN profile. This will enable the user to access on-premises resources. +> Currently, it is required that certificates used for obtaining Kerberos tickets must be issued from an on-premises CA, and that SSO must be enabled in the user’s VPN profile. This will enable the user to access on-premises resources. +> +> In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from AzureAD in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero). ## Client connection flow diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md index 92c4d2b8c5..d825487b05 100644 --- a/windows/security/identity-protection/vpn/vpn-connection-type.md +++ b/windows/security/identity-protection/vpn/vpn-connection-type.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security, networking author: dulcemontemayor ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 11/13/2020 ms.reviewer: manager: dansimp ms.author: dansimp @@ -61,11 +61,11 @@ There are a number of Universal Windows Platform VPN applications, such as Pulse See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration. -The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune. +The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune: ![Available connection types](images/vpn-connection-intune.png) -In Intune, you can also include custom XML for third-party plug-in profiles. +In Intune, you can also include custom XML for third-party plug-in profiles: ![Custom XML](images/vpn-custom-xml-intune.png) diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md index cb543ad1cd..ae26cfc95a 100644 --- a/windows/security/identity-protection/vpn/vpn-guide.md +++ b/windows/security/identity-protection/vpn/vpn-guide.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: dulcemontemayor ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 11/13/2020 ms.reviewer: manager: dansimp ms.author: dansimp @@ -20,12 +20,12 @@ ms.author: dansimp - Windows 10 - Windows 10 Mobile -This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10. +This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10. -![Intune VPN policy template](images/vpn-intune-policy.png) +To create a Windows 10 VPN device configuration profile see: [Windows 10 and Windows Holographic device settings to add VPN connections using Intune](https://docs.microsoft.com/mem/intune/configuration/vpn-settings-windows-10). ->[!NOTE] ->This guide does not explain server deployment. +> [!NOTE] +> This guide does not explain server deployment. ## In this guide @@ -43,7 +43,5 @@ This guide will walk you through the decisions you will make for Windows 10 clie ## Learn more -- [VPN connections in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/vpn-connections-in-microsoft-intune) - - +- [Create VPN profiles to connect to VPN servers in Intune](https://docs.microsoft.com/mem/intune/configuration/vpn-settings-configure) diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md index 29b5df1daf..077c2d4c8f 100644 --- a/windows/security/identity-protection/vpn/vpn-profile-options.md +++ b/windows/security/identity-protection/vpn/vpn-profile-options.md @@ -34,7 +34,6 @@ The following table lists the VPN settings and whether the setting can be config | Routing: forced-tunnel | yes | | Authentication (EAP) | yes, if connection type is built-in | | Conditional access | yes | -| Proxy settings | yes, by PAC/WPAD file or server and port | | Name resolution: NRPT | yes | | Name resolution: DNS suffix | no | | Name resolution: persistent | no | @@ -45,6 +44,10 @@ The following table lists the VPN settings and whether the setting can be config | LockDown | no | | Windows Information Protection (WIP) | yes | | Traffic filters | yes | +| Proxy settings | yes, by PAC/WPAD file or server and port | + +> [!NOTE] +> VPN proxy settings are only used on Force Tunnel Connections. On Split Tunnel Connections, the general proxy settings are used. The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This is particularly useful for deploying profiles with features that are not yet supported by MDMs. You can get additional examples in the [ProfileXML XSD](https://msdn.microsoft.com/library/windows/hardware/mt755930.aspx) topic. diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 2b79e081bc..551b239d72 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md @@ -74,6 +74,8 @@ The hard disk must be partitioned with at least two drives: - The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system. - The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that system drive be approximately 350 MB in size. After BitLocker is turned on it should have approximately 250 MB of free space. +A fixed data volume or removable data volume cannot be marked as an active partition. + When installed on a new computer, Windows will automatically create the partitions that are required for BitLocker. When installing the BitLocker optional component on a server you will also need to install the Enhanced Storage feature, which is used to support hardware encrypted drives. @@ -98,4 +100,3 @@ When installing the BitLocker optional component on a server you will also need | [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.| | [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker) | This topic covers how to use BitLocker with Windows 10 IoT Core | - diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 1d2ce21e5e..c2d26e8f57 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -8,7 +8,7 @@ ### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md) ### [Overview of Microsoft Defender Security Center](microsoft-defender-atp/use.md) ### [Portal overview](microsoft-defender-atp/portal-overview.md) -### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md) +### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/gov.md) ### [Microsoft Defender ATP for non-Windows platforms](microsoft-defender-atp/non-windows.md) ## [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md) @@ -162,7 +162,7 @@ ###### [Detect and block Potentially Unwanted Applications](microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) ###### [Enable and configure always-on protection and monitoring](microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) -##### [Antivirus on Windows Server 2016](microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md) +##### [Antivirus on Windows Server](microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md) ##### [Antivirus compatibility]() ###### [Compatibility charts](microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md) @@ -180,29 +180,29 @@ ##### [Deploy, manage updates, and report on antivirus]() ###### [Preparing to deploy](microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md) ###### [Deploy and enable antivirus](microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md) -####### [Deployment guide for VDI environments](microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md) +###### [Deployment guide for VDI environments](microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md) ###### [Report on antivirus protection]() -####### [Review protection status and alerts](microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md) -####### [Troubleshoot antivirus reporting in Update Compliance](microsoft-defender-antivirus/troubleshoot-reporting.md) +###### [Review protection status and alerts](microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md) +###### [Troubleshoot antivirus reporting in Update Compliance](microsoft-defender-antivirus/troubleshoot-reporting.md) ###### [Manage updates and apply baselines]() -####### [Learn about the different kinds of updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md) -####### [Manage protection and security intelligence updates](microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md) -####### [Manage when protection updates should be downloaded and applied](microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md) -####### [Manage updates for endpoints that are out of date](microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md) -####### [Manage event-based forced updates](microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md) -####### [Manage updates for mobile devices and VMs](microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md) +###### [Learn about the different kinds of updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md) +###### [Manage protection and security intelligence updates](microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md) +###### [Manage when protection updates should be downloaded and applied](microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md) +###### [Manage updates for endpoints that are out of date](microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md) +###### [Manage event-based forced updates](microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md) +###### [Manage updates for mobile devices and VMs](microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md) ##### [Customize, initiate, and review the results of scans and remediation]() ###### [Configuration overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md) ###### [Configure and validate exclusions in antivirus scans]() -####### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md) -####### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md) -####### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) -####### [Configure antivirus exclusions Windows Server 2016](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md) -####### [Common mistakes when defining exclusions](microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md) +###### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md) +###### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md) +###### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) +###### [Configure antivirus exclusions Windows Server](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md) +###### [Common mistakes when defining exclusions](microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md) ###### [Configure scanning antivirus options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md) ###### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md) ###### [Configure scheduled scans](microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md) @@ -216,10 +216,10 @@ ###### [Management overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md) ###### [Configure and validate exclusions in antivirus scans]() -####### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md) -####### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md) -####### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) -####### [Configure antivirus exclusions on Windows Server 2016](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md) +###### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md) +###### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md) +###### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) +###### [Configure antivirus exclusions on Windows Server](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md) ###### [Configure scanning options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md) @@ -231,7 +231,7 @@ ###### [Run and review the results of an offline scan](microsoft-defender-antivirus/microsoft-defender-offline.md) ###### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md) -#### [Better together: Microsoft Defender Antivirus and Microsoft Defender ATP](microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md) +#### [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md) #### [Better together: Microsoft Defender Antivirus and Office 365](microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md) @@ -278,7 +278,7 @@ #### [Configure]() ##### [Configure iOS features](microsoft-defender-atp/ios-configure-features.md) -#### [Privacy](microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md) +#### [Privacy](microsoft-defender-atp/ios-privacy.md) ### [Microsoft Defender Advanced Threat Protection for Linux]() @@ -297,6 +297,7 @@ ##### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md) ##### [Set preferences](microsoft-defender-atp/linux-preferences.md) ##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/linux-pua.md) +##### [Schedule scans with Microsoft Defender ATP for Linux](microsoft-defender-atp/linux-schedule-scan-atp.md) #### [Troubleshoot]() ##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md) diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md index 867aadf0d5..98392dd180 100644 --- a/windows/security/threat-protection/fips-140-validation.md +++ b/windows/security/threat-protection/fips-140-validation.md @@ -1,6 +1,6 @@ --- title: Federal Information Processing Standard (FIPS) 140 Validation -description: This topic provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard FIPS 140. +description: Learn how Microsoft products and cryptographic modules follow the U.S. Federal government standard FIPS 140. ms.prod: w10 audience: ITPro author: dansimp @@ -16,41 +16,48 @@ ms.reviewer: ## FIPS 140-2 standard overview -The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard that defines minimum security requirements for cryptographic modules in information technology products, as defined in Section 5131 of the Information Technology Management Reform Act of 1996. +The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products. -The [Cryptographic Module Validation Program (CMVP)](https://csrc.nist.gov/Projects/cryptographic-module-validation-program), a joint effort of the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS), validates cryptographic modules against the Security Requirements for Cryptographic Modules (part of FIPS 140-2) and related FIPS cryptography standards. The FIPS 140-2 security requirements cover eleven areas related to the design and implementation of a cryptographic module. The NIST Information Technology Laboratory operates a related program that validates the FIPS approved cryptographic algorithms in the module. +The [Cryptographic Module Validation Program (CMVP)](https://csrc.nist.gov/Projects/cryptographic-module-validation-program) is a joint effort of the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS). It validates cryptographic modules against the Security Requirements for Cryptographic Modules (part of FIPS 140-2) and related FIPS cryptography standards. The FIPS 140-2 security requirements cover 11 areas related to the design and implementation of a cryptographic module. The NIST Information Technology Laboratory operates a related program that validates the FIPS approved cryptographic algorithms in the module. ## Microsoft’s approach to FIPS 140-2 validation -Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since the inception of the standard in 2001. Microsoft validates its cryptographic modules under the NIST CMVP, as described above. Multiple Microsoft products, including Windows 10, Windows Server, and many cloud services, use these cryptographic modules. +Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001. Microsoft validates its cryptographic modules under the NIST CMVP, as described above. Multiple Microsoft products, including Windows 10, Windows Server, and many cloud services, use these cryptographic modules. ## Using Windows in a FIPS 140-2 approved mode of operation -Windows 10 and Windows Server may be configured to run in a FIPS 140-2 approved mode of operation. This is commonly referred to as “FIPS mode.”  When this mode is enabled, the Cryptographic Primitives Library (bcryptprimitives.dll) and Kernel Mode Cryptographic Primitives Library (CNG.sys) modules will run self-tests before Windows cryptographic operations are run. These self-tests are run in accordance with FIPS 140-2 Section 4.9 and are utilized to ensure that the modules are functioning properly. The Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library are the only modules affected by this mode of operation. The FIPS 140-2 approved mode of operation will not prevent Windows and its subsystems from using non-FIPS validated cryptographic algorithms. For applications or components beyond the Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library, FIPS mode is merely advisory. +Windows 10 and Windows Server may be configured to run in a FIPS 140-2 approved mode of operation, commonly referred to as "FIPS mode."  If you turn on FIPS mode, the Cryptographic Primitives Library (bcryptprimitives.dll) and Kernel Mode Cryptographic Primitives Library (CNG.sys) modules will run self-tests before Windows runs cryptographic operations. These self-tests are run according to FIPS 140-2 Section 4.9. They ensure that the modules are functioning properly. -While US government regulations continue to mandate that FIPS mode be enabled on government computers running Windows, our recommendation is that it is each customer’s decision to make when considering enabling FIPS mode. There are many applications and protocols that look to the FIPS mode policy to determine which cryptographic functionality should be utilized in a given solution. We recommend that customers hoping to comply with FIPS 140-2 research the configuration settings of applications and protocols they may be using to ensure their solutions can be configured to utilize the FIPS 140-2 validated cryptography provided by Windows when it is operating in FIPS 140-2 approved mode.  +The Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library are the only modules affected by FIPS mode. FIPS mode won't prevent Windows and its subsystems from using non-FIPS validated cryptographic algorithms. FIPS mode is merely advisory for applications or components other than the Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library. + +US government regulations continue to mandate FIPS mode for government devices running Windows. Other customers should decide for themselves if FIPS mode is right for them. There are many applications and protocols that use FIPS mode policy to determine which cryptographic functionality to run. Customers seeking to follow the FIPS 140-2 standard should research the configuration settings of their applications and protocols. This research will help ensure that they can be configured to use FIPS 140-2 validated cryptography. Achieving this FIPS 140-2 approved mode of operation of Windows requires administrators to complete all four steps outlined below. ### Step 1: Ensure FIPS 140-2 validated cryptographic modules are installed -Administrators must ensure that all cryptographic modules installed are FIPS 140-2 validated. This is accomplished by cross-checking the version number of the cryptographic module with the table of validated modules at the end of this topic, organized by operating system release. +Administrators must ensure that all cryptographic modules installed are FIPS 140-2 validated. Tables listing validated modules, organized by operating system release, are available later in this article. ### Step 2: Ensure all security policies for all cryptographic modules are followed -Each of the cryptographic modules has a defined security policy that must be met for the module to operate in its FIPS 140-2 approved mode. The security policy may be found in each module’s published Security Policy Document (SPD). The SPDs for each module may be found by following the links in the table of validated modules at the end of this topic. Click on the module version number to view the published SPD for the module. - +Each of the cryptographic modules has a defined security policy that must be met for the module to operate in its FIPS 140-2 approved mode. The security policy may be found in each module’s published Security Policy Document (SPD). The SPDs for each module may be found in the table of validated modules at the end of this article. Select the module version number to view the published SPD for the module. + ### Step 3: Enable the FIPS security policy -Windows provides the security policy setting, “System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing,” which is used by some Microsoft products to determine whether to operate in a FIPS 140-2 approved mode. When this policy is enabled, the validated cryptographic modules in Windows will also operate in FIPS approved mode. The policy may be set using Local Security Policy, as part of Group Policy, or through a Modern Device Management (MDM) solution. For more information on the policy, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing). +Windows provides the security policy setting, *System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing*. This setting is used by some Microsoft products to determine whether to run in FIPS mode. When this policy is turned on, the validated cryptographic modules in Windows will also operate in FIPS mode. This policy may be set using Local Security Policy, as part of Group Policy, or through a Modern Device Management (MDM) solution. For more information on the policy, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing). -### Step 4: Ensure only FIPS validated cryptographic algorithms are used +### Step 4: Ensure that only FIPS validated cryptographic algorithms are used -Neither the operating system nor the cryptographic modules can enforce a FIPS approved mode of operation, regardless of the FIPS security policy setting. To run in a FIPS approved mode, an application or service must check for the policy flag and enforce the security policies of the validated modules. If an application or service uses a non-approved cryptographic algorithm or does not follow the security policies of the validated modules, it is not operating in a FIPS approved mode. +FIPS mode is enforced at the level of the application or service. It is not enforced by the operating system or by individual cryptographic modules. Applications or services running in FIPS mode must follow the security policies of validated modules. They must not use a cryptographic algorithm that isn't FIPS-compliant. + +In short, an application or service is running in FIPS mode if it: + +* Checks for the policy flag +* Enforces security policies of validated modules ## Frequently asked questions -### How long does it take to certify cryptographic modules? +### How long does it take to certify a cryptographic module? Microsoft begins certification of cryptographic modules after each major feature release of Windows 10 and Windows Server. The duration of each evaluation varies, depending on many factors. @@ -58,29 +65,29 @@ Microsoft begins certification of cryptographic modules after each major feature The cadence for starting module validation aligns with the feature updates of Windows 10 and Windows Server. As the software industry evolves, operating systems release more frequently. Microsoft completes validation work on major releases but, in between releases, seeks to minimize the changes to the cryptographic modules. -### What is the difference between “FIPS 140 validated” and “FIPS 140 compliant”? +### What is the difference between *FIPS 140 validated* and *FIPS 140 compliant*? -“FIPS 140 validated” means that the cryptographic module, or a product that embeds the module, has been validated (“certified”) by the CMVP as meeting the FIPS 140-2 requirements. “FIPS 140 compliant” is an industry term for IT products that rely on FIPS 140 validated products for cryptographic functionality. +*FIPS 140 validated* means that the cryptographic module, or a product that embeds the module, has been validated ("certified") by the CMVP as meeting the FIPS 140-2 requirements. *FIPS 140 compliant* is an industry term for IT products that rely on FIPS 140 validated products for cryptographic functionality. -### I need to know if a Windows service or application is FIPS 140-2 validated. +### How do I know if a Windows service or application is FIPS 140-2 validated? -The cryptographic modules leveraged in Windows are validated through the CMVP, not individual services, applications, hardware peripherals, or other solutions. For a solution to be considered compliant, it must call a FIPS 140-2 validated cryptographic module in the underlying OS and the OS must be configured to run in FIPS mode. Contact the vendor of the service, application, or product for information on whether it calls a validated cryptographic module. +The cryptographic modules used in Windows are validated through the CMVP. They aren't validated by individual services, applications, hardware peripherals, or other solutions. Any compliant solution must call a FIPS 140-2 validated cryptographic module in the underlying OS, and the OS must be configured to run in FIPS mode. Contact the vendor of the service, application, or product for information on whether it calls a validated cryptographic module. -### What does "When operated in FIPS mode" mean on a certificate? +### What does *When operated in FIPS mode* mean on a certificate? -This caveat identifies required configuration and security rules that must be followed to use the cryptographic module in a way that is consistent with its FIPS 140-2 security policy. Each module has its own security policy—a precise specification of the security rules under which it will operate—and employs approved cryptographic algorithms, cryptographic key management, and authentication techniques. The security rules are defined in the Security Policy Document (SPD) for each module. +This label means that certain configuration and security rules must be followed to use the cryptographic module in compliance with its FIPS 140-2 security policy. Each module has its own security policy—a precise specification of the security rules under which it will operate—and employs approved cryptographic algorithms, cryptographic key management, and authentication techniques. The security rules are defined in the Security Policy Document (SPD) for each module. ### What is the relationship between FIPS 140-2 and Common Criteria? -These are two separate security standards with different, but complementary, purposes. FIPS 140-2 is designed specifically for validating software and hardware cryptographic modules, while Common Criteria is designed to evaluate security functions in IT software and hardware products. Common Criteria evaluations often rely on FIPS 140-2 validations to provide assurance that basic cryptographic functionality is implemented properly. +FIPS 140-2 and Common Criteria are two separate security standards with different, but complementary, purposes. FIPS 140-2 is designed specifically for validating software and hardware cryptographic modules. Common Criteria are designed to evaluate security functions in IT software and hardware products. Common Criteria evaluations often rely on FIPS 140-2 validations to provide assurance that basic cryptographic functionality is implemented properly. ### How does FIPS 140 relate to Suite B? -Suite B is a set of cryptographic algorithms defined by the U.S. National Security Agency (NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to be used for both unclassified information and most classified information. The Suite B cryptographic algorithms are a subset of the FIPS Approved cryptographic algorithms as allowed by the FIPS 140-2 standard. +Suite B is a set of cryptographic algorithms defined by the U.S. National Security Agency (NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to be used for both unclassified information and most classified information. The Suite B cryptographic algorithms are a subset of the FIPS approved cryptographic algorithms allowed by the FIPS 140-2 standard. ### Is SMB3 (Server Message Block) FIPS 140 compliant in Windows? -When Windows is configured to operate in FIPS 140 approved mode on both client and server, SMB3 is FIPS 140 compliant and relies on the underlying Windows FIPS 140 validated cryptographic modules for cryptographic operations.  +SMB3 can be FIPS 140 compliant, if Windows is configured to operate in FIPS 140 mode on both client and server. In FIPS mode, SMB3 relies on the underlying Windows FIPS 140 validated cryptographic modules for cryptographic operations. ## Microsoft FIPS 140-2 validated cryptographic modules @@ -314,7 +321,7 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) 10.0.15063 #3095 -

FIPS Approved algorithms: AES (Cert. #4624); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2522); SHS (Cert. #3790); Triple-DES (Cert. #2459)
+

FIPS approved algorithms: AES (Cert. #4624); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2522); SHS (Cert. #3790); Triple-DES (Cert. #2459)

Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #1278)

@@ -324,7 +331,7 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile 10.0.15063 #3094

#3094

-

FIPS Approved algorithms: AES (Certs. #4624 and #4626); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2523); SHS (Cert. #3790); Triple-DES (Cert. #2459)
+

FIPS approved algorithms: AES (Certs. #4624 and #4626); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2523); SHS (Cert. #3790); Triple-DES (Cert. #2459)

Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert.#1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert.#2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert.#1281)

@@ -333,40 +340,40 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile Boot Manager 10.0.15063 #3089 -

FIPS Approved algorithms: AES (Certs. #4624 and #4625); CKG (vendor affirmed); HMAC (Cert. #3061); PBKDF (vendor affirmed); RSA (Cert. #2523); SHS (Cert. #3790)

+

FIPS approved algorithms: AES (Certs. #4624 and #4625); CKG (vendor affirmed); HMAC (Cert. #3061); PBKDF (vendor affirmed); RSA (Cert. #2523); SHS (Cert. #3790)

Other algorithms: PBKDF (vendor affirmed); VMK KDF (vendor affirmed)

Windows OS Loader 10.0.15063 #3090 -

FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)

+

FIPS approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)

Other algorithms: NDRNG

Windows Resume[1] 10.0.15063 #3091 -FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790) +FIPS approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790) BitLocker® Dump Filter[2] 10.0.15063 #3092 -FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2522); SHS (Cert. #3790) +FIPS approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2522); SHS (Cert. #3790) Code Integrity (ci.dll) 10.0.15063 #3093 -

FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

+

FIPS approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

Secure Kernel Code Integrity (skci.dll)[3] 10.0.15063 #3096 -

FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

+

FIPS approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

@@ -401,7 +408,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) 10.0.14393 #2937 -

FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+

FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)

Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886)

@@ -410,7 +417,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile Kernel Mode Cryptographic Primitives Library (cng.sys) 10.0.14393 #2936 -

FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+

FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)

Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887)

@@ -419,14 +426,14 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile Boot Manager 10.0.14393 #2931 -

FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

+

FIPS approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

BitLocker® Windows OS Loader (winload) 10.0.14393 #2932 -FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)

Other algorithms: NDRNG; MD5 @@ -434,7 +441,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile BitLocker® Windows Resume (winresume)[1] 10.0.14393 #2933 -FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)

Other algorithms: MD5 @@ -442,13 +449,13 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile BitLocker® Dump Filter (dumpfve.sys)[2] 10.0.14393 #2934 -FIPS Approved algorithms: AES (Certs. #4061 and #4064) +FIPS approved algorithms: AES (Certs. #4061 and #4064) Code Integrity (ci.dll) 10.0.14393 #2935 -

FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
+

FIPS approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)

Other algorithms: AES (non-compliant); MD5

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

@@ -457,7 +464,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile Secure Kernel Code Integrity (skci.dll)[3] 10.0.14393 #2938 -

FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
+

FIPS approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)

Other algorithms: MD5

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

@@ -494,7 +501,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) 10.0.10586 #2606 -

FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
+

FIPS approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888, and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)

Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664)

@@ -503,7 +510,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub Kernel Mode Cryptographic Primitives Library (cng.sys) 10.0.10586 #2605 -

FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs.  #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
+

FIPS approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs.  #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888, and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)

Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663)

@@ -512,7 +519,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub Boot Manager[4] 10.0.10586 #2700 -FIPS Approved algorithms: AES (Certs. #3653); HMAC (Cert. #2381); PBKDF (vendor affirmed); RSA (Cert. #1871); SHS (Certs. #3047 and #3048)
+FIPS approved algorithms: AES (Certs. #3653); HMAC (Cert. #2381); PBKDF (vendor affirmed); RSA (Cert. #1871); SHS (Certs. #3047 and #3048)

Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) @@ -520,7 +527,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub BitLocker® Windows OS Loader (winload)[5] 10.0.10586 #2701 -FIPS Approved algorithms: AES (Certs. #3629 and #3653); RSA (Cert. #1871); SHS (Cert. #3048)
+FIPS approved algorithms: AES (Certs. #3629 and #3653); RSA (Cert. #1871); SHS (Cert. #3048)

Other algorithms: MD5; NDRNG @@ -528,7 +535,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub BitLocker® Windows Resume (winresume)[6] 10.0.10586 #2702 -FIPS Approved algorithms: AES (Certs. #3653); RSA (Cert. #1871); SHS (Cert. #3048)
+FIPS approved algorithms: AES (Certs. #3653); RSA (Cert. #1871); SHS (Cert. #3048)

Other algorithms: MD5 @@ -536,13 +543,13 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub BitLocker® Dump Filter (dumpfve.sys)[7] 10.0.10586 #2703 -FIPS Approved algorithms: AES (Certs. #3653) +FIPS approved algorithms: AES (Certs. #3653) Code Integrity (ci.dll) 10.0.10586 #2604 -

FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
+

FIPS approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)

Other algorithms: AES (non-compliant); MD5

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

@@ -551,7 +558,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub Secure Kernel Code Integrity (skci.dll)[8] 10.0.10586 #2607 -

FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
+

FIPS approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)

Other algorithms: MD5

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

@@ -592,7 +599,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) 10.0.10240 #2606 -

FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
+

FIPS approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)

Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575)

@@ -601,7 +608,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Kernel Mode Cryptographic Primitives Library (cng.sys) 10.0.10240 #2605 -

FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
+

FIPS approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)

Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576)

@@ -610,7 +617,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Boot Manager[9] 10.0.10240 #2600 -FIPS Approved algorithms: AES (Cert. #3497); HMAC (Cert. #2233); KTS (AES Cert. #3498); PBKDF (vendor affirmed); RSA (Cert. #1784); SHS (Certs. #2871 and #2886)
+FIPS approved algorithms: AES (Cert. #3497); HMAC (Cert. #2233); KTS (AES Cert. #3498); PBKDF (vendor affirmed); RSA (Cert. #1784); SHS (Certs. #2871 and #2886)

Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) @@ -618,7 +625,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface BitLocker® Windows OS Loader (winload)[10] 10.0.10240 #2601 -FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
+FIPS approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)

Other algorithms: MD5; NDRNG @@ -626,7 +633,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface BitLocker® Windows Resume (winresume)[11] 10.0.10240 #2602 -FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
+FIPS approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)

Other algorithms: MD5 @@ -634,13 +641,13 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface BitLocker® Dump Filter (dumpfve.sys)[12] 10.0.10240 #2603 -FIPS Approved algorithms: AES (Certs. #3497 and #3498) +FIPS approved algorithms: AES (Certs. #3497 and #3498) Code Integrity (ci.dll) 10.0.10240 #2604 -

FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
+

FIPS approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)

Other algorithms: AES (non-compliant); MD5

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

@@ -649,7 +656,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Secure Kernel Code Integrity (skci.dll)[13] 10.0.10240 #2607 -

FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
+

FIPS approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)

Other algorithms: MD5

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

@@ -658,13 +665,13 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface -\[9\] Applies only to Home, Pro, Enterprise and Enterprise LTSB +\[9\] Applies only to Home, Pro, Enterprise, and Enterprise LTSB -\[10\] Applies only to Home, Pro, Enterprise and Enterprise LTSB +\[10\] Applies only to Home, Pro, Enterprise, and Enterprise LTSB -\[11\] Applies only to Home, Pro, Enterprise and Enterprise LTSB +\[11\] Applies only to Home, Pro, Enterprise, and Enterprise LTSB -\[12\] Applies only to Pro, Enterprise and Enterprise LTSB +\[12\] Applies only to Pro, Enterprise, and Enterprise LTSB \[13\] Applies only to Enterprise and Enterprise LTSB @@ -690,25 +697,25 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) 6.3.9600 6.3.9600.17031 #2357 -

FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
+

FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)

-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323)

Kernel Mode Cryptographic Primitives Library (cng.sys) 6.3.9600 6.3.9600.17042 #2356 -

FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
+

FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)

-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

Boot Manager 6.3.9600 6.3.9600.17031 #2351 -FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+FIPS approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)

Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) @@ -716,7 +723,7 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded BitLocker® Windows OS Loader (winload) 6.3.9600 6.3.9600.17031 #2352 -FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
+FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)

Other algorithms: MD5; NDRNG @@ -724,7 +731,7 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded BitLocker® Windows Resume (winresume)[14] 6.3.9600 6.3.9600.17031 #2353 -FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)

Other algorithms: MD5 @@ -732,7 +739,7 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded BitLocker® Dump Filter (dumpfve.sys) 6.3.9600 6.3.9600.17031 #2354 -FIPS Approved algorithms: AES (Cert. #2832)
+FIPS approved algorithms: AES (Cert. #2832)

Other algorithms: N/A @@ -740,7 +747,7 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded Code Integrity (ci.dll) 6.3.9600 6.3.9600.17031 #2355#2355 -

FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
+

FIPS approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)

Other algorithms: MD5

Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

@@ -767,9 +774,9 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL) 6.2.9200 #1892 -FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)

-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert.); ECDSA (Cert.); HMAC (Cert.); KAS (Cert); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert.); ECDSA (Cert.); HMAC (Cert.); KAS (Cert); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)

@@ -777,17 +784,17 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone Kernel Mode Cryptographic Primitives Library (cng.sys) 6.2.9200 #1891 -FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)

-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and); ECDSA (Cert.); HMAC (Cert.); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RNG (Cert.); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and); ECDSA (Cert.); HMAC (Cert.); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RNG (Cert.); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)

-Other algorithms: AES (Cert., key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) +Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) Boot Manager 6.2.9200 #1895 -FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)

Other algorithms: MD5 @@ -795,7 +802,7 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone BitLocker® Windows OS Loader (WINLOAD) 6.2.9200 #1896 -FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)

Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG @@ -803,7 +810,7 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone BitLocker® Windows Resume (WINRESUME)[15] 6.2.9200 #1898 -FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)

Other algorithms: MD5 @@ -811,7 +818,7 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone BitLocker® Dump Filter (DUMPFVE.SYS) 6.2.9200 #1899 -FIPS Approved algorithms: AES (Certs. #2196 and #2198)
+FIPS approved algorithms: AES (Certs. #2196 and #2198)

Other algorithms: N/A @@ -819,7 +826,7 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone Code Integrity (CI.DLL) 6.2.9200 #1897 -FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)

Other algorithms: MD5 @@ -827,19 +834,19 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL) 6.2.9200 #1893 -FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
+FIPS approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)

-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert.); Triple-DES MAC (Triple-DES Cert., vendor affirmed)
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert.); Triple-DES MAC (Triple-DES Certificate, vendor affirmed)

-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert., key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Certificate, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) Enhanced Cryptographic Provider (RSAENH.DLL) 6.2.9200 #1894 -FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
+FIPS approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)

-Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) +Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) @@ -870,11 +877,11 @@ Validated Editions: Windows 7, Windows 7 SP1

6.1.7600.16385

6.1.7601.17514

1329 -FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); DSA (Cert. #386); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
+FIPS approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); DSA (Cert. #386); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 bits to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)

-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and); SHS (Cert.); Triple-DES (Cert.)
+Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and); SHS (Cert.); Triple-DES (Cert.)

-Other algorithms: AES (Cert., key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 +Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 Kernel Mode Cryptographic Primitives Library (cng.sys) @@ -887,16 +894,16 @@ Validated Editions: Windows 7, Windows 7 SP1

6.1.7601.21861

6.1.7601.22076

1328 -FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
+FIPS approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 bits to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)

-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 +Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 Boot Manager

6.1.7600.16385

6.1.7601.17514

1319 -FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #557); SHS (Cert. #1081)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #557); SHS (Cert. #1081)

Other algorithms: MD5#1168 and); HMAC (Cert.); RSA (Cert.); SHS (Cert.)

@@ -913,7 +920,7 @@ Validated Editions: Windows 7, Windows 7 SP1

6.1.7601.21655

6.1.7601.21675

1326 -FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #557); SHS (Cert. #1081)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #557); SHS (Cert. #1081)

Other algorithms: MD5 @@ -932,7 +939,7 @@ Validated Editions: Windows 7, Windows 7 SP1

6.1.7601.21655

6.1.7601.21675

1332 -FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)

Other algorithms: Elephant Diffuser @@ -945,7 +952,7 @@ Validated Editions: Windows 7, Windows 7 SP1

6.1.7601.17950

6.1.7601.22108

1327 -FIPS Approved algorithms: RSA (Cert. #557); SHS (Cert. #1081)
+FIPS approved algorithms: RSA (Cert. #557); SHS (Cert. #1081)

Other algorithms: MD5 @@ -954,7 +961,7 @@ Validated Editions: Windows 7, Windows 7 SP1 6.1.7600.16385
(no change in SP1) 1331 -FIPS Approved algorithms: DSA (Cert. #385); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
+FIPS approved algorithms: DSA (Cert. #385); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)

Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4 @@ -963,9 +970,9 @@ Validated Editions: Windows 7, Windows 7 SP1 6.1.7600.16385
(no change in SP1) 1330 -FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #673); SHS (Cert. #1081); RSA (Certs. #557 and #559); Triple-DES (Cert. #846)
+FIPS approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #673); SHS (Cert. #1081); RSA (Certs. #557 and #559); Triple-DES (Cert. #846)

-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256-bits of encryption strength; non-compliant less than 112 bits of encryption strength) +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength) @@ -993,13 +1000,13 @@ Validated Editions: Ultimate Edition Boot Manager (bootmgr) 6.0.6001.18000 and 6.0.6002.18005 978 -FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #354); SHS (Cert. #753) +FIPS approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #354); SHS (Cert. #753) Winload OS Loader (winload.exe) 6.0.6001.18000, 6.0.6001.18027, 6.0.6001.18606, 6.0.6001.22125, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411 and 6.0.6002.22596 979 -FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #354); SHS (Cert. #753)
+FIPS approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #354); SHS (Cert. #753)

Other algorithms: MD5 @@ -1007,37 +1014,37 @@ Validated Editions: Ultimate Edition Code Integrity (ci.dll) 6.0.6001.18000, 6.0.6001.18023, 6.0.6001.22120, and 6.0.6002.18005 980 -FIPS Approved algorithms: RSA (Cert. #354); SHS (Cert. #753)
+FIPS approved algorithms: RSA (Cert. #354); SHS (Cert. #753)

Other algorithms: MD5 Kernel Mode Security Support Provider Interface (ksecdd.sys) -6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.22869 +6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.22869 1000 -

FIPS Approved algorithms: AES (Certs. #739 and #756); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)#739 and); ECDSA (Cert.); HMAC (Cert.); RNG (Cert.  and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)

-

Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

+

FIPS approved algorithms: AES (Certs. #739 and #756); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)#739 and); ECDSA (Cert.); HMAC (Cert.); RNG (Cert.  and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)

+

Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

Cryptographic Primitives Library (bcrypt.dll) -6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005, and 6.0.6002.22872 +6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.22872 1001 -

FIPS Approved algorithms: AES (Certs. #739 and #756); DSA (Cert. #283); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90, vendor affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)

-

Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)

+

FIPS approved algorithms: AES (Certs. #739 and #756); DSA (Cert. #283); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90, vendor affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)

+

Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)

Enhanced Cryptographic Provider (RSAENH) -6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.18005 +6.0.6001.22202 and 6.0.6002.18005 1002 -

FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #407); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #354); SHS (Cert. #753); Triple-DES (Cert. #656)

-

Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

+

FIPS approved algorithms: AES (Cert. #739); HMAC (Cert. #407); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #354); SHS (Cert. #753); Triple-DES (Cert. #656)

+

Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) -6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005 +6.0.6001.18000 and 6.0.6002.18005 1003 -

FIPS Approved algorithms: DSA (Cert. #281); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)

-

Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4

+

FIPS approved algorithms: DSA (Cert. #281); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)

+

Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4

@@ -1059,23 +1066,23 @@ Validated Editions: Ultimate Edition Enhanced Cryptographic Provider (RSAENH) 6.0.6000.16386 893 -FIPS Approved algorithms: AES (Cert. #553); HMAC (Cert. #297); RNG (Cert. #321); RSA (Certs. #255 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
+FIPS approved algorithms: AES (Cert. #553); HMAC (Cert. #297); RNG (Cert. #321); RSA (Certs. #255 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)

-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) 6.0.6000.16386 894 -FIPS Approved algorithms: DSA (Cert. #226); RNG (Cert. #321); SHS (Cert. #618); Triple-DES (Cert. #549); Triple-DES MAC (Triple-DES Cert. #549, vendor affirmed)
+FIPS approved algorithms: DSA (Cert. #226); RNG (Cert. #321); SHS (Cert. #618); Triple-DES (Cert. #549); Triple-DES MAC (Triple-DES Cert. #549, vendor affirmed)

-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4 +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4 BitLocker™ Drive Encryption 6.0.6000.16386 947 -FIPS Approved algorithms: AES (Cert. #715); HMAC (Cert. #386); SHS (Cert. #737)
+FIPS approved algorithms: AES (Cert. #715); HMAC (Cert. #386); SHS (Cert. #737)

Other algorithms: Elephant Diffuser @@ -1083,9 +1090,9 @@ Validated Editions: Ultimate Edition Kernel Mode Security Support Provider Interface (ksecdd.sys) 6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067 891 -FIPS Approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
+FIPS approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)

-Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5 +Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 bits to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5 @@ -1111,22 +1118,22 @@ Validated Editions: Ultimate Edition Kernel Mode Cryptographic Module (FIPS.SYS) 5.1.2600.5512 997 -

FIPS Approved algorithms: HMAC (Cert. #429); RNG (Cert. #449); SHS (Cert. #785); Triple-DES (Cert. #677); Triple-DES MAC (Triple-DES Cert. #677, vendor affirmed)

+

FIPS approved algorithms: HMAC (Cert. #429); RNG (Cert. #449); SHS (Cert. #785); Triple-DES (Cert. #677); Triple-DES MAC (Triple-DES Cert. #677, vendor affirmed)

Other algorithms: DES; MD5; HMAC MD5

Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) 5.1.2600.5507 990 -

FIPS Approved algorithms: DSA (Cert. #292); RNG (Cert. #448); SHS (Cert. #784); Triple-DES (Cert. #676); Triple-DES MAC (Triple-DES Cert. #676, vendor affirmed)

-

Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4

+

FIPS approved algorithms: DSA (Cert. #292); RNG (Cert. #448); SHS (Cert. #784); Triple-DES (Cert. #676); Triple-DES MAC (Triple-DES Cert. #676, vendor affirmed)

+

Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4

Enhanced Cryptographic Provider (RSAENH) 5.1.2600.5507 989 -

FIPS Approved algorithms: AES (Cert. #781); HMAC (Cert. #428); RNG (Cert. #447); RSA (Cert. #371); SHS (Cert. #783); Triple-DES (Cert. #675); Triple-DES MAC (Triple-DES Cert. #675, vendor affirmed)

-

Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits)

+

FIPS approved algorithms: AES (Cert. #781); HMAC (Cert. #428); RNG (Cert. #447); RSA (Cert. #371); SHS (Cert. #783); Triple-DES (Cert. #675); Triple-DES MAC (Triple-DES Cert. #675, vendor affirmed)

+

Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits)

@@ -1152,14 +1159,14 @@ Validated Editions: Ultimate Edition DSS/Diffie-Hellman Enhanced Cryptographic Provider 5.1.2600.2133 240 -

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #29)

+

FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #29)

Other algorithms: DES (Cert. #66); RC2; RC4; MD5; DES40; Diffie-Hellman (key agreement)

Microsoft Enhanced Cryptographic Provider 5.1.2600.2161 238 -

FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

+

FIPS approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

Other algorithms: DES (Cert. #156); RC2; RC4; MD5

@@ -1186,7 +1193,7 @@ Validated Editions: Ultimate Edition Microsoft Enhanced Cryptographic Provider 5.1.2600.1029 238 -

FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

+

FIPS approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

Other algorithms: DES (Cert. #156); RC2; RC4; MD5

@@ -1213,7 +1220,7 @@ Validated Editions: Ultimate Edition Kernel Mode Cryptographic Module 5.1.2600.0 241 -

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #35); HMAC-SHA-1 (Cert. #35, vendor affirmed)

+

FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #35); HMAC-SHA-1 (Cert. #35, vendor affirmed)

Other algorithms: DES (Cert. #89)

@@ -1240,7 +1247,7 @@ Validated Editions: Ultimate Edition Kernel Mode Cryptographic Module (FIPS.SYS) 5.0.2195.1569 106 -

FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

+

FIPS approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

Other algorithms: DES (Certs. #89)

@@ -1250,7 +1257,7 @@ Validated Editions: Ultimate Edition

(DSS/DH Enh: 5.0.2195.3665 [SP3])

(Enh: 5.0.2195.3839 [SP3]

103 -

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

+

FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

@@ -1277,7 +1284,7 @@ Validated Editions: Ultimate Edition Kernel Mode Cryptographic Module (FIPS.SYS) 5.0.2195.1569 106 -

FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

+

FIPS approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

Other algorithms: DES (Certs. #89)

@@ -1291,7 +1298,7 @@ Validated Editions: Ultimate Edition

(Enh:

5.0.2195.2228 [SP2])

103 -

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

+

FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

@@ -1321,7 +1328,7 @@ Validated Editions: Ultimate Edition

(DSS/DH Enh: 5.0.2150.1391 [SP1])

(Enh: 5.0.2150.1391 [SP1])

103 -

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

+

FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

@@ -1348,7 +1355,7 @@ Validated Editions: Ultimate Edition Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider 5.0.2150.1 76 -

FIPS Approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. #28 and 29); RSA (vendor affirmed)

+

FIPS approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. #28 and 29); RSA (vendor affirmed)

Other algorithms: DES (Certs. #65, 66, 67 and 68); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

@@ -1375,7 +1382,7 @@ Validated Editions: Ultimate Edition Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider 5.0.1877.6 and 5.0.1877.7 75 -

FIPS Approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor- affirmed)

+

FIPS approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor- affirmed)

Other algorithms: DES (Certs. #61, 62, 63 and 64); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

@@ -1396,7 +1403,7 @@ Validated Editions: Ultimate Edition Base Cryptographic Provider 5.0.1877.6 and 5.0.1877.7 68 -FIPS Approved algorithms: SHA-1 (Certs. #20 and 21); DSA/SHA- 1 (Certs. #25 and 26); RSA (vendor affirmed)
+FIPS approved algorithms: SHA-1 (Certs. #20 and 21); DSA/SHA- 1 (Certs. #25 and 26); RSA (vendor affirmed)

Other algorithms: DES (Certs. #61, 62, 63 and 64); Triple-DES (allowed for US and Canadian Government use); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement) @@ -1631,7 +1638,7 @@ Validated Editions: Standard, Datacenter, Storage Server Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) 10.0.14393 2937 -FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)

Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt) @@ -1639,7 +1646,7 @@ Validated Editions: Standard, Datacenter, Storage Server Kernel Mode Cryptographic Primitives Library (cng.sys) 10.0.14393 2936 -FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)

Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt) @@ -1647,14 +1654,14 @@ Validated Editions: Standard, Datacenter, Storage Server Boot Manager 10.0.14393 2931 -

FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

+

FIPS approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

BitLocker® Windows OS Loader (winload) 10.0.14393 2932 -FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)

Other algorithms: NDRNG; MD5 @@ -1662,7 +1669,7 @@ Validated Editions: Standard, Datacenter, Storage Server BitLocker® Windows Resume (winresume) 10.0.14393 2933 -FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)

Other algorithms: MD5 @@ -1670,13 +1677,13 @@ Validated Editions: Standard, Datacenter, Storage Server BitLocker® Dump Filter (dumpfve.sys) 10.0.14393 2934 -FIPS Approved algorithms: AES (Certs. #4061 and #4064) +FIPS approved algorithms: AES (Certs. #4061 and #4064) Code Integrity (ci.dll) 10.0.14393 2935 -FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
+FIPS approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)

Other algorithms: AES (non-compliant); MD5 @@ -1684,7 +1691,7 @@ Validated Editions: Standard, Datacenter, Storage Server Secure Kernel Code Integrity (skci.dll) 10.0.14393 2938 -FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
+FIPS approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)

Other algorithms: MD5 @@ -1710,23 +1717,23 @@ Validated Editions: Server, Storage Server, Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) 6.3.9600 6.3.9600.17031 2357 -FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
+FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)

-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt) +Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt) Kernel Mode Cryptographic Primitives Library (cng.sys) 6.3.9600 6.3.9600.17042 2356 -FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
+FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)

-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt) +Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt) Boot Manager 6.3.9600 6.3.9600.17031 2351 -FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+FIPS approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)

Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) @@ -1734,7 +1741,7 @@ Validated Editions: Server, Storage Server, BitLocker® Windows OS Loader (winload) 6.3.9600 6.3.9600.17031 2352 -FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
+FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)

Other algorithms: MD5; NDRNG @@ -1742,7 +1749,7 @@ Validated Editions: Server, Storage Server, BitLocker® Windows Resume (winresume)[16] 6.3.9600 6.3.9600.17031 2353 -FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)

Other algorithms: MD5 @@ -1750,7 +1757,7 @@ Validated Editions: Server, Storage Server, BitLocker® Dump Filter (dumpfve.sys)[17] 6.3.9600 6.3.9600.17031 2354 -FIPS Approved algorithms: AES (Cert. #2832)
+FIPS approved algorithms: AES (Cert. #2832)

Other algorithms: N/A @@ -1758,7 +1765,7 @@ Validated Editions: Server, Storage Server, Code Integrity (ci.dll) 6.3.9600 6.3.9600.17031 2355 -FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
+FIPS approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)

Other algorithms: MD5 @@ -1766,9 +1773,9 @@ Validated Editions: Server, Storage Server, -\[16\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** +\[16\] Doesn't apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** -\[17\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** +\[17\] Doesn't apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** **Windows Server 2012** @@ -1786,27 +1793,27 @@ Validated Editions: Server, Storage Server Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL) 6.2.9200 1892 -FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)

-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert.); HMAC (Cert. #); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert.); HMAC (Cert. #); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)

-Other algorithms: AES (Cert., key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) +Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) Kernel Mode Cryptographic Primitives Library (cng.sys) 6.2.9200 1891 -FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)

-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)

-Other algorithms: AES (Cert., key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) +Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) Boot Manager 6.2.9200 1895 -FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)

Other algorithms: MD5 @@ -1814,7 +1821,7 @@ Validated Editions: Server, Storage Server BitLocker® Windows OS Loader (WINLOAD) 6.2.9200 1896 -FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)

Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG @@ -1822,7 +1829,7 @@ Validated Editions: Server, Storage Server BitLocker® Windows Resume (WINRESUME) 6.2.9200 1898 -FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)

Other algorithms: MD5 @@ -1830,7 +1837,7 @@ Validated Editions: Server, Storage Server BitLocker® Dump Filter (DUMPFVE.SYS) 6.2.9200 1899 -FIPS Approved algorithms: AES (Certs. #2196 and #2198)
+FIPS approved algorithms: AES (Certs. #2196 and #2198)

Other algorithms: N/A @@ -1838,7 +1845,7 @@ Validated Editions: Server, Storage Server Code Integrity (CI.DLL) 6.2.9200 1897 -FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)

Other algorithms: MD5 @@ -1846,7 +1853,7 @@ Validated Editions: Server, Storage Server Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL) 6.2.9200 1893 -FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
+FIPS approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)

Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) @@ -1854,9 +1861,9 @@ Validated Editions: Server, Storage Server Enhanced Cryptographic Provider (RSAENH.DLL) 6.2.9200 1894 -FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
+FIPS approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)

-Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) +Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) @@ -1874,65 +1881,65 @@ Validated Editions: Server, Storage Server Boot Manager (bootmgr) -6.1.7600.16385 or 6.1.7601.175146.1.7600.16385 or 6.1.7601.17514 +6.1.7600.16385 or 6.1.7601.17514 1321 -FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #568); SHS (Cert. #1081)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #568); SHS (Cert. #1081)

Other algorithms: MD5 Winload OS Loader (winload.exe) -6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216756.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.21675 +6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.21675 1333 -FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)

Other algorithms: MD5 Code Integrity (ci.dll) -6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221086.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.22108 +6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.22108 1334 -FIPS Approved algorithms: RSA (Cert. #568); SHS (Cert. #1081)
+FIPS approved algorithms: RSA (Cert. #568); SHS (Cert. #1081)

Other algorithms: MD5 Kernel Mode Cryptographic Primitives Library (cng.sys) -6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220766.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.22076 +6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.22076 1335 -FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 bits and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)

--Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 +-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 Cryptographic Primitives Library (bcryptprimitives.dll) -66.1.7600.16385 or 6.1.7601.1751466.1.7600.16385 or 6.1.7601.17514 +66.1.7600.16385 or 6.1.7601.17514 1336 -FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); DSA (Cert. #391); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); DSA (Cert. #391); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 bits and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)

-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4 +Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4 Enhanced Cryptographic Provider (RSAENH) 6.1.7600.16385 1337 -FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #687); SHS (Cert. #1081); RSA (Certs. #559 and #568); Triple-DES (Cert. #846)
+FIPS approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #687); SHS (Cert. #1081); RSA (Certs. #559 and #568); Triple-DES (Cert. #846)

-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength) +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength) Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) 6.1.7600.16385 1338 -FIPS Approved algorithms: DSA (Cert. #390); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
+FIPS approved algorithms: DSA (Cert. #390); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)

Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4 BitLocker™ Drive Encryption -6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216756.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675 +6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675 1339 -FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)

Other algorithms: Elephant Diffuser @@ -1952,61 +1959,61 @@ Validated Editions: Server, Storage Server Boot Manager (bootmgr) -6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224976.0.6001.18000, 6.0.6002.18005 and 6.0.6002.22497 +6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.22497 1004 -FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #355); SHS (Cert. #753)
+FIPS approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #355); SHS (Cert. #753)

Other algorithms: N/A Winload OS Loader (winload.exe) -6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225966.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.22596 +6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.22596 1005 -FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
+FIPS approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)

Other algorithms: MD5 Code Integrity (ci.dll) -6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005 +6.0.6001.18000 and 6.0.6002.18005 1006 -FIPS Approved algorithms: RSA (Cert. #355); SHS (Cert. #753)
+FIPS approved algorithms: RSA (Cert. #355); SHS (Cert. #753)

Other algorithms: MD5 Kernel Mode Security Support Provider Interface (ksecdd.sys) -6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.22869 +6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.22869 1007 -FIPS Approved algorithms: AES (Certs. #739 and #757); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
+FIPS approved algorithms: AES (Certs. #739 and #757); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)

-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert.); RNG (Cert.  and SP800-90 AES-CTR, vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert.); RNG (Cert.  and SP800-90 AES-CTR, vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)

-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) +Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) Cryptographic Primitives Library (bcrypt.dll) -6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005 and 6.0.6002.22872 +6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.22872 1008 -FIPS Approved algorithms: AES (Certs. #739 and #757); DSA (Cert. #284); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
+FIPS approved algorithms: AES (Certs. #739 and #757); DSA (Cert. #284); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)

-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength) +Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength) Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) -6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005 +6.0.6001.18000 and 6.0.6002.18005 1009 -FIPS Approved algorithms: DSA (Cert. #282); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
+FIPS approved algorithms: DSA (Cert. #282); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)

--Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4 +-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4 Enhanced Cryptographic Provider (RSAENH) -6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.18005 +6.0.6001.22202 and 6.0.6002.18005 1010 -FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)
+FIPS approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)

-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) @@ -2032,22 +2039,22 @@ Validated Editions: Server, Storage Server Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) 5.2.3790.3959 875 -

FIPS Approved algorithms: DSA (Cert. #221); RNG (Cert. #314); RSA (Cert. #245); SHS (Cert. #611); Triple-DES (Cert. #543)

-

Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4

+

FIPS approved algorithms: DSA (Cert. #221); RNG (Cert. #314); RSA (Cert. #245); SHS (Cert. #611); Triple-DES (Cert. #543)

+

Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4

Kernel Mode Cryptographic Module (FIPS.SYS) 5.2.3790.3959 869 -

FIPS Approved algorithms: HMAC (Cert. #287); RNG (Cert. #313); SHS (Cert. #610); Triple-DES (Cert. #542)

+

FIPS approved algorithms: HMAC (Cert. #287); RNG (Cert. #313); SHS (Cert. #610); Triple-DES (Cert. #542)

Other algorithms: DES; HMAC-MD5

Enhanced Cryptographic Provider (RSAENH) 5.2.3790.3959 868 -

FIPS Approved algorithms: AES (Cert. #548); HMAC (Cert. #289); RNG (Cert. #316); RSA (Cert. #245); SHS (Cert. #613); Triple-DES (Cert. #544)

-

Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

+

FIPS approved algorithms: AES (Cert. #548); HMAC (Cert. #289); RNG (Cert. #316); RSA (Cert. #245); SHS (Cert. #613); Triple-DES (Cert. #544)

+

Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

@@ -2073,7 +2080,7 @@ Validated Editions: Server, Storage Server Kernel Mode Cryptographic Module (FIPS.SYS) 5.2.3790.1830 [SP1] 405 -

FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

+

FIPS approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

[1] x86
[2] SP1 x86, x64, IA64

@@ -2082,7 +2089,7 @@ Validated Editions: Server, Storage Server Enhanced Cryptographic Provider (RSAENH) 5.2.3790.1830 [Service Pack 1]) 382 -

FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

+

FIPS approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

[1] x86
[2] SP1 x86, x64, IA64

@@ -2091,7 +2098,7 @@ Validated Editions: Server, Storage Server Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) 5.2.3790.1830 [Service Pack 1] 381 -

FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

+

FIPS approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

[1] x86
[2] SP1 x86, x64, IA64

@@ -2120,7 +2127,7 @@ Validated Editions: Server, Storage Server Kernel Mode Cryptographic Module (FIPS.SYS) 5.2.3790.0 405 -

FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

+

FIPS approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

[1] x86
[2] SP1 x86, x64, IA64

@@ -2129,7 +2136,7 @@ Validated Editions: Server, Storage Server Enhanced Cryptographic Provider (RSAENH) 5.2.3790.0 382 -

FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

+

FIPS approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

[1] x86
[2] SP1 x86, x64, IA64

@@ -2138,7 +2145,7 @@ Validated Editions: Server, Storage Server Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) 5.2.3790.0 381 -

FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

+

FIPS approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

[1] x86
[2] SP1 x86, x64, IA64

@@ -2169,15 +2176,15 @@ Validated Editions: Server, Storage Server Enhanced Cryptographic Provider 7.00.2872 [1] and 8.00.6246 [2] 2957 -

FIPS Approved algorithms: AES (Certs.#4433and#4434); CKG (vendor affirmed); DRBG (Certs.#1432and#1433); HMAC (Certs.#2946and#2945); RSA (Certs.#2414and#2415); SHS (Certs.#3651and#3652); Triple-DES (Certs.#2383and#2384)

-

Allowed algorithms: HMAC-MD5; MD5; NDRNG

+

FIPS approved algorithms: AES (Certs.#4433and#4434); CKG (vendor affirmed); DRBG (Certs.#1432and#1433); HMAC (Certs.#2946and#2945); RSA (Certs.#2414and#2415); SHS (Certs.#3651and#3652); Triple-DES (Certs.#2383and#2384)

+

Allowed algorithms: HMAC-MD5, MD5, NDRNG

Cryptographic Primitives Library (bcrypt.dll) 7.00.2872 [1] and 8.00.6246 [2] 2956 -

FIPS Approved algorithms: AES (Certs.#4430and#4431); CKG (vendor affirmed); CVL (Certs.#1139and#1140); DRBG (Certs.#1429and#1430); DSA (Certs.#1187and#1188); ECDSA (Certs.#1072and#1073); HMAC (Certs.#2942and#2943); KAS (Certs.#114and#115); RSA (Certs.#2411and#2412); SHS (Certs.#3648and#3649); Triple-DES (Certs.#2381and#2382)

-

Allowed algorithms: MD5; NDRNG; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength

+

FIPS approved algorithms: AES (Certs.#4430and#4431); CKG (vendor affirmed); CVL (Certs.#1139and#1140); DRBG (Certs.#1429and#1430); DSA (Certs.#1187and#1188); ECDSA (Certs.#1072and#1073); HMAC (Certs.#2942and#2943); KAS (Certs.#114and#115); RSA (Certs.#2411and#2412); SHS (Certs.#3648and#3649); Triple-DES (Certs.#2381and#2382)

+

Allowed algorithms: MD5, NDRNG, RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength

@@ -2204,7 +2211,7 @@ Validated Editions: Server, Storage Server Enhanced Cryptographic Provider 6.00.1937 [1] and 7.00.1687 [2] 825 -

FIPS Approved algorithms: AES (Certs. #516 [1] and #2024 [2]); HMAC (Certs. #267 [1] and #1227 [2]); RNG (Certs. #292 [1] and #1060 [2]); RSA (Cert. #230 [1] and #1052 [2]); SHS (Certs. #589 [1] and #1774 [2]); Triple-DES (Certs. #526 [1] and #1308 [2])

+

FIPS approved algorithms: AES (Certs. #516 [1] and #2024 [2]); HMAC (Certs. #267 [1] and #1227 [2]); RNG (Certs. #292 [1] and #1060 [2]); RSA (Cert. #230 [1] and #1052 [2]); SHS (Certs. #589 [1] and #1774 [2]); Triple-DES (Certs. #526 [1] and #1308 [2])

Other algorithms: MD5; HMAC-MD5; RC2; RC4; DES

@@ -2229,9 +2236,9 @@ Validated Editions: Server, Storage Server Outlook Cryptographic Provider (EXCHCSP) -SR-1A (3821)SR-1A (3821) +SR-1A (3821) 110 -

FIPS Approved algorithms: Triple-DES (Cert. #18); SHA-1 (Certs. #32); RSA (vendor affirmed)

+

FIPS approved algorithms: Triple-DES (Cert. #18); SHA-1 (Certs. #32); RSA (vendor affirmed)

Other algorithms: DES (Certs. #91); DES MAC; RC2; MD2; MD5

@@ -2320,7 +2327,7 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
  • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • +
  • Additional authenticated data length: 0-65536
  • AES-CFB128:
    • @@ -2393,7 +2400,7 @@ The following tables are organized by cryptographic algorithms with their modes,
    • Key Lengths: 128, 192, 256 (bits)
    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • -
    • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • +
    • Additional authenticated data lengths: 0, 8, 1016, 1024 (bits)
    • 96 bit IV supported
  • AES-XTS:
    • @@ -2426,7 +2433,7 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
  • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • +
  • Additional authenticated data length: 0-65536
  • AES-CFB128:
    • @@ -2499,7 +2506,7 @@ The following tables are organized by cryptographic algorithms with their modes,
    • Key Lengths: 128, 192, 256 (bits)
    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • -
    • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • +
    • Additional authenticated data lengths: 0, 8, 1016, 1024 (bits)
    • 96 bit IV supported
  • AES-XTS:
    • @@ -2532,7 +2539,7 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
  • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • +
  • Additional authenticated data length: 0-65536
  • AES-CFB128:
    • @@ -2606,7 +2613,7 @@ The following tables are organized by cryptographic algorithms with their modes,
    • Key Lengths: 128, 192, 256 (bits)
    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • -
    • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • +
    • Additional authenticated data lengths: 0, 8, 1016, 1024 (bits)
    • 96 bit IV supported
  • AES-XTS:
    • @@ -2634,7 +2641,7 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Key Lengths: 128, 192, 256 (bits)
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • -

    AES Val#4902

    +

    AES validation number 4902

    Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #4900

    Version 10.0.15063.674

    @@ -2646,7 +2653,7 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Key Lengths: 128, 192, 256 (bits)
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • -

    AES Val#4901

    +

    AES validation number 4901

    Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #4899

    Version 10.0.15254

    @@ -2658,7 +2665,7 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Key Lengths: 128, 192, 256 (bits)
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • -

    AES Val#4897

    +

    AES validation number 4897

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898

    Version 10.0.16299

    @@ -2669,9 +2676,9 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Tag Lengths: 128 (bits)
  • IV Lengths: 96 (bits)
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • +
  • Additional authenticated data length: 0-65536
    • -

    AES Val#4902

    +

    AES validation number 4902

    Microsoft Surface Hub BitLocker(R) Cryptographic Implementations #4896

    Version 10.0.15063.674

    @@ -2682,9 +2689,9 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Tag Lengths: 128 (bits)
  • IV Lengths: 96 (bits)
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • +
  • Additional authenticated data length: 0-65536
    • -

    AES Val#4901

    +

    AES validation number 4901

    Windows 10 Mobile (version 1709) BitLocker(R) Cryptographic Implementations #4895

    Version 10.0.15254

    @@ -2695,9 +2702,9 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Tag Lengths: 128 (bits)
  • IV Lengths: 96 (bits)
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • +
  • Additional authenticated data length: 0-65536
    • -

    AES Val#4897

    +

    AES validation number 4897

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894

    Version 10.0.16299

    @@ -2711,13 +2718,13 @@ The following tables are organized by cryptographic algorithms with their modes,

    KW (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

    -

    AES Val#4624

    +

    AES validation number 4624

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626

    Version 10.0.15063

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    -

    AES Val#4624

    +

    AES validation number 4624

     

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625

    Version 10.0.15063

    @@ -2732,8 +2739,8 @@ The following tables are organized by cryptographic algorithms with their modes,

    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16)

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)

    (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)

    -

    IV Generated: (External); PT Lengths Tested: (0, 1024, 8, 1016); AAD Lengths tested: (0, 1024, 8, 1016); 96BitIV_Supported

    -

    GMAC_Supported

    +

    IV Generated: (External); PT Lengths Tested: (0, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 1024, 8, 1016); 96 bit IV supported

    +

    GMAC supported

    XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624

    Version 10.0.15063

    @@ -2778,8 +2785,8 @@ The following tables are organized by cryptographic algorithms with their modes,

    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    -IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); AAD Lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96BitIV_Supported
    -GMAC_Supported

    +IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported
    +GMAC supported

    XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064

    Version 10.0.14393

    @@ -2794,25 +2801,25 @@ Version 10.0.14393

    KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 192, 256, 320, 2048)

    -

    AES Val#4064

    +

    AES validation number 4064

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062

    Version 10.0.14393

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    -

    AES Val#4064

    +

    AES validation number 4064

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061

    Version 10.0.14393

    KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

    -

    AES Val#3629

    +

    AES validation number 3629

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652

    Version 10.0.10586

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    -

    AES Val#3629

    +

    AES validation number 3629

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653

    Version 10.0.10586

    @@ -2830,8 +2837,8 @@ Version 10.0.10586

    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    -IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); AAD Lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96BitIV_Supported
    -GMAC_Supported

    +IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported
    +GMAC supported

    XTS((KS: XTS_128((e/d) (f)) KS: XTS_256((e/d) (f))

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629

    @@ -2840,13 +2847,13 @@ GMAC_Supported

    KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

    -

    AES Val#3497

    +

    AES validation number 3497

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507

    Version 10.0.10240

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    -

    AES Val#3497

    +

    AES validation number 3497

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498

    Version 10.0.10240

    @@ -2856,8 +2863,8 @@ GMAC_Supported

    CMAC(Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    -IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); AAD Lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested:  (0, 0); 96BitIV_Supported
    -GMAC_Supported

    +IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested:  (0, 0); 96 bit IV supported
    +GMAC supported

    XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
    Version 10.0.10240 @@ -2880,8 +2887,8 @@ Version 10.0.10240

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    -

    AES Val#2832

    -

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848

    +

    AES validation number 2832

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 BitLocker Cryptographic Implementations #2848

    Version 6.3.9600

    @@ -2889,26 +2896,26 @@ Version 10.0.10240

    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)

    (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)

    -

    IV Generated:  (Externally); PT Lengths Tested:  (0, 128, 1024, 8, 1016); AAD Lengths tested:  (0, 128, 1024, 8, 1016); IV Lengths Tested:  (8, 1024); 96BitIV_Supported;
    +

    IV Generated:  (Externally); PT Lengths Tested:  (0, 128, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 128, 1024, 8, 1016); IV Lengths Tested:  (8, 1024); 96 bit IV supported;
    OtherIVLen_Supported
    -GMAC_Supported

    -

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832

    +GMAC supported

    +

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832

    Version 6.3.9600

    CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
    -AES Val#2197

    +AES validation number 2197

    CMAC (Generation/Verification) (KS: 128; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 192; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 256; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16)
    -AES Val#2197

    +AES validation number 2197

    GCM(KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    -IV Generated: (Externally); PT Lengths Tested: (0, 128, 1024, 8, 1016); AAD Lengths tested: (0, 128, 1024, 8, 1016); IV Lengths Tested: (8, 1024); 96BitIV_Supported
    -GMAC_Supported

    +IV Generated: (Externally); PT Lengths Tested: (0, 128, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 128, 1024, 8, 1016); IV Lengths Tested: (8, 1024); 96 bit IV supported
    +GMAC supported

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216 -

    CCM (KS: 256) (Assoc. Data Len Range: 0 - 0, 2^16 ) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    -

    AES Val#2196

    +

    CCM (KS: 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    +

    AES validation number 2196

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198 @@ -2927,14 +2934,14 @@ GMAC_Supported

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196 -CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 – 0, 2^16 ) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
    -AES Val#1168 +CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 – 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
    +AES validation number 1168

    Windows Server 2008 R2 and SP1 CNG algorithms #1187

    Windows 7 Ultimate and SP1 CNG algorithms #1178

    -CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
    -AES Val#1168 +CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16)
    +AES validation number 1168 Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177 @@ -2950,11 +2957,11 @@ AES #1168, vendor-affirmed -CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) +CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16) Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760 -CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 - 0, 2^16 ) (Payload Length Range: 1 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) +CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 1 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

    Windows Server 2008 CNG algorithms #757

    Windows Vista Ultimate SP1 CNG algorithms #756

    @@ -2995,7 +3002,7 @@ AES -CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4627)] +CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4627)]

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556

    Version 10.0.15063

    -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#4624)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 4624)]

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555

    Version 10.0.15063

    -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4434)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4434)]

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433

    Version 7.00.2872

    -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4433)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4433)]

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432

    Version 8.00.6246

    -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4431)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4431)]

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430

    Version 7.00.2872

    -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4430)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4430)]

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429

    Version 8.00.6246

    -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4074)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4074)]

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222

    Version 10.0.14393

    -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#4064)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 4064)]

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217

    Version 10.0.14393

    -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#3629)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 3629)]

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955

    Version 10.0.10586

    -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#3497)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 3497)]

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868

    Version 10.0.10240

    -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#2832)] -

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489

    +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 2832)] +

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489

    Version 6.3.9600

    -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#2197)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 2197)] Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258 -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#2023)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 2023)] Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193 -CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#1168)] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 1168)] Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23 @@ -3280,26 +3287,26 @@ Deterministic Random Bit Generator (DRBG)

    PQG(gen)PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)]

    PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    KeyPairGen:   [(2048,256); (3072,256)]

    -

    SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256); ]

    +

    SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    -

    SHS: Val#3790

    -

    DRBG: Val# 1555

    +

    SHS: validation number 3790

    +

    DRBG: validation number 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223

    Version 10.0.15063

    FIPS186-4:
    -PQG(ver)PARMS TESTED:       [(1024,160) SHA(1); ]
    -SIG(ver)PARMS TESTED:   [(1024,160) SHA(1); ]
    -SHS: Val# 3649 +PQG(ver)PARMS TESTED:   [(1024,160) SHA(1)]
    +SIG(ver)PARMS TESTED:   [(1024,160) SHA(1)]
    +SHS: validation number 3649

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188

    Version 7.00.2872

    FIPS186-4:
    -PQG(ver)PARMS TESTED:       [(1024,160) SHA(1); ]
    -SIG(ver)PARMS TESTED:   [(1024,160) SHA(1); ]
    -SHS: Val#3648 +PQG(ver)PARMS TESTED:   [(1024,160) SHA(1)]
    +SIG(ver)PARMS TESTED:   [(1024,160) SHA(1)]
    +SHS: validation number 3648

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187

    Version 8.00.6246

    @@ -3310,20 +3317,20 @@ PQG(gen)PARMS TESTED: [
    PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    KeyPairGen:    [(2048,256); (3072,256)]
    SIG(gen)PARMS TESTED:   [(2048,256)
    -SHA(256); (3072,256) SHA(256); ]
    +SHA(256); (3072,256) SHA(256)]
    SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    -

    SHS: Val# 3347
    -DRBG: Val# 1217

    +

    SHS: validation number 3347
    +DRBG: validation number 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098

    Version 10.0.14393

    FIPS186-4:
    PQG(gen)    PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)] PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    -KeyPairGen:    [(2048,256); (3072,256)] SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256); ]
    +KeyPairGen:    [(2048,256); (3072,256)] SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    -

    SHS: Val# 3047
    -DRBG: Val# 955

    +

    SHS: validation number 3047
    +DRBG: validation number 955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024

    Version 10.0.10586

    @@ -3332,9 +3339,9 @@ DRBG: Val# 2886
    -DRBG: Val# 868

    +SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)] SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    +

    SHS: validation number 2886
    +DRBG: validation number 868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983

    Version 10.0.10240

    @@ -3345,11 +3352,11 @@ PQG(gen)PARMS TESTED:   [
    PQG(ver)PARMS TESTED:   [(2048,256)
    SHA(256); (3072,256) SHA(256)]
    KeyPairGen:    [(2048,256); (3072,256)]
    -SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256); ]
    +SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    -

    SHS: Val# 2373
    -DRBG: Val# 489

    -

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855

    +

    SHS: validation number 2373
    +DRBG: validation number 489

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855

    Version 6.3.9600

    @@ -3361,11 +3368,11 @@ DRBG: #1903
    DRBG: #258
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687.

    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 687.

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687 @@ -3374,75 +3381,75 @@ PQG(ver) MOD(1024);
    SIG(ver) MOD(1024);
    SHS: #1902
    DRBG: #258
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686. +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 686. Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686 FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 1773
    -DRBG: Val# 193
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645. +SHS: validation number 1773
    +DRBG: validation number 193
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 645. Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645 FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 1081
    -DRBG: Val# 23
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386. +SHS: validation number 1081
    +DRBG: validation number 23
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 391. See Historical DSA List validation number 386.

    Windows Server 2008 R2 and SP1 CNG algorithms #391

    Windows 7 Ultimate and SP1 CNG algorithms #386

    FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 1081
    -RNG: Val# 649
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385. +SHS: validation number 1081
    +RNG: validation number 649
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 390. See Historical DSA List validation number 385.

    Windows Server 2008 R2 and SP1 Enhanced DSS (DSSENH) #390

    Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385

    FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 753
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283. +SHS: validation number 753
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 284. See Historical DSA List validation number 283.

    Windows Server 2008 CNG algorithms #284

    Windows Vista Ultimate SP1 CNG algorithms #283

    FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 753
    -RNG: Val# 435
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281. +SHS: validation number 753
    +RNG: validation number 435
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 282. See Historical DSA List validation number 281.

    Windows Server 2008 Enhanced DSS (DSSENH) #282

    Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281

    FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 618
    -RNG: Val# 321
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226. +SHS: validation number 618
    +RNG: validation number 321
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 227. See Historical DSA List validation number 226.

    Windows Vista CNG algorithms #227

    Windows Vista Enhanced DSS (DSSENH) #226

    FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 784
    -RNG: Val# 448
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292. +SHS: validation number 784
    +RNG: validation number 448
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 292. Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292 FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 783
    -RNG: Val# 447
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291. +SHS: validation number 783
    +RNG: validation number 447
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 291. Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291 @@ -3452,8 +3459,8 @@ PQG(gen) MOD(1024);
    KEYGEN(Y) MOD(1024);
    SIG(gen) MOD(1024);
    SIG(ver) MOD(1024);
    -SHS: Val# 611
    -RNG: Val# 314 +SHS: validation number 611
    +RNG: validation number 314 Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221 @@ -3463,7 +3470,7 @@ PQG(gen) MOD(1024);
    KEYGEN(Y) MOD(1024);
    SIG(gen) MOD(1024);
    SIG(ver) MOD(1024);
    -SHS: Val# 385 +SHS: validation number 385 Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146 @@ -3472,7 +3479,7 @@ PQG(ver) MOD(1024);
    KEYGEN(Y) MOD(1024);
    SIG(gen) MOD(1024);
    SIG(ver) MOD(1024);
    -SHS: Val# 181
    +SHS: validation number 181

    Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95 @@ -3548,7 +3555,7 @@ SHS: SHA-1 (BYTE)

    Prerequisite: SHS #2373, DRBG #489

    -

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263

    Version 6.3.9600

    @@ -3794,8 +3801,8 @@ SHS: SHA-1 (BYTE)

    FIPS186-4:
    PKG: CURVES    (P-256 P-384 TestingCandidates)
    -SHS: Val#3790
    -DRBG: Val# 1555 +SHS: validation number 3790
    +DRBG: validation number 1555

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136

    Version 10.0.15063

    @@ -3805,8 +3812,8 @@ PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    PKV: CURVES(P-256 P-384 P-521)
    SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    -SHS: Val#3790
    -DRBG: Val# 1555 +SHS: validation number 3790
    +DRBG: validation number 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135

    Version 10.0.15063

    @@ -3816,8 +3823,8 @@ PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    PKV: CURVES(P-256 P-384 P-521)
    SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    -SHS: Val#3790
    -DRBG: Val# 1555 +SHS: validation number 3790
    +DRBG: validation number 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133

    Version 10.0.15063

    @@ -3827,8 +3834,8 @@ PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    PKV: CURVES(P-256 P-384 P-521)
    SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
    SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512))
    -SHS:Val# 3649
    -DRBG:Val# 1430 +SHS:validation number 3649
    +DRBG:validation number 1430

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073

    Version 7.00.2872

    @@ -3838,8 +3845,8 @@ PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    PKV: CURVES(P-256 P-384 P-521)
    SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
    SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512))
    -SHS:Val#3648
    -DRBG:Val# 1429 +SHS:validation number 3648
    +DRBG:validation number 1429

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072

    Version 8.00.6246

    @@ -3849,8 +3856,8 @@ PKG: CURVES(P-256 P-384 TestingCandidates)
    PKV: CURVES(P-256 P-384)
    SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
    SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384))

    -

    SHS: Val# 3347
    -DRBG: Val# 1222

    +

    SHS: validation number 3347
    +DRBG: validation number 1222

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920

    Version 10.0.14393

    @@ -3860,8 +3867,8 @@ PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    PKV: CURVES(P-256 P-384 P-521)
    SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))

    -

    SHS: Val# 3347
    -DRBG: Val# 1217

    +

    SHS: validation number 3347
    +DRBG: validation number 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911

    Version 10.0.14393

    @@ -3870,8 +3877,8 @@ DRBG: Val# 3047
    -DRBG: Val# 955

    +

    SHS: validation number 3047
    +DRBG: validation number 955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760

    Version 10.0.10586

    @@ -3880,8 +3887,8 @@ DRBG: Val# 2886
    -DRBG: Val# 868

    +

    SHS: validation number 2886
    +DRBG: validation number 868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #706

    Version 10.0.10240

    @@ -3890,9 +3897,9 @@ DRBG: Val#2373
    -DRBG: Val# 489

    -

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505

    +

    SHS: validation number 2373
    +DRBG: validation number 489

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505

    Version 6.3.9600

    @@ -3900,7 +3907,7 @@ DRBG: #1903
    DRBG: #258
    -SIG(ver):CURVES(P-256 P-384 P-521)
    +SIG(ver): CURVES(P-256 P-384 P-521)
    SHS: #1903
    DRBG: #258

    FIPS186-4:
    @@ -3909,57 +3916,57 @@ PKG: CURVES    (P-256 P-384 P-521 ExtraRandomBits)
    SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    SHS: #1903
    DRBG: #258
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341.

    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 341.

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341

    FIPS186-2:
    PKG: CURVES    (P-256 P-384 P-521)
    -SHS: Val#1773
    -DRBG: Val# 193
    +SHS: validation number 1773
    +DRBG: validation number 193
    SIG(ver): CURVES(P-256 P-384 P-521)
    -SHS: Val#1773
    -DRBG: Val# 193

    +SHS: validation number 1773
    +DRBG: validation number 193

    FIPS186-4:
    PKG: CURVES    (P-256 P-384 P-521 ExtraRandomBits)
    SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    -SHS: Val#1773
    -DRBG: Val# 193
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295.

    +SHS: validation number 1773
    +DRBG: validation number 193
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 295.

    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295 FIPS186-2:
    PKG: CURVES    (P-256 P-384 P-521)
    -SHS: Val#1081
    -DRBG: Val# 23
    +SHS: validation number 1081
    +DRBG: validation number 23
    SIG(ver): CURVES(P-256 P-384 P-521)
    -SHS: Val#1081
    -DRBG: Val# 23
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141. +SHS: validation number 1081
    +DRBG: validation number 23
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 142. See Historical ECDSA List validation number 141.

    Windows Server 2008 R2 and SP1 CNG algorithms #142

    Windows 7 Ultimate and SP1 CNG algorithms #141

    FIPS186-2:
    PKG: CURVES    (P-256 P-384 P-521)
    -SHS: Val#753
    +SHS: validation number 753
    SIG(ver): CURVES(P-256 P-384 P-521)
    -SHS: Val#753
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82. +SHS: validation number 753
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 83. See Historical ECDSA List validation number 82.

    Windows Server 2008 CNG algorithms #83

    Windows Vista Ultimate SP1 CNG algorithms #82

    FIPS186-2:
    PKG: CURVES    (P-256 P-384 P-521)
    -SHS: Val#618
    -RNG: Val# 321
    +SHS: validation number 618
    +RNG: validation number 321
    SIG(ver): CURVES(P-256 P-384 P-521)
    -SHS: Val#618
    -RNG: Val# 321
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60. +SHS: validation number 618
    +RNG: validation number 321
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 60. Windows Vista CNG algorithms #60 @@ -4122,111 +4129,111 @@ Some of the previously validated components for this validation have been remove

    Version 10.0.16299

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val#3790

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#3790

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3790

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3790

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3790

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3790

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062

    Version 10.0.15063

    -

    HMAC-SHA1(Key Sizes Ranges Tested: KSBS) SHS Val#3790

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#3790

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3790

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#3790

    +

    HMAC-SHA1(Key Sizes Ranges Tested: KSBS) SHS validation number 3790

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3790

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3790

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number 3790

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061

    Version 10.0.15063

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val#3652

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#3652

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3652

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#3652

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3652

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3652

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3652

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3652

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946

    Version 7.00.2872

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val#3651

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#3651

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3651

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#3651

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3651

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3651

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3651

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3651

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945

    Version 8.00.6246

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val# 3649

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val# 3649

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val# 3649

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal# 3649

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3649

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3649

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3649

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3649

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943

    Version 7.00.2872

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val#3648

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#3648

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3648

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#3648

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3648

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3648

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3648

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3648

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942

    Version 8.00.6246

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    -SHS Val# 3347

    +SHS validation number 3347

    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    -SHS Val# 3347

    +SHS validation number 3347

    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
    -SHS Val# 3347

    +SHS validation number 3347

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661

    Version 10.0.14393

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val# 3347

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val# 3347

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val# 3347

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val# 3347

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3347

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3347

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3347

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number 3347

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651

    Version 10.0.14393

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    -SHS Val# 3047

    +SHS validation number 3047

    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    -SHS Val# 3047

    +SHS validation number 3047

    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
    -SHS Val# 3047

    +SHS validation number 3047

    HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
    -SHS Val# 3047

    +SHS validation number 3047

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381

    Version 10.0.10586

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    -SHSVal# 2886

    +SHSvalidation number 2886

    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    -SHSVal# 2886

    +SHSvalidation number 2886

    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
    - SHSVal# 2886

    + SHSvalidation number 2886

    HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
    -SHSVal# 2886

    +SHSvalidation number 2886

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233

    Version 10.0.10240

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    -SHS Val#2373

    +SHS validation number 2373

    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    -SHS Val#2373

    +SHS validation number 2373

    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
    -SHS Val#2373

    +SHS validation number 2373

    HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
    -SHS Val#2373

    -

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773

    +SHS validation number 2373

    +

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773

    Version 6.3.9600

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val#2764

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#2764

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#2764

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#2764

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 2764

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 2764

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 2764

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number 2764

    Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122

    Version 5.2.29344

    @@ -4254,133 +4261,133 @@ SHS 1345 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#1773

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#1773

    -

    Tinker HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#1773

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#1773

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1773

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773

    +

    Tinker HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773

    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#1774

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#1774

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#1774

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#1774

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1774

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#1081

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#1081

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#1081

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#1081

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1081

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081

    Windows Server 2008 R2 and SP1 CNG algorithms #686

    Windows 7 and SP1 CNG algorithms #677

    Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687

    Windows 7 Enhanced Cryptographic Provider (RSAENH) #673

    -

    HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSVal#1081

    +

    HMAC-SHA1(Key Sizes Ranges Tested: KSvalidation number 1081

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 1081

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#816

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#816

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#816

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#816

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 816

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 816

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 816

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 816

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSVal#753

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 753

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 753

    Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#753

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#753

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#753

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS)SHS Val#753

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS)SHS validation number 753

    Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408

    Windows Vista Enhanced Cryptographic Provider (RSAENH) #407

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)SHSVal#618

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#618

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#618

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#618

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)SHSvalidation number 618

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    Windows Vista Enhanced Cryptographic Provider (RSAENH) #297 -HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#785 +HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 785

    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429

    Windows XP, vendor-affirmed

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#783

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#783

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#783

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#783

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 783

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 783

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 783

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 783

    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#613

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#613

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#613

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#613

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 613

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 613

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 613

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 613

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289 -HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#610 +HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 610 Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#753

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#753

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#753

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#753

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

    Windows Server 2008 CNG algorithms #413

    Windows Vista Ultimate SP1 CNG algorithms #412

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSVal#737

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 737

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 737

    Windows Vista Ultimate BitLocker Drive Encryption #386 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#618

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#618

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#618

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#618

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 618

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    Windows Vista CNG algorithms #298 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#589

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS)SHSVal#589

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#589

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#589

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 589

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS)SHSvalidation number 589

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 589

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 589

    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#578

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#578

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#578

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#578

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 578

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 578

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 578

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 578

    Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSVal#495

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 495

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 495

    Windows Vista BitLocker Drive Encryption #199 -HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#364 +HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 364

    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99

    Windows XP, vendor-affirmed

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#305

    -

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#305

    -

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#305

    -

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#305

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 305

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 305

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 305

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 305

    Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31 @@ -4500,7 +4507,7 @@ SHS -
  • One Pass DH:
    • +
  • One-Pass DH:
    • Key Agreement Roles: Initiator, Responder
    • Parameter Sets:
      • @@ -4802,7 +4809,7 @@ SHS

      ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration) SCHEMES [FullUnified (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC)]

      -

      SHS Val#3790
      -DSA Val#1135
      -DRBG Val#1556

      +

      SHS validation number 3790
      +DSA validation number 1135
      +DRBG validation number 1556

      Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #128

      Version 10.0.15063

      @@ -4932,16 +4939,16 @@ DRBG Val#3790
      -DSA Val#1223
      -DRBG Val#1555

      +SHS validation number 3790
      +DSA validation number 1223
      +DRBG validation number 1555

      ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES [EphemeralUnified (No_KC < KARole(s): Initiator / Responder>) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
      [OnePassDH (No_KC < KARole(s): Initiator / Responder>) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
      [StaticUnified (No_KC < KARole(s): Initiator / Responder>) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]

      -SHS Val#3790
      -ECDSA Val#1133
      -DRBG Val#1555

      +SHS validation number 3790
      +ECDSA validation number 1133
      +DRBG validation number 1555

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127

      Version 10.0.15063

      @@ -4949,9 +4956,9 @@ DRBG Val# 3649
      -DSA Val#1188
      -DRBG Val#1430

      +SHS validation number 3649
      +DSA validation number 1188
      +DRBG validation number 1430

      ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES [EphemeralUnified (No_KC < KARole(s): Initiator / Responder>) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
      [OnePassDH (No_KC < KARole(s): Initiator / Responder>) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
      [StaticUnified (No_KC < KARole(s): Initiator / Responder>) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]

      @@ -4963,23 +4970,23 @@ DRBG Val#3648
      -DSA Val#1187
      -DRBG Val#1429

      +SHS validation number 3648
      +DSA validation number 1187
      +DRBG validation number 1429

      ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES [EphemeralUnified (No_KC) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
      [OnePassDH (No_KC < KARole(s): Initiator / Responder>) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
      [StaticUnified (No_KC < KARole(s): Initiator / Responder>) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]

      -SHS Val#3648
      -ECDSA Val#1072
      -DRBG Val#1429

      +SHS validation number 3648
      +ECDSA validation number 1072
      +DRBG validation number 1429

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114

      Version 8.00.6246

      ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration)
      SCHEMES  [FullUnified  (No_KC  < KARole(s): Initiator / Responder > < KDF: CONCAT >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC)]

      -

      SHS Val# 3347 ECDSA Val#920 DRBG Val#1222

      +

      SHS validation number 3347 ECDSA validation number 920 DRBG validation number 1222

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93

      Version 10.0.14393

      @@ -4988,11 +4995,11 @@ DRBG Val# 3347 DSA Val#1098 DRBG Val#1217

      +

      SHS validation number 3347 DSA validation number 1098 DRBG validation number 1217

      ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
      [OnePassDH  (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
      [StaticUnified (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

      -

      SHS Val# 3347 DSA Val#1098 ECDSA Val#911 DRBG Val#1217 HMAC Val#2651

      +

      SHS validation number 3347 DSA validation number 1098 ECDSA validation number 911 DRBG validation number 1217 HMAC validation number 2651

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #92

      Version 10.0.14393

      @@ -5000,11 +5007,11 @@ DRBG Val# 3047 DSA Val#1024 DRBG Val#955

      +

      SHS validation number 3047 DSA validation number 1024 DRBG validation number 955

      ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
      [OnePassDH  (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
      [StaticUnified (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

      -

      SHS Val# 3047 ECDSA Val#760 DRBG Val#955

      +

      SHS validation number 3047 ECDSA validation number 760 DRBG validation number 955

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72

      Version 10.0.10586

      @@ -5012,11 +5019,11 @@ DRBG Val# 2886 DSA Val#983 DRBG Val#868

      +

      SHS validation number 2886 DSA validation number 983 DRBG validation number 868

      ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
      [OnePassDH  (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
      [StaticUnified (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

      -

      SHS Val# 2886 ECDSA Val#706 DRBG Val#868

      +

      SHS validation number 2886 ECDSA validation number 706 DRBG validation number 868

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64

      Version 10.0.10240

      @@ -5024,12 +5031,12 @@ DRBG Val#2373 DSA Val#855 DRBG Val#489

      +

      SHS validation number 2373 DSA validation number 855 DRBG validation number 489

      ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
      [OnePassDH  (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
      [StaticUnified (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

      -

      SHS Val#2373 ECDSA Val#505 DRBG Val#489

      -

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47

      +

      SHS validation number 2373 ECDSA validation number 505 DRBG validation number 489

      +

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47

      Version 6.3.9600

      @@ -5037,18 +5044,18 @@ DRBG #1903 DSA Val#687 DRBG #258

      +SHS #1903 DSA validation number 687 DRBG #258

      ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [EphemeralUnified (No_KC < KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
      [OnePassDH(No_KC < KARole(s): Initiator / Responder>) (EC: P-256 SHA256) (ED: P-384 SHA384) (EE: P-521 (SHA512, HMAC_SHA512)))]
      [StaticUnified (No_KC < KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]

      -SHS #1903 ECDSA Val#341 DRBG #258

      +SHS #1903 ECDSA validation number 341 DRBG #258

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36

      KAS (SP 800–56A)

      key agreement

      -

      key establishment methodology provides 80 to 256 bits of encryption strength

      +

      key establishment methodology provides 80 bits to 256 bits of encryption strength

      Windows 7 and SP1, vendor-affirmed

      Windows Server 2008 R2 and SP1, vendor-affirmed

      @@ -5162,55 +5169,55 @@ SP 800-108 Key-Based Key Derivation Functions (KBKDF) CTR_Mode: (Llength(Min0 Max0) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA384]) LocationCounter([BeforeFixedData]) rlength([32]))

      -KAS Val#128
      -DRBG Val#1556
      -MAC Val#3062 +KAS validation number 128
      +DRBG validation number 1556
      +MAC validation number 3062

      Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #141

      Version 10.0.15063

      CTR_Mode: (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

      -KAS Val#127
      -AES Val#4624
      -DRBG Val#1555
      -MAC Val#3061 +KAS validation number 127
      +AES validation number 4624
      +DRBG validation number 1555
      +MAC validation number 3061

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #140

      Version 10.0.15063

      CTR_Mode:  (Llength(Min20 Max64) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA384]) LocationCounter([BeforeFixedData]) rlength([32]))

      -

      KAS Val#93 DRBG Val#1222 MAC Val#2661

      +

      KAS validation number 93 DRBG validation number 1222 MAC validation number 2661

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102

      Version 10.0.14393

      CTR_Mode:  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

      -

      KAS Val#92 AES Val#4064 DRBG Val#1217 MAC Val#2651

      +

      KAS validation number 92 AES validation number 4064 DRBG validation number 1217 MAC validation number 2651

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101

      Version 10.0.14393

      CTR_Mode:  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

      -

      KAS Val#72 AES Val#3629 DRBG Val#955 MAC Val#2381

      +

      KAS validation number 72 AES validation number 3629 DRBG validation number 955 MAC validation number 2381

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72

      Version 10.0.10586

      CTR_Mode:  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

      -

      KAS Val#64 AES Val#3497 RBG Val#868 MAC Val#2233

      +

      KAS validation number 64 AES validation number 3497 RBG validation number 868 MAC validation number 2233

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66

      Version 10.0.10240

      CTR_Mode:  (Llength(Min0 Max0) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

      -

      DRBG Val#489 MAC Val#1773

      -

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30

      +

      DRBG validation number 489 MAC validation number 1773

      +

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30

      Version 6.3.9600

      CTR_Mode: (Llength(Min0 Max4) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

      -

      DRBG #258 HMAC Val#1345

      +

      DRBG #258 HMAC validation number 1345

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3 @@ -5855,14 +5862,14 @@ ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384)) SIG(gen) with SIG(Ver) (1024 SHA(1, 256, 384)) (2048 SHA(1, 256, 384))
      [RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) SIG(gen) with SHA-1 affirmed for use with protocols only.
       Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48)))
      -SHA Val#3790 +SHA validation number 3790

      Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524

      Version 10.0.15063

      FIPS186-4:
      ALG[RSASSA-PKCS1_V1_5]       SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
      -SHA Val#3790 +SHA validation number 3790

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523

      Version 10.0.15063

      @@ -5874,8 +5881,8 @@ SHA Val#3790
      -DRBG: Val# 1555 +SHA validation number 3790
      +DRBG: validation number 1555

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522

      Version 10.0.15063

      @@ -5887,65 +5894,65 @@ PGM(ProbRandom: (2048, 3072) PPTT:(C.2)
      SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
      [RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) SIG(gen) with SHA-1 affirmed for use with protocols only.
       Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
      -SHA Val#3790 +SHA validation number 3790

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521

      Version 10.0.15063

      FIPS186-2:
      ALG[ANSIX9.31]:
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#3652
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652

      +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3652
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256validation number 3652, SHA-384validation number 3652, SHA-512validation number 3652
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3652, SHA-256validation number 3652, SHA-384validation number 3652, SHA-512validation number 3652

      FIPS186-4:
      ALG[ANSIX9.31]       Sig(Gen): (2048 SHA(1)) (3072 SHA(1))
      SIG(gen) with SHA-1 affirmed for use with protocols only.       Sig(Ver): (1024 SHA(1)) (2048 SHA(1)) (3072 SHA(1))
      ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
       SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
      -SHA Val#3652

      +SHA validation number 3652

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415

      Version 7.00.2872

      FIPS186-2:
      ALG[ANSIX9.31]:
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#3651
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651

      +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3651
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256validation number 3651, SHA-384validation number 3651, SHA-512validation number 3651
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3651, SHA-256validation number 3651, SHA-384validation number 3651, SHA-512validation number 3651

      FIPS186-4:
      ALG[ANSIX9.31]       Sig(Gen): (2048 SHA(1)) (3072 SHA(1))
      SIG(gen) with SHA-1 affirmed for use with protocols only.       Sig(Ver): (1024 SHA(1)) (2048 SHA(1)) (3072 SHA(1))
      ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
       SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
      -SHA Val#3651

      +SHA validation number 3651

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414

      Version 8.00.6246

      FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:       SIG(gen) 4096, SHS: SHA-256Val# 3649, SHA-384Val# 3649, SHA-512Val# 3649
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val# 3649, SHA-256Val# 3649, SHA-384Val# 3649, SHA-512Val# 3649

      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256validation number 3649, SHA-384validation number 3649, SHA-512validation number 3649
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3649, SHA-256validation number 3649, SHA-384validation number 3649, SHA-512validation number 3649

      FIPS186-4:
      186-4KEY(gen):       FIPS186-4_Fixed_e (10001);
      PGM(ProbRandom: (2048, 3072) PPTT:(C.2)
      ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
       SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
      -SHA Val# 3649
      -DRBG: Val# 1430

      +SHA validation number 3649
      +DRBG: validation number 1430

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412

      Version 7.00.2872

      FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:       SIG(gen) 4096, SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648

      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256validation number 3648, SHA-384validation number 3648, SHA-512validation number 3648
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3648, SHA-256validation number 3648, SHA-384validation number 3648, SHA-512validation number 3648

      FIPS186-4:
      186-4KEY(gen):       FIPS186-4_Fixed_e (10001);
      PGM(ProbRandom: (2048, 3072) PPTT:(C.2)
      ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
       SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
      -SHA Val#3648
      -DRBG: Val# 1429

      +SHA validation number 3648
      +DRBG: validation number 1429

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411

      Version 8.00.6246

      @@ -5955,7 +5962,7 @@ ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384)) SIG(gen) with SHA-1 SIG(Ver) (1024 SHA(1, 256, 384)) (2048 SHA(1, 256, 384))
      [RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) SIG(gen) with SHA-1 affirmed for use with protocols only.
      Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48)))

      -

      SHA Val# 3347

      +

      SHA validation number 3347

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206

      Version 10.0.14393

      @@ -5963,14 +5970,14 @@ Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) (2048 SHA(

      FIPS186-4:
      186-4KEY(gen):       FIPS186-4_Fixed_e (10001);
      PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

      -

      SHA Val# 3347 DRBG: Val# 1217

      +

      SHA validation number 3347 DRBG: validation number 1217

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195

      Version 10.0.14393

      FIPS186-4:
      ALG[RSASSA-PKCS1_V1_5]       SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

      -

      SHA Val#3346

      +

      SHA validation number 3346

      soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194

      Version 10.0.14393

      @@ -5978,7 +5985,7 @@ ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 25

      FIPS186-4:
      ALG[RSASSA-PKCS1_V1_5]       SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
      SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

      -

      SHA Val# 3347 DRBG: Val# 1217

      +

      SHA validation number 3347 DRBG: validation number 1217

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193

      Version 10.0.14393

      @@ -5986,7 +5993,7 @@ ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384

      FIPS186-4:
      [RSASSA-PSS]: Sig(Gen):       (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

      Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

      -

      SHA Val# 3347 DRBG: Val# 1217

      +

      SHA validation number 3347 DRBG: validation number 1217

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192

      Version 10.0.14393

      @@ -5994,14 +6001,14 @@ ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384

      FIPS186-4:
      186-4KEY(gen)      :  FIPS186-4_Fixed_e (10001);
      PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

      -

      SHA Val# 3047 DRBG: Val# 955

      +

      SHA validation number 3047 DRBG: validation number 955

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889

      Version 10.0.10586

      FIPS186-4:
      ALG[RSASSA-PKCS1_V1_5]       SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

      -

      SHA Val#3048

      +

      SHA validation number 3048

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871

      Version 10.0.10586

      @@ -6009,7 +6016,7 @@ ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 25

      FIPS186-4:
      ALG[RSASSA-PKCS1_V1_5]       SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
      SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

      -

      SHA Val# 3047

      +

      SHA validation number 3047

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888

      Version 10.0.10586

      @@ -6017,7 +6024,7 @@ ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384

      FIPS186-4:
      [RSASSA-PSS]: Sig(Gen)      : (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
      Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

      -

      SHA Val# 3047

      +

      SHA validation number 3047

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887

      Version 10.0.10586

      @@ -6025,21 +6032,21 @@ ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384

      FIPS186-4:
      186-4KEY(gen):       FIPS186-4_Fixed_e (10001);
      PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

      -

      SHA Val# 2886 DRBG: Val# 868

      +

      SHA validation number 2886 DRBG: validation number 868

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798

      Version 10.0.10240

      FIPS186-4:
      ALG[RSASSA-PKCS1_V1_5]       SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

      -

      SHA Val#2871

      +

      SHA validation number 2871

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784

      Version 10.0.10240

      FIPS186-4:
      ALG[RSASSA-PKCS1_V1_5]       SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

      -

      SHA Val#2871

      +

      SHA validation number 2871

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783

      Version 10.0.10240

      @@ -6047,7 +6054,7 @@ ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 25

      FIPS186-4:
      [RSASSA-PSS]:       Sig(Gen): (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
      Sig(Ver): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

      -

      SHA Val# 2886

      +

      SHA validation number 2886

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802

      Version 10.0.10240

      @@ -6055,14 +6062,14 @@ Sig(Ver): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen

      FIPS186-4:
      186-4KEY(gen):       FIPS186-4_Fixed_e;
      PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

      -

      SHA Val#2373 DRBG: Val# 489

      -

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487

      +

      SHA validation number 2373 DRBG: validation number 489

      +

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487

      Version 6.3.9600

      FIPS186-4:
      ALG[RSASSA-PKCS1_V1_5]       SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

      -

      SHA Val#2373

      +

      SHA validation number 2373

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494

      Version 6.3.9600

      @@ -6070,16 +6077,16 @@ ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 25

      FIPS186-4:
      ALG[RSASSA-PKCS1_V1_5      ] SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
      SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

      -

      SHA Val#2373

      -

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493

      +

      SHA validation number 2373

      +

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493

      Version 6.3.9600

      FIPS186-4:
      [RSASSA-PSS]:       Sig(Gen): (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
      Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

      -

      SHA Val#2373

      -

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519

      +

      SHA validation number 2373

      +

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519

      Version 6.3.9600

      @@ -6089,7 +6096,7 @@ SIG(Ver) (1024 SHA(1, 256, 384, 512-256)) (2048 SHA(1, 256, 384, 512-256)) (3072 [RSASSA-PSS]: Sig(Gen): (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
      Sig(Ver): (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512, 512))
      SHA #1903

      -

      Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134.

      +

      Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1134.

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134 @@ -6104,166 +6111,166 @@ SHA #258
      ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
      SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132. +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1132. Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132 FIPS186-2:
      ALG[ANSIX9.31]:
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#1774
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052. +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1774
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1774, SHA-384validation number 1774, SHA-512validation number 1774,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1774, SHA-256validation number 1774, SHA-384validation number 1774, SHA-512validation number 1774,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1052. Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052 FIPS186-2:
      -ALG[ANSIX9.31]:       Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: Val# 193
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051. +ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: validation number 193
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1773, SHA-384validation number 1773, SHA-512validation number 1773,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1773, SHA-256validation number 1773, SHA-384validation number 1773, SHA-512validation number 1773,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1051. Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051 FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:       SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568. +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 568. Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568 FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:       SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      -ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#567. See Historical RSA List Val#560. +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
      +ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081
      +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 567. See Historical RSA List validation number 560.

      Windows Server 2008 R2 and SP1 CNG algorithms #567

      Windows 7 and SP1 CNG algorithms #560

      FIPS186-2:
      -ALG[ANSIX9.31]:       Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: Val# 23
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559. +ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: validation number 23
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 559. Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559 FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:       SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#557. +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 557. Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557 FIPS186-2:
      ALG[ANSIX9.31]:
      -ALG[RSASSA-PKCS1_V1_5]:       SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#395. +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 816, SHA-384validation number 816, SHA-512validation number 816,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 816, SHA-256validation number 816, SHA-384validation number 816, SHA-512validation number 816,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 395. Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395 FIPS186-2:
      ALG[ANSIX9.31]:
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#783
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#371. +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 783
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 783, SHA-384validation number 783, SHA-512validation number 783,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 371. Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371 FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:       SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
      -ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#358. See Historical RSA List Val#357. +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753, SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
      +ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753
      +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753, SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 358. See Historical RSA List validation number 357.

      Windows Server 2008 CNG algorithms #358

      Windows Vista SP1 CNG algorithms #357

      FIPS186-2:
      ALG[ANSIX9.31]:
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#753
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#355. See Historical RSA List Val#354. +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753, SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 355. See Historical RSA List validation number 354.

      Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355

      Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354

      FIPS186-2:
      ALG[ANSIX9.31]:       Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353. +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 353. Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353 FIPS186-2:
      -ALG[ANSIX9.31]:       Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 RNG: Val# 321
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258. +ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 RNG: validation number 321
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 258. Windows Vista RSA key generation implementation #258 FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:       SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
      -ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#257. +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 618, SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
      +ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618
      +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 618, SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 257. Windows Vista CNG algorithms #257 FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:       SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#255. +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 618, SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 255. Windows Vista Enhanced Cryptographic Provider (RSAENH) #255 FIPS186-2:
      ALG[ANSIX9.31]:
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#613
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#245. +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 613
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 613, SHA-384validation number 613, SHA-512validation number 613,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 613, SHA-256validation number 613, SHA-384validation number 613, SHA-512validation number 613,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 245. Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245 FIPS186-2:
      ALG[ANSIX9.31]:
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#589
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#230. +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 589
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 589, SHA-384validation number 589, SHA-512validation number 589,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 589, SHA-256validation number 589, SHA-384validation number 589, SHA-512validation number 589,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 230. Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230 FIPS186-2:
      ALG[ANSIX9.31]:
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#578
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#222. +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 578
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 578, SHA-384validation number 578, SHA-512validation number 578,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 578, SHA-256validation number 578, SHA-384validation number 578, SHA-512validation number 578,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 222. Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222 FIPS186-2:
      ALG[RSASSA-PKCS1_V1_5]:
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#364
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#81. +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 364
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 81. Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81 FIPS186-2:
      ALG[ANSIX9.31]:
      -SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#305
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
      -SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#52. +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 305
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 305, SHA-384validation number 305, SHA-512validation number 305,
      +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 305, SHA-256validation number 305, SHA-384validation number 305, SHA-512validation number 305,
      +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 52. Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52

      FIPS186-2:

      -

      – PKCS#1 v1.5, signature generation and verification

      +

      – PKCS#1 v1.5, signature generation, and verification

      – Mod sizes: 1024, 1536, 2048, 3072, 4096

      – SHS: SHA–1/256/384/512

      Windows XP, vendor-affirmed

      @@ -6452,7 +6459,7 @@ Version 6.3.9600 SHA-256 (BYTE-only)
      SHA-384 (BYTE-only)
      SHA-512 (BYTE-only) -Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
      +Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
      Version 6.3.9600 @@ -6638,71 +6645,71 @@ Version 6.3.9600

      Version 10.0.16299

      -TECB(KO 1 e/d,); TCBC(KO 1 e/d,); TCFB8(KO 1 e/d,); TCFB64(KO 1 e/d,) +TECB(KO 1 e/d); TCBC(KO 1 e/d); TCFB8(KO 1 e/d); TCFB64(KO 1 e/d)

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459

      Version 10.0.15063

      -

      TECB(KO 1 e/d,);

      -

      TCBC(KO 1 e/d,)

      +

      TECB(KO 1 e/d);

      +

      TCBC(KO 1 e/d)

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384

      Version 8.00.6246

      -

      TECB(KO 1 e/d,);

      -

      TCBC(KO 1 e/d,)

      +

      TECB(KO 1 e/d);

      +

      TCBC(KO 1 e/d)

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383

      Version 8.00.6246

      -

      TECB(KO 1 e/d,);

      -

      TCBC(KO 1 e/d,);

      +

      TECB(KO 1 e/d);

      +

      TCBC(KO 1 e/d);

      CTR (int only)

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382

      Version 7.00.2872

      -

      TECB(KO 1 e/d,);

      -

      TCBC(KO 1 e/d,)

      +

      TECB(KO 1 e/d);

      +

      TCBC(KO 1 e/d)

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381

      Version 8.00.6246

      -

      TECB(KO 1 e/d,);

      -

      TCBC(KO 1 e/d,);

      -

      TCFB8(KO 1 e/d,);

      -

      TCFB64(KO 1 e/d,)

      +

      TECB(KO 1 e/d);

      +

      TCBC(KO 1 e/d);

      +

      TCFB8(KO 1 e/d);

      +

      TCFB64(KO 1 e/d)

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227

      Version 10.0.14393

      -

      TECB(KO 1 e/d,);

      -

      TCBC(KO 1 e/d,);

      -

      TCFB8(KO 1 e/d,);

      -

      TCFB64(KO 1 e/d,)

      +

      TECB(KO 1 e/d);

      +

      TCBC(KO 1 e/d);

      +

      TCFB8(KO 1 e/d);

      +

      TCFB64(KO 1 e/d)

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024

      Version 10.0.10586

      -

      TECB(KO 1 e/d,);

      -

      TCBC(KO 1 e/d,);

      -

      TCFB8(KO 1 e/d,);

      -

      TCFB64(KO 1 e/d,)

      +

      TECB(KO 1 e/d);

      +

      TCBC(KO 1 e/d);

      +

      TCFB8(KO 1 e/d);

      +

      TCFB64(KO 1 e/d)

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969

      Version 10.0.10240

      -

      TECB(KO 1 e/d,);

      -

      TCBC(KO 1 e/d,);

      -

      TCFB8(KO 1 e/d,);

      -

      TCFB64(KO 1 e/d,)

      -

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692

      +

      TECB(KO 1 e/d);

      +

      TCBC(KO 1 e/d);

      +

      TCFB8(KO 1 e/d);

      +

      TCFB64(KO 1 e/d)

      +

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692

      Version 6.3.9600

      @@ -6770,7 +6777,7 @@ Version 6.3.9600 -#### SP 800-132 Password Based Key Derivation Function (PBKDF) +#### SP 800-132 Password-Based Key Derivation Function (PBKDF) @@ -6824,7 +6831,7 @@ Version 6.3.9600

      Prerequisite: DRBG #489

      - @@ -6856,7 +6863,7 @@ Version 6.3.9600
    • Modulus Size: 2048 (bits)
      • - @@ -7265,7 +7272,7 @@ Version 10.0.14393

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894
      Version 10.0.14393icrosoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #666
      Version 10.0.10586

      -

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288
      +

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288
      Version 6.3.9600

      @@ -7282,7 +7289,7 @@ Version 10.0.15063

      Version 10.0.14393

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #888
      Version 10.0.14393

      -

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665
      +

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665
      Version 10.0.10586

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #572
      Version  10.0.10240

      @@ -7335,10 +7342,7 @@ fips@microsoft.com ## References -\[[FIPS 140](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)\] - FIPS 140-2, Security Requirements for Cryptographic Modules - -\[[FIPS FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf)\] - Cryptographic Module Validation Program (CMVP) FAQ - -\[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\] - Recommendation for Key Management – Part 1: General (Revised) - -\[[SP 800-131A](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)\] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths +* [FIPS 140-2, Security Requirements for Cryptographic Modules](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)) +* [Cryptographic Module Validation Program (CMVP) FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf) +* [SP 800-57 - Recommendation for Key Management – Part 1: General (Revised)](https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final) +* [SP 800-131A - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf) diff --git a/windows/security/threat-protection/images/linux-mdatp-1.png b/windows/security/threat-protection/images/linux-mdatp-1.png new file mode 100644 index 0000000000..f8c9c07b16 Binary files /dev/null and b/windows/security/threat-protection/images/linux-mdatp-1.png differ diff --git a/windows/security/threat-protection/images/linux-mdatp.png b/windows/security/threat-protection/images/linux-mdatp.png new file mode 100644 index 0000000000..f8c9c07b16 Binary files /dev/null and b/windows/security/threat-protection/images/linux-mdatp.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md index a3d582510d..fd9d16d4b6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 11/18/2020 ms.reviewer: manager: dansimp --- @@ -37,15 +37,16 @@ The following broad categories of features can be configured: - Cloud-delivered protection - Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection -- How end-users interact with the client on individual endpoints +- How end users interact with the client on individual endpoints -The topics in this section describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools). +The following articles describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each article includes instructions for the applicable configuration tool (or tools). -You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help. +|Article |Description | +|---------|---------| +|[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) | Use cloud-delivered protection for advanced, fast, robust antivirus detection. | +|[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) |Enable behavior-based, heuristic, and real-time antivirus protection. | +|[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) | Configure how end users in your organization interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings. | + +> [!TIP] +> You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help. -## In this section -Topic | Description -:---|:--- -[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection -[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time antivirus protection -[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)|Configure how end-users interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md index 8ee17ca054..1be93dc8a6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 07/08/2020 +ms.date: 11/18/2020 ms.reviewer: manager: dansimp --- @@ -62,7 +62,7 @@ The table below lists the services and their associated URLs. Make sure that the | Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
      `ussus1westprod.blob.core.windows.net`
      `usseu1northprod.blob.core.windows.net`
      `usseu1westprod.blob.core.windows.net`
      `ussuk1southprod.blob.core.windows.net`
      `ussuk1westprod.blob.core.windows.net`
      `ussas1eastprod.blob.core.windows.net`
      `ussas1southeastprod.blob.core.windows.net`
      `ussau1eastprod.blob.core.windows.net`
      `ussau1southeastprod.blob.core.windows.net` | | Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `http://www.microsoft.com/pkiops/crl/`
      `http://www.microsoft.com/pkiops/certs`
      `http://crl.microsoft.com/pki/crl/products`
      `http://www.microsoft.com/pki/certs` | | Symbol Store|Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` | -| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
      `settings-win.data.microsoft.com`| +| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses telemetry for product quality monitoring purposes | The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
      `settings-win.data.microsoft.com`| ## Validate connections between your network and the cloud @@ -85,8 +85,7 @@ For more information, see [Manage Microsoft Defender Antivirus with the mpcmdrun You can download a sample file that Microsoft Defender Antivirus will detect and block if you are properly connected to the cloud. -Download the file by visiting the following link: -- https://aka.ms/ioavtest +Download the file by visiting [https://aka.ms/ioavtest](https://aka.ms/ioavtest). >[!NOTE] >This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud. @@ -105,11 +104,11 @@ You will also see a detection under **Quarantined threats** in the **Scan histor 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label: +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label: ![Screenshot of the Scan history label in the Windows Security app](images/defender/wdav-history-wdsc.png) -3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware. +3. Under the **Quarantined threats** section, select **See full history** to see the detected fake malware. > [!NOTE] > Versions of Windows 10 before version 1703 have a different user interface. See [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md). diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md index 95de8ec073..725634e323 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md @@ -26,15 +26,16 @@ manager: dansimp You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists. -This topic describes how to configure exclusion lists for the following: +This article describes how to configure exclusion lists. - +## Examples of exclusions + +|Exclusion | Example | +|---|---| +|Any file on the machine that is opened by any process with a specific file name | Specifying `test.exe` would exclude files opened by:
      `c:\sample\test.exe`
      `d:\internal\files\test.exe` | +|Any file on the machine that is opened by any process under a specific folder | Specifying `c:\test\sample\*` would exclude files opened by:
      `c:\test\sample\test.exe`
      `c:\test\sample\test2.exe`
      `c:\test\sample\utility.exe` | +|Any file on the machine that is opened by a specific process in a specific folder | Specifying `c:\test\process.exe` would exclude files only opened by `c:\test\process.exe` | -Exclusion | Example ----|--- -Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by:
      • c:\sample\test.exe
      • d:\internal\files\test.exe
      -Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:
      • c:\test\sample\test.exe
      • c:\test\sample\test2.exe
      • c:\test\sample\utility.exe
      -Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe When you add a process to the process exclusion list, Microsoft Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md). @@ -42,18 +43,16 @@ The exclusions only apply to [always-on real-time protection and monitoring](con Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists. -You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists. +You can add, remove, and review the lists for exclusions in Group Policy, Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app, and you can use wildcards to further customize the lists. -You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists. +You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including reviewing your lists. -By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. +By default, local changes made to the lists (by users with administrator privileges; changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. ## Configure the list of exclusions for files opened by specified processes - - ### Use Microsoft Intune to exclude files that have been opened by specified processes from scans See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details. @@ -74,14 +73,12 @@ See [How to create and deploy antimalware policies: Exclusion settings](https:// 1. Set the option to **Enabled**. 2. Under the **Options** section, click **Show...**. - 3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions. Enter **0** in the **Value** column for all processes. + 3. Enter each process on its own line under the **Value name** column. See the example table for the different types of process exclusions. Enter **0** in the **Value** column for all processes. 5. Click **OK**. ![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png) - - ### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender). @@ -94,11 +91,11 @@ The format for the cmdlets is: The following are allowed as the \: -Configuration action | PowerShell cmdlet ----|--- -Create or overwrite the list | `Set-MpPreference` -Add to the list | `Add-MpPreference` -Remove items from the list | `Remove-MpPreference` +|Configuration action | PowerShell cmdlet | +|---|---| +|Create or overwrite the list | `Set-MpPreference` | +|Add to the list | `Add-MpPreference` | +|Remove items from the list | `Remove-MpPreference` | >[!IMPORTANT] >If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. @@ -109,7 +106,7 @@ For example, the following code snippet would cause Microsoft Defender AV scans Add-MpPreference -ExclusionProcess "c:\internal\test.exe" ``` -See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Microsoft Defender Antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. +For more information on how to use PowerShell with Microsoft Defender Antivirus, see Manage antivirus with PowerShell cmdlets and [Microsoft Defender Antivirus cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve=true). ### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans @@ -121,33 +118,24 @@ ExclusionProcess The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`. -See the following for more information and allowed parameters: - -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) - - +For more information and allowed parameters, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx). ### Use the Windows Security app to exclude files that have been opened by specified processes from scans See [Add exclusions in the Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions) for instructions. - - ## Use wildcards in the process exclusion list The use of wildcards in the process exclusion list is different from their use in other exclusion lists. -In particular, you cannot use the question mark ? wildcard, and the asterisk \* wildcard can only be used at the end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list. +In particular, you cannot use the question mark (`?`) wildcard, and the asterisk (`*`) wildcard can only be used at the end of a complete path. You can still use environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the process exclusion list. The following table describes how the wildcards can be used in the process exclusion list: -Wildcard | Use | Example use | Example matches ----|---|---|--- -\* (asterisk) | Replaces any number of characters |
      • C:\MyData\\*
      |
      • Any file opened by C:\MyData\file.exe
      -? (question mark) | Not available | \- | \- -Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
      • %ALLUSERSPROFILE%\CustomLogFiles\file.exe
      |
      • Any file opened by C:\ProgramData\CustomLogFiles\file.exe
      - - +|Wildcard | Example use | Example matches | +|:---|:---|:---| +|`*` (asterisk)

      Replaces any number of characters | `C:\MyData\*` | Any file opened by `C:\MyData\file.exe` | +|Environment variables

      The defined variable is populated as a path when the exclusion is evaluated | `%ALLUSERSPROFILE%\CustomLogFiles\file.exe` | Any file opened by `C:\ProgramData\CustomLogFiles\file.exe` | ## Review the list of exclusions diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index 8139e27e9a..a7990f4bca 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -10,8 +10,8 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 01/31/2020 -ms.reviewer: +ms.date: 11/18/2020 +ms.reviewer: jesquive manager: dansimp --- @@ -28,7 +28,7 @@ In addition to standard on-premises or hardware configurations, you can also use See [Windows Virtual Desktop Documentation](https://docs.microsoft.com/azure/virtual-desktop) for more details on Microsoft Remote Desktop Services and VDI support. -For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Defender](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection) topic. +For Azure-based virtual machines, see [Install Endpoint Protection in Azure Defender](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection). With the ability to easily deploy updates to VMs running in VDIs, we've shortened this guide to focus on how you can get updates on your machines quickly and easily. You no longer need to create and seal golden images on a periodic basis, as updates are expanded into their component bits on the host server and then downloaded directly to the VM when it's turned on. @@ -49,7 +49,7 @@ You can also download the whitepaper [Microsoft Defender Antivirus on Virtual De ## Set up a dedicated VDI file share -In Windows 10, version 1903, we introduced the shared security intelligence feature. This offloads the unpackaging of downloaded security intelligence updates onto a host machine — thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with a Group Policy, or PowerShell. +In Windows 10, version 1903, we introduced the shared security intelligence feature, which offloads the unpackaging of downloaded security intelligence updates onto a host machine—thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with a Group Policy, or PowerShell. ### Use Group Policy to enable the shared security intelligence feature: @@ -63,7 +63,7 @@ In Windows 10, version 1903, we introduced the shared security intelligence feat 5. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears. -6. Enter `\\\wdav-update` (for what this will be, see [Download and unpackage](#download-and-unpackage-the-latest-updates)). +6. Enter `\\\wdav-update` (for help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates)). 7. Click **OK**. @@ -81,7 +81,7 @@ See the [Download and unpackage](#download-and-unpackage-the-latest-updates) sec ## Download and unpackage the latest updates -Now you can get started on downloading and installing new updates. We’ve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you’re familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those). +Now you can get started on downloading and installing new updates. We’ve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you’re familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those scripts). ```PowerShell $vdmpathbase = 'c:\wdav-update\{00000000-0000-0000-0000-' @@ -98,7 +98,7 @@ cmd /c "cd $vdmpath & c: & mpam-fe.exe /x" ``` You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs will receive the new update. -We suggest starting with once a day — but you should experiment with increasing or decreasing the frequency to understand the impact. +We suggest starting with once a day—but you should experiment with increasing or decreasing the frequency to understand the impact. Security intelligence packages are typically published once every three to four hours. Setting a frequency shorter than four hours isn’t advised because it will increase the network overhead on your management machine for no benefit. @@ -106,23 +106,25 @@ Security intelligence packages are typically published once every three to four 1. On the management machine, open the Start menu and type **Task Scheduler**. Open it and select **Create task…** on the side panel. -2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Click **New…** Select **Daily** and click **OK**. +2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Select **New…** > **Daily**, and select **OK**. -3. Go to the **Actions** tab. Click **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Click **OK**. +3. Go to the **Actions** tab. Select **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Select **OK**. 4. You can choose to configure additional settings if you wish. -5. Click **OK** to save the scheduled task. +5. Select **OK** to save the scheduled task. You can initiate the update manually by right-clicking on the task and clicking **Run**. ### Download and unpackage manually -If you would prefer to do everything manually, this what you would need to do to replicate the script’s behavior: +If you would prefer to do everything manually, here's what to do to replicate the script’s behavior: 1. Create a new folder on the system root called `wdav_update` to store intelligence updates, for example, create the folder `c:\wdav_update`. -2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}`; for example `c:\wdav_update\{00000000-0000-0000-0000-000000000000}`. +2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}` + +Here's an example: `c:\wdav_update\{00000000-0000-0000-0000-000000000000}` > [!NOTE] > In the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time. @@ -138,74 +140,99 @@ If you would prefer to do everything manually, this what you would need to do to Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-microsoft-defender-antivirus.md). -The start time of the scan itself is still based on the scheduled scan policy — ScheduleDay, ScheduleTime, ScheduleQuickScanTime. Randomization will cause Microsoft Defender AV to start a scan on each machine within a 4 hour window from the time set for the scheduled scan. +The start time of the scan itself is still based on the scheduled scan policy (**ScheduleDay**, **ScheduleTime**, and **ScheduleQuickScanTime**). Randomization will cause Microsoft Defender Antivirus to start a scan on each machine within a 4-hour window from the time set for the scheduled scan. See [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) for other configuration options available for scheduled scans. ## Use quick scans -You can specify the type of scan that should be performed during a scheduled scan. -Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. +You can specify the type of scan that should be performed during a scheduled scan. Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. The following procedure describes how to set up quick scans using Group Policy. -1. Expand the tree to **Windows components > Windows Defender > Scan**. +1. In your Group Policy Editor, go to **Administrative templates** > **Windows components** > **Microsoft Defender Antivirus** > **Scan**. -2. Double-click **Specify the scan type to use for a scheduled scan** and set the option to **Enabled** and **Quick scan**. +2. Select **Specify the scan type to use for a scheduled scan** and then edit the policy setting. -3. Click **OK**. +3. Set the policy to **Enabled**, and then under **Options**, select **Quick scan**. + +4. Select **OK**. + +5. Deploy your Group Policy object as you usually do. ## Prevent notifications -Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Microsoft Defender Antivirus user interface. +Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can lock down the Microsoft Defender Antivirus user interface. The following procedure describes how to suppress notifications with Group Policy. -1. Expand the tree to **Windows components > Windows Defender > Client Interface**. +1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Client Interface**. -2. Double-click **Suppress all notifications** and set the option to **Enabled**. +2. Select **Suppress all notifications** and then edit the policy settings. -3. Click **OK**. +3. Set the policy to **Enabled**, and then select **OK**. -This prevents notifications from Microsoft Defender AV appearing in the action center on Windows 10 when scans or remediation is performed. +4. Deploy your Group Policy object as you usually do. + +Suppressing notifications prevents notifications from Microsoft Defender Antivirus from showing up in the Action Center on Windows 10 when scans are done or remediation actions are taken. However, your security operations team will see the results of the scan in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). + +> [!TIP] +> To open the Action Center on Windows 10, take one of the following steps: +> - On the right end of the taskbar, select the Action Center icon. +> - Press the Windows logo key button + A. +> - On a touchscreen device, swipe in from the right edge of the screen. ## Disable scans after an update -This setting will prevent a scan from occurring after receiving an update. You can apply this when creating the base image if you have also run a quick scan. This prevents the newly updated VM from performing a scan again (as you've already scanned it when you created the base image). +Disabling a scan after an update will prevent a scan from occurring after receiving an update. You can apply this setting when creating the base image if you have also run a quick scan. This way, you can prevent the newly updated VM from performing a scan again (as you've already scanned it when you created the base image). > [!IMPORTANT] > Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image. -1. Expand the tree to **Windows components > Windows Defender > Signature Updates**. +1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**. -2. Double-click **Turn on scan after signature update** and set the option to **Disabled**. +2. Select **Turn on scan after security intelligence update** and then edit the policy setting. -3. Click **OK**. +3. Set the policy to **Disabled**. -This prevents a scan from running immediately after an update. +4. Select **OK**. + +5. Deploy your Group Policy object as you usually do. + +This policy prevents a scan from running immediately after an update. ## Scan VMs that have been offline -1. Expand the tree to **Windows components > Windows Defender > Scan**. +1. In your Group Policy Editor, go to to **Windows components** > **Microsoft Defender Antivirus** > **Scan**. -2. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. +2. Select **Turn on catch-up quick scan** and then edit the policy setting. -3. Click **OK**. +3. Set the policy to **Enabled**. -This forces a scan if the VM has missed two or more consecutive scheduled scans. +4. Select **OK**. + +5. Deploy your Group Policy Object as you usually do. + +This policy forces a scan if the VM has missed two or more consecutive scheduled scans. ## Enable headless UI mode -1. Double-click **Enable headless UI mode** and set the option to **Enabled**. +1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Client Interface**. -2. Click **OK**. +2. Select **Enable headless UI mode** and edit the policy. -This hides the entire Microsoft Defender AV user interface from users. +3. Set the policy to **Enabled**. + +4. Click **OK**. + +5. Deploy your Group Policy Object as you usually do. + +This policy hides the entire Microsoft Defender Antivirus user interface from end users in your organization. ## Exclusions Exclusions can be added, removed, or customized to suit your needs. -For more details, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-exclusions-microsoft-defender-antivirus.md). +For more information, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-exclusions-microsoft-defender-antivirus.md). ## Additional resources -- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( https://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s) +- [Tech Community Blog: Configuring Microsoft Defender Antivirus for non-persistent VDI machines](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/configuring-microsoft-defender-antivirus-for-non-persistent-vdi/ba-p/1489633) - [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS) - [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md index 7e6ac508a9..0d113ddeb4 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Enable cloud-delivered protection in Microsoft Defender Antivirus -description: Enable cloud-delivered protection to benefit from fast and advanced protection features. +title: Turn on cloud-delivered protection in Microsoft Defender Antivirus +description: Turn on cloud-delivered protection to benefit from fast and advanced protection features. keywords: Microsoft Defender Antivirus, antimalware, security, cloud, block at first sight search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -9,16 +9,16 @@ ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb +ms.date: 11/13/2020 ms.reviewer: manager: dansimp ms.custom: nextgen --- -# Enable cloud-delivered protection +# Turn on cloud-delivered protection [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - Microsoft Defender Antivirus @@ -29,55 +29,60 @@ ms.custom: nextgen Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). ![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) -You can enable or disable Microsoft Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. +You can turn Microsoft Defender Antivirus cloud-delivered protection on or off in several ways: + +- Microsoft Intune +- Microsoft Endpoint Configuration Manager +- Group Policy +- PowerShell cmdlets. + + You can also turn it on or off in individual clients with the Windows Security app. See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for an overview of Microsoft Defender Antivirus cloud-delivered protection. -There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-microsoft-defender-antivirus.md) for more details. +For more information about the specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service, see [Configure and validate network connections](configure-network-connections-microsoft-defender-antivirus.md). > [!NOTE] -> In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect. +> In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. For more information on what we collect, see the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839). -## Use Intune to enable cloud-delivered protection +## Use Intune to turn on cloud-delivered protection -1. Sign in to the [Azure portal](https://portal.azure.com). -2. Select **All services > Intune**. -3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). -4. Select **Properties**, select **Settings: Configure**, and then select **Microsoft Defender Antivirus**. +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in. +2. On the **Home** pane, select **Device configuration > Profiles**. +3. Select the **Device restrictions** profile type you want to configure. If you need to create a new **Device restrictions** profile type, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +4. Select **Properties** > **Configuration settings: Edit** > **Microsoft Defender Antivirus**. 5. On the **Cloud-delivered protection** switch, select **Enable**. -6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**. -7. In the **Submit samples consent** dropdown, select one of the following: - - - **Send safe samples automatically** - - **Send all samples automatically** - - >[!NOTE] - > The **Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. - - > [!WARNING] - > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work. - -8. Click **OK** to exit the **Microsoft Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. +6. In the **Prompt users before sample submission** dropdown, select **Send all data automatically**. For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles) -## Use Configuration Manager to enable cloud-delivered protection +## Use Microsoft Endpoint Configuration Manager to turn on cloud-delivered protection -See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in. +2. Choose **Endpoint security** > **Antivirus**. +3. Select an antivirus profile. (If you don't have one yet, or if you want to create a new profile, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +4. Select **Properties**. Then, next to **Configuration settings**, choose **Edit**. +5. Expand **Cloud protection**, and then in the **Cloud-delivered protection level** list, select one of the following: + 1. **High**: Applies a strong level of detection. + 2. **High plus**: Uses the **High** level and applies additional protection measures (may impact client performance). + 3. **Zero tolerance**: Blocks all unknown executables. +6. Select **Review + save**, then choose **Save**. -## Use Group Policy to enable cloud-delivered protection +For more information about configuring Microsoft Endpoint Configuration Manager, see [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service). -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +## Use Group Policy to turn on cloud-delivered protection -2. In the **Group Policy Management Editor** go to **Computer configuration**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. + +2. In the **Group Policy Management Editor**, go to **Computer configuration**. 3. Select **Administrative templates**. 4. Expand the tree to **Windows components > Microsoft Defender Antivirus > MAPS** -5. Double-click **Join Microsoft MAPS**. Ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**. +5. Double-click **Join Microsoft MAPS**. Ensure the option is turned on and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**. -6. Double-click **Send file samples when further analysis is required**. Ensure that the option is set to **Enabled** and that the other options are either of the following: +6. Double-click **Send file samples when further analysis is required**. Ensure that the first option is set to **Enabled** and that the other options are set to either: 1. **Send safe samples** (1) 2. **Send all samples** (3) @@ -88,18 +93,18 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht > [!WARNING] > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work. -7. Click **OK**. +7. Select **OK**. -## Use PowerShell cmdlets to enable cloud-delivered protection +## Use PowerShell cmdlets to turn on cloud-delivered protection -Use the following cmdlets to enable cloud-delivered protection: +The following cmdlets can turn on cloud-delivered protection: ```PowerShell Set-MpPreference -MAPSReporting Advanced Set-MpPreference -SubmitSamplesConsent SendAllSamples ``` -See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus. [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent). +For more information on how to use PowerShell with Microsoft Defender Antivirus, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx). [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent). >[!NOTE] > You can also set **-SubmitSamplesConsent** to `SendSafeSamples` (the default setting), `NeverSend`, or `AlwaysPrompt`. The `SendSafeSamples` setting means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. @@ -107,7 +112,7 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u >[!WARNING] > Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work. -## Use Windows Management Instruction (WMI) to enable cloud-delivered protection +## Use Windows Management Instruction (WMI) to turn on cloud-delivered protection Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn439474(v=vs.85).aspx) class for the following properties: @@ -116,33 +121,31 @@ MAPSReporting SubmitSamplesConsent ``` -See the following for more information and allowed parameters: +For more information about allowed parameters, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) - -## Enable cloud-delivered protection on individual clients with the Windows Security app +## Turn on cloud-delivered protection on individual clients with the Windows Security app > [!NOTE] > If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar, or by searching the start menu for **Defender**. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) 3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. ->[!NOTE] ->If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable. +> [!NOTE] +> If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable. -## Related topics +## Related articles - [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) - [Configure block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) - [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) - [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)] - [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) -- [Utilize Microsoft cloud-delivered protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) +- [Use Microsoft cloud-delivered protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) - [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/mem-antivirus-scan-on-demand.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mem-antivirus-scan-on-demand.png new file mode 100644 index 0000000000..5a8def8136 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/mem-antivirus-scan-on-demand.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 964923be28..567fc845b6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -14,7 +14,7 @@ audience: ITPro author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 11/12/2020 +ms.date: 11/19/2020 --- # Protect security settings with tamper protection @@ -48,7 +48,7 @@ Tamper protection essentially locks Microsoft Defender Antivirus and prevents yo - Changing settings through PowerShell cmdlets - Editing or removing security settings through group policies -Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; this is managed by your security team. +Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; tamper protection is managed by your security team. ### What do you want to do? @@ -72,7 +72,7 @@ Tamper protection doesn't prevent you from viewing your security settings. And, > > Once you’ve made this update, tamper protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors. -If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to do this. +If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to do change security settings, such as tamper protection. 1. Click **Start**, and start typing *Defender*. In the search results, select **Windows Security**. @@ -93,7 +93,7 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal- 1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune: - Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; Intune is included in Microsoft 365 E5.) - - Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.) + - Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/).) - You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above). - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).) @@ -132,7 +132,7 @@ If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release > [!IMPORTANT] > The procedure can be used to extend tamper protection to devices running Windows 10 and Windows Server 2019. Make sure to review the prerequisites and other information in the resources mentioned in this procedure. -If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10 and Windows Server 2019 by using tenant attach. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices. +If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10 and Windows Server 2019 by using a method called *tenant attach*. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices. 1. Set up tenant attach. See [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions). @@ -207,17 +207,6 @@ If you are an organization using [Microsoft Defender for Endpoint](https://www.m Your regular group policy doesn’t apply to tamper protection, and changes to Microsoft Defender Antivirus settings are ignored when tamper protection is on. -> [!NOTE] -> A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Microsoft Defender Antivirus features protected by tamper protection. - -To avoid any potential delays, we recommend that you remove settings that control Microsoft Defender Antivirus related behavior using GPO and allow tamper protection to protect your Microsoft Defender Antivirus settings. - -Some sample Microsoft Defender Antivirus settings: - -- *Turn off real-time protection*
      - Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\\
      - Value `DisableRealtimeMonitoring` = 0 - ### For Microsoft Defender for Endpoint, is configuring tamper protection in Intune targeted to the entire organization only? Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization as well as to specific devices and user groups. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md index 04914ca837..6b709df330 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 11/13/2020 ms.reviewer: manager: dansimp --- @@ -20,49 +20,55 @@ manager: dansimp [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type. - ## Quick scan versus full scan -Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. +Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. -> [!IMPORTANT] -> Microsoft Defender Antivirus runs in the context of the [LocalSystem](https://docs.microsoft.com/windows/win32/services/localsystem-account) account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to the access network share. +> [!IMPORTANT] +> Microsoft Defender Antivirus runs in the context of the [LocalSystem](https://docs.microsoft.com/windows/win32/services/localsystem-account) account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to the access network share. -Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. +Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they're opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. -In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection. +In most instances, a quick scan is adequate to find malware that wasn't picked up by real-time protection. -A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans. +A full scan can be useful on endpoints that have reported a malware threat. The scan can identify if there are any inactive components that require a more thorough clean-up. This is ideal if your organization is running on-demand scans. ->[!NOTE] ->By default, quick scans run on mounted removable devices, such as USB drives. +> [!NOTE] +> By default, quick scans run on mounted removable devices, such as USB drives. -## Use Configuration Manager to run a scan +## Use Microsoft Endpoint Configuration Manager to run a scan -See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using Microsoft Endpoint Configuration Manager (current branch) to run a scan. +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in. +2. Choose **Endpoint security** > **Antivirus**. +3. In the list of tabs, select **Windows 10 unhealthy endpoints**. +4. From the list of actions provided, select **Quick Scan** or **Full Scan**. + +[ ![IMAGE](images/mem-antivirus-scan-on-demand.png) ](images/mem-antivirus-scan-on-demand.png#lightbox) + +> [!TIP] +> For more information about using Microsoft Endpoint Manager to run a scan, see [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers). ## Use the mpcmdrun.exe command-line utility to run a scan Use the following `-scan` parameter: -```DOS +```console mpcmdrun.exe -scan -scantype 1 ``` -See [Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths. + +For more information about how to use the tool and additional parameters, including starting a full scan, or defining paths, see [Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md). ## Use Microsoft Intune to run a scan -1. In Intune, go to **Devices > All Devices** and select the device you want to scan. - -2. Select **...More** and then select **Quick Scan** or **Full Scan**. - +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in. +2. From the sidebar, select **Devices > All Devices** and choose the device you want to scan. +3. Select **...More**. From the options, select **Quick Scan** or **Full Scan**. ## Use the Windows Security app to run a scan @@ -75,15 +81,14 @@ Use the following cmdlet: ```PowerShell Start-MpScan ``` -See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. + +For more information on how to use PowerShell with Microsoft Defender Antivirus, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). ## Use Windows Management Instruction (WMI) to run a scan -Use the [**Start** method of the **MSFT_MpScan**](https://msdn.microsoft.com/library/dn455324(v=vs.85).aspx#methods) class. - -See the following for more information and allowed parameters: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) +Use the [**Start** method](https://docs.microsoft.com/previous-versions/windows/desktop/defender/start-msft-mpscan) of the **MSFT_MpScan** class. +For more information about which parameters are allowed, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md index b3a31baf6d..27c2c2db47 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md @@ -27,7 +27,7 @@ ms.custom: asr ## Is attack surface reduction (ASR) part of Windows? -ASR was originally a feature of the suite of exploit guard features introduced as a major update to Microsoft Defender Antivirus, in Windows 10 version 1709. Microsoft Defender Antivirus is the native antimalware component of Windows. However, the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Microsoft Defender Antivirus exclusions. +ASR was originally a feature of the suite of exploit guard features introduced as a major update to Microsoft Defender Antivirus, in Windows 10, version 1709. Microsoft Defender Antivirus is the native antimalware component of Windows. However, the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Microsoft Defender Antivirus exclusions. ## Do I need to have an enterprise license to run ASR rules? @@ -77,7 +77,7 @@ Keep the rule in audit mode for about 30 days to get a good baseline for how the ## I'm making the switch from a third-party security solution to Defender for Endpoint. Is there an "easy" way to export rules from another security solution to ASR? -In most cases, it's easier and better to start with the baseline recommendations suggested by [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) (Defender for Endpoint) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. +In most cases, it's easier and better to start with the baseline recommendations suggested by [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. The default configuration for most ASR rules, combined with Defender for Endpoint's real-time protection, will protect against a large number of exploits and vulnerabilities. @@ -127,7 +127,7 @@ Because many legitimate processes throughout a typical day will be calling on ls Enabling this rule will not provide additional protection if you have [LSA protection](https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure) enabled as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant. However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to provide equivalent protection against malware that target lsass.exe. -## Related topics +## See also * [Attack surface reduction overview](attack-surface-reduction.md) * [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 0af0c2d391..3e1ede3c5e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -128,6 +128,11 @@ Once completed, you should see onboarded Windows servers in the portal within an After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). +> [!NOTE] +> - For onboarding via Azure Defender for Servers (previously Azure Security Center Standard Edition) to work as expected, the server must have an appropriate workspace and key configured within the Microsoft Monitoring Agent (MMA) settings. +> - Once configured, the appropriate cloud management pack is deployed on the machine and the sensor process (MsSenseS.exe) will be deployed and started. +> - This is also required if the server is configured to use an OMS Gateway server as proxy. + ### Option 3: Onboard Windows servers through Microsoft Endpoint Configuration Manager version 2002 and later You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Configuration Manager version 2002 and later. For more information, see [Microsoft Defender for Endpoint in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection). diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx index ded3b76626..37a6dacbe8 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx and b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md deleted file mode 100644 index b86fec795a..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md +++ /dev/null @@ -1,165 +0,0 @@ ---- -title: Enable Microsoft Defender for Endpoint Insider Device -description: Install and use Microsoft Defender for Endpoint (Mac). -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dansimp -author: dansimp -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint -ms.topic: conceptual ---- - -# Enable Microsoft Defender for Endpoint Insider Device - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - -To get preview features for Mac, you must set up your device to be an "Insider" device as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune). - -> [!IMPORTANT] -> Make sure you have enabled [Microsoft Defender for Endpoint (Mac)](microsoft-defender-atp-mac.md#how-to-install-microsoft-defender-for-endpoint-for-mac), and pay attention to the “earlyPreview” flag. See documentation for [Jamf](mac-install-with-jamf.md), [Intune](mac-install-with-intune.md), and [manual deployment](mac-install-manually.md) instructions. - -## Enable the Insider program with Jamf - -1. Create configuration profile `com.microsoft.wdav.plist` with the following content: - - ```XML - - - - - edr - - earlyPreview - - - - - ``` - -1. From the JAMF console, navigate to  **Computers > Configuration Profiles**, navigate to the configuration profile you'd like to use, then select  **Custom Settings**. - -1. Create an entry with `com.microsoft.wdav` as the preference domain and upload the `.plist` created earlier. - - > [!WARNING] - > You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product - -## Enable the Insider program with Intune - -1. Create configuration profile `com.microsoft.wdav.plist` with the following content: - - ```XML - - - - - PayloadUUID - C4E6A782-0C8D-44AB-A025-EB893987A295 - PayloadType - Configuration - PayloadOrganization - Microsoft - PayloadIdentifier - com.microsoft.wdav - PayloadDisplayName - Microsoft Defender ATP settings - PayloadDescription - Microsoft Defender ATP configuration settings - PayloadVersion - 1 - PayloadEnabled - - PayloadRemovalDisallowed - - PayloadScope - System - PayloadContent - - - PayloadUUID - 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 - PayloadType - com.microsoft.wdav - PayloadOrganization - Microsoft - PayloadIdentifier - com.microsoft.wdav - PayloadDisplayName - Microsoft Defender ATP configuration settings - PayloadDescription - - PayloadVersion - 1 - PayloadEnabled - - edr - - earlyPreview - - - - - - - ``` - -1. Open  **Manage > Device configuration**. Select  **Manage > Profiles > Create Profile**. - -1. Choose a name for the profile. Change  **Platform=macOS**  to  **Profile type=Custom**. Select  **Configure**. - -1. Save the `.plist` created earlier as com.microsoft.wdav.xml. - -1. Enter `com.microsoft.wdav` as the custom configuration profile name. - -1. Open the configuration profile and upload `com.microsoft.wdav.xml`. This file was created in step 1. - -1. Select  **OK**. - -1. Select  **Manage > Assignments**. In the  **Include**  tab, select  **Assign to All Users & All devices**. - - > [!WARNING] - > You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product. - -## Enable the Insider program manually on a single device - -In terminal, run: - -```bash - mdatp --edr --early-preview true -``` - -For versions earlier than 100.78.0, run: - -```bash - mdatp --edr --earlyPreview true -``` - -## Troubleshooting - -### Verify you are running the correct version - -To get the latest version of the Microsoft Defender for Endpoint (Mac), set the Microsoft AutoUpdate to “Fast Ring”. To get “Microsoft AutoUpdate”, download it from [Release history for Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/officeupdates/release-history-microsoft-autoupdate). - -To verify you are running the correct version, run `mdatp --health` on the device. - -* The required version is 100.72.15 or later. -* If the version is not as expected, verify that Microsoft Auto Update is set to automatically download and install updates by running `defaults read com.microsoft.autoupdate2` from the terminal. -* To change update settings, see [Update Office for Mac automatically](https://support.office.com/article/update-office-for-mac-automatically-bfd1e497-c24d-4754-92ab-910a4074d7c1). -* If you are not using Office for Mac, download and run the AutoUpdate tool. - -### A device still does not appear on Microsoft Defender Security Center - -After a successful deployment and onboarding of the correct version, check that the device has connectivity to the cloud service by running `mdatp --connectivity-test`. - -* Check that you enabled the early preview flag. In the terminal, run `mdatp –health` and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”. - -If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation-macos-1015-and-older-versions) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment). diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md index 137fc569cc..55bdffa21c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md @@ -97,8 +97,6 @@ Content-type: application/json "accountSid": "S-1-5-21-72051607-1745760036-109187956-93922", "firstSeen": "2019-12-18T08:02:54Z", "lastSeen": "2020-01-06T08:01:48Z", - "mostPrevalentMachineId": "111153d0c675eaa415b8e5f383c6388bff446c62", - "leastPrevalentMachineId": "111153d0c675eaa415b8e5f383c6388bff446c62", "logonTypes": "Interactive", "logOnMachinesCount": 8, "isDomainAdmin": true, diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-after-exceptions-table.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-after-exceptions-table.png new file mode 100644 index 0000000000..f62d8f66b6 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-after-exceptions-table.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-after-exceptions.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-after-exceptions.png new file mode 100644 index 0000000000..c4ae7c8318 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-after-exceptions.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancel-device-group.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancel-device-group.png new file mode 100644 index 0000000000..3227f3eb0c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancel-device-group.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancel-global-400.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancel-global-400.png new file mode 100644 index 0000000000..31e2ed052f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancel-global-400.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-filter.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-filter.png new file mode 100644 index 0000000000..ebb2c93951 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-filter.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-filter500.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-filter500.png new file mode 100644 index 0000000000..770141ad54 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-filter500.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-500.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-500.png new file mode 100644 index 0000000000..8532d279bc Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-500.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-flyout-400.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-flyout-400.png new file mode 100644 index 0000000000..aa59d18577 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-flyout-400.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-flyout.png new file mode 100644 index 0000000000..92dd636c71 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-flyout.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-hover.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-hover.png new file mode 100644 index 0000000000..64f731a465 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-device-group-hover.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-edit-groups.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-edit-groups.png new file mode 100644 index 0000000000..64cfbd439f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-edit-groups.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-global.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-global.png new file mode 100644 index 0000000000..4cc8e84eeb Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-global.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png deleted file mode 100644 index 15d64d5abd..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-options.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-options.png new file mode 100644 index 0000000000..be0593bb84 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-options.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-permissions.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-permissions.png new file mode 100644 index 0000000000..748b97d6bb Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-permissions.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-tab.png new file mode 100644 index 0000000000..9147d3e4a8 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-tab.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-tab400.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-tab400.png new file mode 100644 index 0000000000..29c6618677 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-tab400.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-view.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-view.png new file mode 100644 index 0000000000..539ed966bb Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-view.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-selected-device-groups.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-selected-device-groups.png new file mode 100644 index 0000000000..d4f3f506e5 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-selected-device-groups.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md index e44fe3a67f..ad2a51ab8f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md @@ -24,26 +24,17 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -> [!IMPORTANT] -> **PUBLIC PREVIEW EDITION** -> -> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability. -> -> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments. +> [!NOTE] +> Defender for Endpoint for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. +## Configure custom indicators -## Configure custom indicators -Defender for Endpoint for iOS enables admins to configure custom indicators on -iOS devices as well. Refer to [Manage -indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) -on how to configure custom indicators +Defender for Endpoint for iOS enables admins to configure custom indicators on iOS devices as well. Refer to [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) on how to configure custom indicators. + +> [!NOTE] +> Defender for Endpoint for iOS supports creating custom indicators only for IP addresses and URLs/domains. ## Web Protection -By default, Defender for Endpoint for iOS includes and enables the web -protection feature. [Web -protection](web-protection-overview.md) helps -to secure devices against web threats and protect users from phishing attacks. ->[!NOTE] ->Defender for Endpoint for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. +By default, Defender for Endpoint for iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md index 31ee7b41b6..361ee24da1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md @@ -1,78 +1,96 @@ --- -title: Microsoft Defender ATP for iOS note on Privacy +title: Privacy information - Microsoft Defender for Endpoint for iOS ms.reviewer: -description: Describes the Microsoft Defender ATP for iOS Privacy -keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope, +description: Describes privacy information for Microsoft Defender for Endpoint for iOS +keywords: microsoft, defender, atp, ios, policy, overview search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: sunasing -author: sunasing +ms.author: macapara +author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual -hideEdit: true --- -# Microsoft Defender ATP for iOS - Privacy information +# Privacy information - Microsoft Defender for Endpoint for iOS **Applies to:** - [Microsoft Defender for Endpoint](microsoft-defender-atp-ios.md) ->[!NOTE] -> Defender for Endpoint for iOS uses a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. Microsoft or your organization **does not see your browsing activity**. +> [!NOTE] +> Defender for Endpoint for iOS uses a VPN to provide the Web Protection feature. This is not a regular VPN and is a local or self-looping VPN that does not take traffic outside the device. **Microsoft or your organization, does not see your browsing activity.** -Defender for Endpoint for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Defender for Endpoint. +Defender for Endpoint for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Defender for Endpoint. The information is collected to help keep Defender for Endpoint for iOS secure, up-to-date, performing as expected, and to support the service. -Information is collected to help keep Defender for Endpoint for iOS secure, up-to-date, performing as expected and to support the service. +For more information about data storage, see [Microsoft Defender for Endpoint data storage and privacy](data-storage-privacy.md). -## Required data +## Required data -Required data consists of data that is necessary to make Defender for Endpoint for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps. Here's a list of the types of data being collected: +Required data consists of data that is necessary to make Defender for Endpoint for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps. -### Web page / Network information +Here is a list of the types of data being collected: -- Connection information -- Protocol type (such as HTTP, HTTPS, etc.) +### Web page or Network information -### Device and account information +- Connection information only when a malicious connection or web page is detected. -- Device information such as date & time, iOS version, CPU info, and Device identifier -- Device identifier is one of the below: - - Wi-Fi adapter MAC address - - Randomly generated globally unique identifier (GUID) +- Protocol type (such as HTTP, HTTPS, etc.) only when a malicious connection or web page is detected. -- Tenant, Device, and User information - - Azure Active Directory (AD) Device ID and Azure User ID: Uniquely identifies the device, User respectively at Azure Active directory. - - Azure tenant ID - GUID that identifies your organization within Azure Active Directory - - Microsoft Defender ATP org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted - - User Principal Name - Email ID of the user +### Device and account information -### Product and service usage data +- Device information such as date & time, iOS version, CPU info, and Device identifier, where Device identifier is one of the following: -- App package info, including name, version, and app upgrade status -- Actions performed in the app -- Crash report logs generated by iOS -- Memory usage data + - Wi-Fi adapter MAC address -## Optional data + - Randomly generated globally unique identifier (GUID) -Optional data includes diagnostic data and feedback data from the client. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. This data is only for diagnostic purposes and is not required for the service itself. +- Tenant, Device, and User information -Optional diagnostic data includes: + - Azure Active Directory (AD) Device ID and Azure User ID - Uniquely identifies the device, User respectively at Azure Active directory. -- App, CPU, and network usage -- Features configured by the admin + - Azure tenant ID - GUID that identifies your organization within Azure Active Directory. -**Feedback Data** is collected through in-app feedback provided by the user. + - Microsoft Defender for Endpoint org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify if there are issues affecting a select set of enterprises and the number of enterprises impacted. + + - User Principal Name - Email ID of the user. + +### Product and service usage data + +The following information is collected only for Microsoft Defender for Endpoint app installed on the device. + +- App package info, including name, version, and app upgrade status. + +- Actions done in the app. + +- Crash report logs generated by iOS. + +- Memory usage data. + +## Optional Data + +Optional data includes diagnostic data and feedback data from the client. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. This data is only for diagnostic purposes and is not required for the service itself. + +Optional diagnostic data includes: + +- App, CPU, and network usage for Defender for Endpoint. + +- Features configured by the admin for Defender for Endpoint. + +Feedback Data is collected through in-app feedback provided by the user. + +- The user's email address, if they choose to provide it. + +- Feedback type (smile, frown, idea) and any feedback comments submitted by the user. + +For more information, see [More on Privacy](https://aka.ms/mdatpiosprivacystatement). -- The user's email address, if they choose to provide it -- Feedback type (smile, frown, idea) and any feedback comments submitted by the user -[More on Privacy](https://aka.ms/mdatpiosprivacystatement) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md new file mode 100644 index 0000000000..fe7f0dbd32 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -0,0 +1,167 @@ +--- +title: How to schedule scans with Microsoft Defender for Endpoint (Linux) +description: Learn how to schedule an automatic scanning time for Microsoft Defender for Endpoint (Linux) to better protect your organization's assets. +keywords: microsoft, defender, atp, linux, scans, antivirus, microsoft defender for endpoint (linux) +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Schedule scans with Microsoft Defender for Endpoint (Linux) + +To run a scan for Linux, see [Supported Commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-resources#supported-commands). + +Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to be able to run scheduled tasks. + +## Pre-requisite + +> [!NOTE] +> To get a list of all the time zones, run the following command: +> `timedatectl list-timezones`
      +> Examples for timezones: +> - `America/Los_Angeles` +> - `America/New_York` +> - `America/Chicago` +> - `America/Denver` + +## To set the Cron job +Use the following commands: + +**To backup crontab entries** + +`sudo crontab -l > /var/tmp/cron_backup_200919.dat` + +> [!NOTE] +> Where 200919 == YRMMDD + +> [!TIP] +> Do this before you edit or remove.
      + +To edit the crontab, and add a new job as a root user:
      +`sudo crontab -e` + +> [!NOTE] +> The default editor is VIM. + +You might see: + +0 * * * * /etc/opt/microsoft/mdatp/logrorate.sh + +Press “Insert” + +Add the following entries: + +CRON_TZ=America/Los_Angeles + +0 2 * * sat /bin/mdatp scan quick > ~/mdatp_cron_job.log + +> [!NOTE] +>In this example, we have set it to 00 minutes, 2 a.m. (hour in 24 hour format), any day of the month, any month, on Saturdays. Meaning it will run Saturdays at 2:00 a.m. Pacific (UTC –8). + +Press “Esc” + +Type “:wq” without the double quotes. + +> [!NOTE] +> w == write, q == quit + +To view your cron jobs, type `sudo crontab -l` + +:::image type="content" source="..\images\linux-mdatp-1.png" alt-text="linux mdatp"::: + +**To inspect cron job runs** + +`sudo grep mdatp /var/log/cron` + +**To inspect the mdatp_cron_job.log** + +`sudo nano mdatp_cron_job.log` + +## For those who use Ansible, Chef, or Puppet + +Use the following commands: +### To set cron jobs in Ansible + +`cron – Manage cron.d and crontab entries` + +See [https://docs.ansible.com/ansible/latest/modules/cron_module.html](https://docs.ansible.com/ansible/latest/modules/cron_module.html) for more information. + +### To set crontabs in Chef +`cron resource` + +See [https://docs.chef.io/resources/cron/](https://docs.chef.io/resources/cron/) for more information. + +### To set cron jobs in Puppet +Resource Type: cron + +See [https://puppet.com/docs/puppet/5.5/types/cron.html](https://puppet.com/docs/puppet/5.5/types/cron.html) for more information. + +Automating with Puppet: Cron jobs and scheduled tasks + +See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/) for more information. + +## Additional information + +**To get help with crontab** + +`man crontab` + +**To get a list of crontab file of the current user** + +`crontab -l` + +**To get a list of crontab file of another user** + +`crontab -u username -l` + +**To backup crontab entries** + +`crontab -l > /var/tmp/cron_backup.dat` + +> [!TIP] +> Do this before you edit or remove.
      + +**To restore crontab entries** + +`crontab /var/tmp/cron_backup.dat` + +**To edit the crontab and add a new job as a root user** + +`sudo crontab -e` + +**To edit the crontab and add a new job** + +`crontab -e` + +**To edit other user’s crontab entries** + +`crontab -u username -e` + +**To remove all crontab entries** + +`crontab -r` + +**To remove other user’s crontab entries** + +`crontab -u username -r` + +**Explanation** + ++—————- minute (values: 0 – 59) (special characters: , – * /)
      +| +————- hour (values: 0 – 23) (special characters: , – * /)
      +| | +———- day of month (values: 1 – 31) (special characters: , – * / L W C)
      +| | | +——- month (values: 1 – 12) (special characters: ,- * / )
      +| | | | +—- day of week (values: 0 – 6) (Sunday=0 or 7) (special characters: , – * / L W C)
      +| | | | |*****command to be executed + + diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md index 960de74bcc..8714aeb2e1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md @@ -97,7 +97,9 @@ Then rerun step 2. 4. If the above steps don’t work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to "permissive" or "disabled" in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details. Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot. -5. Ensure that the daemon has executable permission. +5. If `/opt` directory is a symbolic link, create a bind mount for `/opt/microsoft`. + +6. Ensure that the daemon has executable permission. ```bash ls -l /opt/microsoft/mdatp/sbin/wdavdaemon ``` @@ -110,7 +112,7 @@ Now try restarting the mdatp service using step 2. Revert the configuration chan ``` and retry running step 2. -6. Ensure that the file system containing wdavdaemon isn't mounted with "noexec". +7. Ensure that the file system containing wdavdaemon isn't mounted with "noexec". ## If mdatp service is running, but EICAR text file detection doesn't work diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md index 9b20ff2260..73bb94faf9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md @@ -150,13 +150,13 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender 4. After the certificate is created and installed to your device, run the following command from the Terminal to sign the file: ```bash - $ security cms -S -N "" -i /com.apple.webcontent-filter.mobileconfig -o /com.microsoft.network-extension.signed.mobileconfig + $ security cms -S -N "" -i /com.microsoft.network-extension.mobileconfig -o /com.microsoft.network-extension.signed.mobileconfig ``` For example, if the certificate name is **SigningCertificate** and the signed file is going to be stored in Documents: ```bash - $ security cms -S -N "SigningCertificate" -i ~/Documents/com.apple.webcontent-filter.mobileconfig -o ~/Documents/com.microsoft.network-extension.signed.mobileconfig + $ security cms -S -N "SigningCertificate" -i ~/Documents/com.microsoft.network-extension.mobileconfig -o ~/Documents/com.microsoft.network-extension.signed.mobileconfig ``` 5. From the JAMF portal, navigate to **Configuration Profiles** and click the **Upload** button. Select `com.microsoft.network-extension.signed.mobileconfig` when prompted for the file. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index b40f3ea88c..336b9f1519 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md @@ -27,7 +27,7 @@ ms.topic: conceptual > On macOS 11 (Big Sur), Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [this page](mac-sysext-policies.md). > [!IMPORTANT] -> Extensive testing of MDE (Microsoft Defender for Endpoint) with new system extensions on macOS 11 (Big Sur) revealed an intermittent issue that impacts macOS devices with specific graphic cards models. In rare cases on impacted macOS devices calls into macOS system extensions were seen resulting in kernel panic. Microsoft is actively working with Apple engineering to clarify profile of impacted devices and to address this macOS issue. In the meantime, if you encounter such a kernel panic, please submit a feedback report to Apple through the Feedback Assistant app. +> With the agent version 101.13.75+, we released a change that removed conditions when Microsoft Defender for Endpoint was triggering the macOS Big Sur bug that manifests into a kernel panic. With that change Defender code path should no longer directly facilitate the kernel panic. ## 101.13.75 diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md deleted file mode 100644 index b5143827c8..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md +++ /dev/null @@ -1,92 +0,0 @@ ---- -title: Microsoft Defender ATP for iOS - Privacy information -ms.reviewer: -description: Describes privacy information for Microsoft Defender ATP for iOS -keywords: microsoft, defender, atp, ios, policy, overview -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint -ms.topic: conceptual ---- - -# Privacy information - Microsoft Defender for Endpoint for iOS - -> [!NOTE] -> Defender for Endpoint for iOS uses a VPN to provide the Web Protection feature. This is not a regular VPN and is a local or self-looping VPN that does not take traffic outside the device. **Microsoft or your organization, does not see your browsing activity.** - -Defender for Endpoint for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Defender for Endpoint. The information is collected to help keep Defender for Endpoint for iOS secure, up-to-date, performing as expected, and to support the service. - -For more details about data storage, see [Microsoft Defender for Endpoint data storage and privacy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). - -## Required data - -Required data consists of data that is necessary to make Defender for Endpoint for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps. - -Here is a list of the types of data being collected: - -### Web page or Network information - -- Connection information only when a malicious connection or web page is detected. - -- Protocol type (such as HTTP, HTTPS, etc.) only when a malicious connection or web page is detected. - -### Device and account information - -- Device information such as date & time, iOS version, CPU info, and Device identifier, where Device identifier is one of the following: - - - Wi-Fi adapter MAC address - - - Randomly generated globally unique identifier (GUID) - -- Tenant, Device and User information - - - Azure Active Directory (AD) Device ID and Azure User ID - Uniquely identifies the device, User respectively at Azure Active directory. - - - Azure tenant ID - GUID that identifies your organization within Azure Active Directory. - - - Microsoft Defender ATP org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. - - - User Principal Name – Email ID of the user. - -### Product and service usage data - -The following information is collected only for Microsoft Defender for Endpoint app installed on the device. - -- App package info, including name, version, and app upgrade status. - -- Actions performed in the app. - -- Crash report logs generated by iOS. - -- Memory usage data. - -## Optional Data - -Optional data includes diagnostic data and feedback data from the client. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. This data is only for diagnostic purposes and is not required for the service itself. - -Optional diagnostic data includes: - -- App, CPU, and network usage for Defender for Endpoint. - -- Features configured by the admin for Defender for Endpoint. - -Feedback Data is collected through in-app feedback provided by the user. - -- The user’s email address, if they choose to provide it. - -- Feedback type (smile, frown, idea) and any feedback comments submitted by the user. - -For more information, see [More on Privacy](https://aka.ms/mdatpiosprivacystatement). - - diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md index 46b7669ddf..63eee7a042 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md @@ -24,38 +24,33 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - -> [!IMPORTANT] -> **PUBLIC PREVIEW EDITION** -> -> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability. -> -> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments. - - -The public preview of Defender for Endpoint for iOS will offer protection -against phishing and unsafe network connections from websites, emails, and apps. -All alerts will be available through a single pane of glass in the Microsoft -Defender Security Center. The portal gives security teams a centralized view of threats on +**Microsoft Defender for Endpoint for iOS** will offer protection against phishing and unsafe network connections from websites, emails, and apps. All alerts will be available through a single pane of glass in the Microsoft Defender Security Center. The portal gives security teams a centralized view of threats on iOS devices along with other platforms. +> [!CAUTION] +> Running other third-party endpoint protection products alongside Defender for Endpoint for iOS is likely to cause performance problems and unpredictable system errors. + ## Pre-requisites - **For End Users** -- Defender for Endpoint license assigned to the end user(s) of the app. Refer - [Assign licenses to - users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign) - for instructions on how to assign licenses. +- Microsoft Defender for Endpoint license assigned to the end user(s) of the app. See [Microsoft Defender for Endpoint licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements) + +- Device(s) are [enrolled](https://docs.microsoft.com/mem/intune/user-help/enroll-your-device-in-intune-ios) via the Intune Company Portal app to enforce Intune device compliance policies. This requires the end user to be assigned a Microsoft Intune license. + - Intune Company Portal app can be downloaded from [Apple App Store](https://apps.apple.com/us/app/intune-company-portal/id719171358). + +- For more information on how to assign licenses, see [Assign licenses to users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign). + **For Administrators** - Access to the Microsoft Defender Security Center portal + + > [!NOTE] + > Microsoft Intune is the only supported Mobile Device Management (MDM) solution for deploying Microsoft Defender for Endpoint for iOS. Currently only enrolled devices are supported for enforcing Defender for Endpoint for iOS related device compliance policies in Intune. - Access to [Microsoft Endpoint Manager admin - center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app - to enrolled user groups in your organization + center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app to enrolled user groups in your organization **System Requirements** @@ -64,6 +59,14 @@ iOS devices along with other platforms. - Device is enrolled with Intune Company Portal [app](https://apps.apple.com/us/app/intune-company-portal/id719171358) +> [!NOTE] +> **Microsoft Defender ATP (Microsoft Defender for Endpoint) for iOS is now available on [Apple App Store](https://aka.ms/mdatpiosappstore).** + +## Installation instructions + +Deployment of Microsoft Defender for Endpoint for iOS is via Microsoft Intune (MDM) and both supervised and unsupervised devices are supported. +For more information, see [Deploy Microsoft Defender for Endpoint for iOS](ios-install.md). + ## Resources - Stay informed about upcoming releases by visiting our [blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/iOS) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md index 873df4353b..87dd24a90d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md @@ -92,6 +92,10 @@ If you experience any installation failures, refer to [Troubleshooting installat After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints. +- Audit framework (`auditd`) must be enabled. + >[!NOTE] + > System events captured by rules added to `audit.logs` will add to audit logs and might affect host auditing and upstream collection. Events added by Microsoft Defender for Endopoint for Linux will be tagged with `mdatp` key. + ### Network connections The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them. diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md index 44dd5225e9..e09cef38f1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md @@ -39,7 +39,7 @@ This topic describes how to install, configure, update, and use Defender for End > [!TIP] > If you have any feedback that you would like to share, submit it by opening Microsoft Defender for Endpoint for Mac on your device and navigating to **Help** > **Send feedback**. -To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac devices), configure your macOS device running Microsoft Defender for Endpoint to be an "Insider" device. See [Enable Microsoft Defender for Endpoint Insider Device](endpoint-detection-response-mac-preview.md). +To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac devices), configure your macOS device running Microsoft Defender for Endpoint to be an "Insider" device. ## How to install Microsoft Defender for Endpoint for Mac @@ -69,7 +69,7 @@ The three most recent major releases of macOS are supported. > On macOS 11 (Big Sur), Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [this page](mac-sysext-policies.md). > [!IMPORTANT] -> Extensive testing of MDE (Microsoft Defender for Endpoint) with new system extensions on macOS 11 (Big Sur) revealed an intermittent issue that impacts macOS devices with specific graphic cards models. In rare cases on impacted macOS devices calls into macOS system extensions were seen resulting in kernel panic. Microsoft is actively working with Apple engineering to clarify profile of impacted devices and to address this macOS issue. In the meantime, if you encounter such a kernel panic, please submit a feedback report to Apple through the Feedback Assistant app. +> With the agent version 101.13.75+, we released a change that removed conditions when Microsoft Defender for Endpoint was triggering the macOS Big Sur bug that manifests into a kernel panic. With that change Defender code path should no longer directly facilitate the kernel panic. - 10.15 (Catalina), 10.14 (Mojave), 10.13 (High Sierra) - Disk space: 1GB diff --git a/windows/security/threat-protection/microsoft-defender-atp/non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/non-windows.md index 928c6f6e42..23dd0567e1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/non-windows.md +++ b/windows/security/threat-protection/microsoft-defender-atp/non-windows.md @@ -36,7 +36,7 @@ have committed to building security solutions not just *for* Microsoft, but also heterogenous environments. We're listening to customer feedback and partnering closely with our customers to build solutions that meet their needs. -With Defender for Endpoint, customers benefit from a unified view of all +With Microsoft Defender for Endpoint, customers benefit from a unified view of all threats and alerts in the Microsoft Defender Security Center, across Windows and non-Windows platforms, enabling them to get a full picture of what's happening in their environment, which empowers them to more quickly assess and respond to @@ -44,7 +44,7 @@ threats. ## Microsoft Defender for Endpoint for Mac -Microsoft Defender for Endpoint for Mac offers AV and EDR capabilities for the three +Microsoft Defender for Endpoint for Mac offers antivirus and endpoint detection and response (EDR) capabilities for the three latest released versions of macOS. Customers can deploy and manage the solution through Microsoft Endpoint Manager and Jamf. Just like with Microsoft Office applications on macOS, Microsoft Auto Update is used to manage Microsoft @@ -96,15 +96,15 @@ devices. Microsoft Defender for Endpoint is also available for purchase from a C Solution Provider (CSP). Customers can obtain Microsoft Defender for Endpoint for Mac through a standalone -MDefender for Endpoint license, as part of Microsoft 365 A5/E5, or Microsoft 365 +Microsoft Defender for Endpoint license, as part of Microsoft 365 A5/E5, or Microsoft 365 Security. -Recently announced capabilities of Microsoft Defender for Endpoint for Android and soon -iOS are included in the above mentioned offers as part of the five qualified +Recently announced capabilities of Microsoft Defender for Endpoint for Android and iOS +are included in the above mentioned offers as part of the five qualified devices for eligible licensed users. - Defender for Endpoint for Linux is available through the Defender for Endpoint -for Server SKU that is available for both commercial and education customers. +Defender for Endpoint on Linux is available through the Defender for Endpoint +Server SKU that is available for both commercial and education customers. Please contact your account team or CSP for pricing and additional eligibility requirements. diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md index 0027824386..1c87de1aa1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md @@ -104,12 +104,13 @@ needs.
      In the following section, you'll create a number of configuration policies. First is a configuration policy to select which groups of users or devices will -be onboarded to Defender for Endpoint. +be onboarded to Defender for Endpoint: + +- [Endpoint detection and response](#endpoint-detection-and-response) Then you will continue by creating several -different types of endpoint security policies. +different types of endpoint security policies: -- [Endpoint detection and response](#endpoint-detection-and-response) - [Next-generation protection](#next-generation-protection) - [Attack surface reduction](#attack-surface-reduction--attack-surface-reduction-rules) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md index fe74fafa7c..3af172dba7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md @@ -29,65 +29,112 @@ ms.topic: conceptual >Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -Sometimes, you may not be able to take the remediation steps suggested by a security recommendation. If that is the case, threat and vulnerability management gives you an avenue to create an exception. +As an alternative to a remediation request when a recommendation is not relevant at the moment, you can create exceptions for recommendations. If your organization has device groups, you will be able to scope the exception to specific device groups. Exceptions can either be created for selected device groups, or for all device groups past and present. -When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and no longer shows up in the security recommendations list. +When an exception is created for a recommendation, the recommendation will not be active until the end of the exception duration. The recommendation state will change to **Full exception** or **Partial exception** (by device group). + +## Permissions + +Only users with “exceptions handling” permissions can manage exceptions (including creating or canceling). [Learn more about RBAC roles](user-roles.md). + +![View of exception handling permission.](images/tvm-exception-permissions.png) ## Create an exception -1. Go to the threat and vulnerability management navigation menu in the Microsoft Defender Security Center, and select [**Security recommendations**](tvm-security-recommendation.md). +Select a security recommendation you would like create an exception for, and then select **Exception options** and fill out the form. -2. Select a security recommendation you would like to create an exception for, and then **Exception options**. -![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-option.png) +![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-options.png) -3. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. +### Exception by device group - The following list details the justifications behind the exception options: +Apply the exception to all current device groups or choose specific device groups. Future device groups won't be included in the exception. Device groups that already have an exception will not be displayed in the list. If you only select certain device groups, the recommendation state will change from “active” to “partial exception.” The state will change to “full exception” if you select all the device groups. - - **Third party control** - A third party product or software already addresses this recommendation - - Choosing this justification type will lower your exposure score and increase you secure score because your risk is reduced - - **Alternate mitigation** - An internal tool already addresses this recommendation - - Choosing this justification type will lower your exposure score and increase you secure score because your risk is reduced - - **Risk accepted** - Poses low risk and/or implementing the recommendation is too expensive - - **Planned remediation (grace)** - Already planned but is awaiting execution or authorization +![Showing device group dropdown.](images/tvm-exception-device-group-500.png) -4. Select **Submit**. A confirmation message at the top of the page indicates that the exception has been created. +#### Filtered views -## View your exceptions +If you have filtered by device group on any of the threat and vulnerability management pages, only your filtered device groups will appear as options. -When you file for an exception from the security recommendations page, you create an exception for that security recommendation. You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). +This is the button to filter by device group on any of the threat and vulnerability management pages: -The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab. You can filter your view based on exception justification, type, and status. +![Showing selected device groups filter.](images/tvm-selected-device-groups.png) -![Example of the exception page and filter options.](images/tvm-exception-filters.png) +Exception view with filtered device groups: -### Exception actions and statuses +![Showing filtered device group dropdown.](images/tvm-exception-device-filter500.png) -Once an exception exists, you can cancel it at any time by going to the exception in the **Remediation** page and selecting **Cancel exception**. +#### Large number of device groups -The following statuses will be a part of an exception: +If your organization has more than 20 device groups, select **Edit** next to the filtered device group option. -- **Canceled** - The exception has been canceled and is no longer in effect -- **Expired** - The exception that you've filed is no longer in effect -- **In effect** - The exception that you've filed is in progress +![Showing how to edit large numbers of groups.](images/tvm-exception-edit-groups.png) -### Exception impact on scores +A flyout will appear where you can search and choose device groups you want included. Select the check mark icon below Search to check/uncheck all. -Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Microsoft Secure Score for Devices of your organization in the following manner: +![Showing large device group flyout.](images/tvm-exception-device-group-flyout-400.png) -- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores. -- **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control. -- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Microsoft Secure Score for Devices results out of the exception option that you made. +### Global exceptions -The exception impact shows on both the Security recommendations page column and in the flyout pane. +If you have global administrator permissions (called Microsoft Defender ATP administrator), you will be able to create and cancel a global exception. It affects **all** current and future device groups in your organization, and only a user with similar permission would be able to change it. The recommendation state will change from “active” to “full exception.” -![Screenshot identifying the impact sections which list score impacts in the full page security recommendations table, and the flyout.](images/tvm-exception-impact.png) +![Showing global exception option.](images/tvm-exception-global.png) -### View exceptions in other places +Some things to keep in mind: -Select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard. It will open a filtered view in the **Security recommendations** page of recommendations with an "Exception" status. +- If a recommendation is under global exception, then newly created exceptions for device groups will be suspended until the global exception has expired or been cancelled. After that point, the new device group exceptions will go into effect until they expire. +- If a recommendation already has exceptions for specific device groups and a global exception is created, then the device group exception will be suspended until it expires or the global exception is cancelled before it expires. -![Screenshot of Show exceptions link in the Top security recommendations card in the dashboard.](images/tvm-exception-dashboard.png) +### Justification + +Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. + +The following list details the justifications behind the exception options: + +- **Third party control** - A third party product or software already addresses this recommendation + - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced +- **Alternate mitigation** - An internal tool already addresses this recommendation + - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced +- **Risk accepted** - Poses low risk and/or implementing the recommendation is too expensive +- **Planned remediation (grace)** - Already planned but is awaiting execution or authorization + +## View all exceptions + +Navigate to the **Exceptions** tab in the **Remediation** page. You can filter by justification, type, and status. + + Select an exception to open a flyout with more details. Exceptions per devices group will have a list of every device group the exception covers, which you can export. You can also view the related recommendation or cancel the exception. + + +![Showing the "Exceptions" tab in the Remediation page.](images/tvm-exception-view.png) + + +## How to cancel an exception + +To cancel an exception, navigate to the **Exceptions** tab in the **Remediation** page. Select the exception. To cancel the exception for all device groups, select the **Cancel exception** button. You can also cancel the exception for a specific device group. + +### Cancel the exception for a specific device group + +Select the specific device group to cancel the exception for it. A flyout will appear for the device group, and you can select **Cancel exception**. + +![Showing how to select a specific device group.](images/tvm-exception-device-group-hover.png) + + +### Cancel a global exception + +If it is a global exception, select an exception from the list and then select **Cancel exception** from the flyout. + +![Showing how to cancel the exception for a global exception.](images/tvm-exception-cancel-global-400.png) + +## View impact after exceptions are applied + +In the Security Recommendations page, select **Customize columns** and check the boxes for **Exposed devices (after exceptions)** and **Impact (after exceptions)**. + +![Showing customize columns options.](images/tvm-after-exceptions.png) + +The exposed devices (after exceptions) column shows the remaining devices that are still exposed to vulnerabilities after exceptions are applied. Exception justifications that affect the exposure include ‘third party control’ and ‘alternate mitigation’. Other justifications do not reduce the exposure of a device, and they are still considered exposed. + +The impact (after exceptions) shows remaining impact to exposure score or secure score after exceptions are applied. Exception justifications that affect the scores include ‘third party control’ and ‘alternate mitigation.’ Other justifications do not reduce the exposure of a device, and so the exposure score and secure score do not change. + +![Showing the columns in the table.](images/tvm-after-exceptions-table.png) ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md index 5cd211d354..45f7973943 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md @@ -49,46 +49,6 @@ The exposure score is broken down into the following levels: You can remediate the issues based on prioritized [security recommendations](tvm-security-recommendation.md) to reduce the exposure score. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization. -## How the score is calculated - -The exposure score is continuously calculated on each device in the organization. It is scored & evaluated based on the following categories: - -- **Threats** - external and internal threats such as public exploit code and security alerts -- **Likelihood** - likelihood of the device to get breached given its current security posture -- **Value** - value of the device to the organization given its role and content - -**Device exposure score** = (Threats + Likelihood) x Value - -**Organization exposure score** = Avg (All device exposure scores) taking into account organization value multipliers - -### Threats - -Points are added based on whether the device has any vulnerabilities or misconfigurations, determined by the Common Vulnerability Scoring System (CVSS) base score. - -Further points are added based on: - -- Exploits availability and whether the exploit is verified or ranked -- A threat campaign is linked to the vulnerability or misconfiguration - -### Likelihood - -Points are added based on whether any of the following factors are true: - -- The device is internet facing -- Specific compensating controls are misconfigured -- An exploit attempt is linked directly to a threat spotted in the organization - -### Value - -Points are added based on whether any of the following factors are true for a device: - -- Contains high business impact (HBI) data -- Marked as a High Value Asset (HVA) or serves as an important server role (e.g. AD, DNS) -- Runs a business critical app (BCA) -- Used by a marked high value user (HVU) (e.g. domain admin, CEO) - -If a device is valuable to your organization, it should increase the total organization exposure score. - ## Reduce your threat and vulnerability exposure Lower your threat and vulnerability exposure by remediating [security recommendations](tvm-security-recommendation.md). Make the most impact to your exposure score by remediating the top security recommendations, which can be viewed in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md index 6d0138ffe6..edc7850d76 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md @@ -44,11 +44,13 @@ See [Use Intune to remediate vulnerabilities identified by Microsoft Defender fo 2. Select a security recommendation you would like to request remediation for, and then select **Remediation options**. -3. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. Submitting a remediation request creates a remediation activity item within threat and vulnerability management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices. +3. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. If you choose the "attention required" remediation option, selecting a due date will not be available since there is no specific action. -4. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment. +4. Select **Submit request**. Submitting a remediation request creates a remediation activity item within threat and vulnerability management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices. -5. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request. +5. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment. + +6. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request. If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender for Endpoint](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. @@ -63,6 +65,8 @@ Lower your organization's exposure from vulnerabilities and increase your securi When you submit a remediation request from the Security recommendations page, it kicks-off a remediation activity. A security task is created that can be tracked in the threat and vulnerability management **Remediation** page, and a remediation ticket is created in Microsoft Intune. +If you chose the "attention required" remediation option, there will be no progress bar, ticket status, or due date since there is no actual action we can monitor. + Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete. ![Example of the Remediation page, with a selected remediation activity, and that activity's flyout listing the description, IT service and device management tools, and device remediation progress.](images/remediation_flyouteolsw.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index 43e52983d3..032da734d3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md @@ -95,7 +95,7 @@ From the flyout, you can choose any of the following options: - **Open software page** - Open the software page to get more context on the software and how it's distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and detailed of devices with the software installed, and version distribution. -- [**Remediation options**](tvm-remediation.md) - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address. +- [**Remediation options**](tvm-remediation.md) - Submit a remediation request to open a ticket in Microsoft Intune for your IT administrator to pick up and address. Track the remediation activity in the Remediation page. - [**Exception options**](tvm-exception.md) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue yet. @@ -104,6 +104,144 @@ From the flyout, you can choose any of the following options: ### Investigate changes in device exposure or impact +If there is a large jump in the number of exposed devices, or a sharp increase in the impact on your organization exposure score and configuration score, then that security recommendation is worth investigating. + +1. Select the recommendation and **Open software page** +2. Select the **Event timeline** tab to view all the impactful events related to that software, such as new vulnerabilities or new public exploits. [Learn more about event timeline](threat-and-vuln-mgt-event-timeline.md) +3. Decide how to address the increase or your organization's exposure, such as submitting a remediation request + +## Request remediation + +The threat and vulnerability management capability in Microsoft Defender ATP bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune. + +### Enable Microsoft Intune connection + +To use this capability, enable your Microsoft Intune connections. In the Microsoft Defender Security Center, navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle **On**. + +See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. + +### Remediation request steps + +1. Select a security recommendation you would like to request remediation for, and then select **Remediation options**. + +2. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. Submitting a remediation request creates a remediation activity item within threat and vulnerability management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices. + +3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment. + +4. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request. + +If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. + +>[!NOTE] +>If your request involves remediating more than 10,000 devices, we can only send 10,000 devices for remediation to Intune. + +## File for exception + +As an alternative to a remediation request when a recommendation is not relevant at the moment, you can create exceptions for recommendations. Only users with “exceptions handling” permissions can add exception. [Learn more about RBAC roles](user-roles.md). If your organization has device groups, you will now be able to scope the exception to specific device groups. + +When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state will change to **Full exception** or **Partial exception** (by device group). + +### How to create an exception + +Select a security recommendation you would like create an exception for, and then select **Exception options**. + +![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-options.png) + +Choose the scope and justification, set a date for the exception duration, and submit. To view all your exceptions (current and past), navigate to the [Remediation](tvm-remediation.md) page under the **Threat & Vulnerability Management** menu and select the **Exceptions** tab. + +### Exception scope + +Exceptions can either be created for selected device groups, or for all device groups past and present. + +#### Exception by device group + +Apply the exception to all device groups or choose specific device groups. Device groups that already have an exception will not be displayed in the list. If you only select certain device groups, the recommendation state will change from “active” to “partial exception.” The state will change to “full exception” if you select all the device groups. + +![Showing device group dropdown.](images/tvm-exception-device-group-500.png) + +##### Filtered + +If you have filtered by device group on any of the threat and vulnerability management pages, only your filtered device groups will appear as options. + +Button to filter by device group on any of the threat and vulnerability management pages: + +![Showing selected device groups filter.](images/tvm-selected-device-groups.png) + +Exception view with filtered device groups: + +![Showing filtered device group dropdown.](images/tvm-exception-device-filter500.png) + +##### Large number of device groups + +If your organization has more than 20 device groups, select **Edit** next to the filtered device group option. + +![Showing how to edit large numbers of groups.](images/tvm-exception-edit-groups.png) + +A flyout will appear where you can search and choose device groups you want included. Select the check mark icon below Search to check/uncheck all. + +![Showing large device group flyout.](images/tvm-exception-device-group-flyout-400.png) + +#### Global exceptions + +If you have global administrator permissions (called Microsoft Defender ATP administrator), you will be able to create and cancel a global exception. It affects **all** current and future device groups in your organization, and only a user with similar permission would be able to change it. The recommendation state will change from “active” to “full exception.” + +![Showing global exception option.](images/tvm-exception-global.png) + +Some things to keep in mind: + +- If a recommendation is under global exception, then newly created exceptions for device groups will be suspended until the global exception has expired or been cancelled. After that point, the new device group exceptions will go into effect until they expire. +- If a recommendation already has exceptions for specific device groups and a global exception is created, then the device group exception will be suspended until it expires or the global exception is cancelled before it expires. + +### Justification + +Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. + +The following list details the justifications behind the exception options: + +- **Third party control** - A third party product or software already addresses this recommendation + - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced +- **Alternate mitigation** - An internal tool already addresses this recommendation + - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced +- **Risk accepted** - Poses low risk and/or implementing the recommendation is too expensive +- **Planned remediation (grace)** - Already planned but is awaiting execution or authorization + +### View all exceptions + +Navigate to the **Exceptions** tab in the **Remediation** page. + +![Showing the "Exceptions" tab in the Remediation page.](images/tvm-exception-tab400.png) + +Select an exception to open a flyout with more details. Exceptions per devices group will have a list of every device group the exception covers, which you can Export. You can also view the related recommendation or cancel the exception. + +### How to cancel an exception + +To cancel an exception, navigate to the **Exceptions** tab in the **Remediation** page. Select the exception. + +#### Cancel the exception for a specific device group + +If the exception is per device group, then you will need to select the specific device group to cancel the exception for it. + +![Showing how to select a specific device group.](images/tvm-exception-device-group-hover.png) + +A flyout will appear for the device group, and you can select **Cancel exception**. + +#### Cancel a global exception + +If it is a global exception, select an exception from the list and then select **Cancel exception** from the flyout. + +![Showing how to cancel the exception for a global exception.](images/tvm-exception-cancel-global-400.png) + +### View impact after exceptions are applied + +In the Security Recommendations page, select **Customize columns** and check the boxes for **Exposed devices (after exceptions)** and **Impact (after exceptions)**. + +![Showing customize columns options.](images/tvm-after-exceptions.png) + +The exposed devices (after exceptions) column shows the remaining devices that are still exposed to vulnerabilities after exceptions are applied. Exception justifications that affect the exposure include ‘third party control’ and ‘alternate mitigation’. Other justifications do not reduce the exposure of a device, and they are still considered exposed. + +The impact (after exceptions) shows remaining impact to exposure score or secure score after exceptions are applied. Exception justifications that affect the scores include ‘third party control’ and ‘alternate mitigation.’ Other justifications do not reduce the exposure of a device, and so the exposure score and secure score do not change. + +![Showing the columns in the table.](images/tvm-after-exceptions-table.png) If there is a large jump in the number of exposed devices, or a sharp increase in the impact on your organization exposure score and Microsoft Secure Score for Devices, then that security recommendation is worth investigating. 1. Select the recommendation and **Open software page** diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md index c8bd26da4e..d18b376b49 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md @@ -57,7 +57,7 @@ Select the software that you want to investigate. A flyout panel will open with ### Software that isn't supported -Software that isn't currently supported by threat & vulnerability management is still present in the Software inventory page. Because it is not supported, only limited data will be available. Filter by unsupported software with the "Not available" option in the "Weakness" section. +Software that isn't currently supported by threat & vulnerability management may be present in the Software inventory page. Because it is not supported, only limited data will be available. Filter by unsupported software with the "Not available" option in the "Weakness" section. ![Unsupported software filter.](images/tvm-unsupported-software-filter.png) @@ -66,6 +66,7 @@ The following indicates that a software is not supported: - Weaknesses field shows "Not available" - Exposed devices field shows a dash - Informational text added in side panel and in software page +- The software page won't have the security recommendations, discovered vulnerabilities, or event timeline sections Currently, products without a CPE are not shown in the software inventory page, only in the device level software inventory. diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md index be9573342b..e13fe57c34 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md @@ -84,10 +84,14 @@ Go to the security recommendation page and select a recommendation with a zero-d There will be a link to mitigation options and workarounds if they are available. Workarounds may help reduce the risk posed by this zero-day vulnerability until a patch or security update can be deployed. -Open remediation options and choose the attention type. An "attention required" remediation option is recommended for the zero-day vulnerabilities, since an update hasn't been released yet. If there are older vulnerabilities for this software you wish to remediation, you can override the "attention required" remediation option and choose “update.” +Open remediation options and choose the attention type. An "attention required" remediation option is recommended for the zero-day vulnerabilities, since an update hasn't been released yet. You won't be able to select a due date, since there is no specific action to perform. If there are older vulnerabilities for this software you wish to remediation, you can override the "attention required" remediation option and choose “update.” ![Zero day flyout example of Windows Server 2016 in the security recommendations page.](images/tvm-zero-day-software-flyout-400.png) +## Track zero-day remediation activities + +Go to the threat and vulnerability management [Remediation](tvm-remediation.md) page to view the remediation activity item. If you chose the "attention required" remediation option, there will be no progress bar, ticket status, or due date since there is no actual action we can monitor. You can filter by remediation type, such as "software update" or "attention required," to see all activity items in the same category. + ## Patching zero-day vulnerabilities When a patch is released for the zero-day, the recommendation will be changed to “Update” and a blue label next to it that says “New security update for zero day.” It will no longer consider as a zero-day, the zero-day tag will be removed from all pages. diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index 48024183fa..9f908b83c8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -67,6 +67,8 @@ For more information preview features, see [Preview features](https://docs.micro - [Threat & Vulnerability Management role-based access controls](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
      Use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions. +- [Device health and compliance report](machine-reports.md)
      The device health and compliance report provides high-level information about the devices in your organization. + ## October 2019 - [Indicators for IP addresses, URLs/Domains](manage-indicators.md)
      You can now allow or block URLs/domains using your own threat intelligence. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md index 79a167e2a1..fc7de322fe 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md @@ -33,17 +33,17 @@ As of Windows 10, version 1703, you can use WDAC policies not only to control ap To work with these options, the typical method is to create a policy that only affects plug-ins, add-ins, and modules, then merge it into your 'master' policy (merging is described in the next section). -For example, to create a WDAC policy that allows **addin1.dll** and **addin2.dll** to run in **ERP1.exe**, your organization's enterprise resource planning (ERP) application, run the following commands. Note that in the second command, **+=** is used to add a second rule to the **$rule** variable: +For example, to create a WDAC policy allowing **addin1.dll** and **addin2.dll** to run in **ERP1.exe**, your organization's enterprise resource planning (ERP) application, run the following commands. Note that in the second command, **+=** is used to add a second rule to the **$rule** variable: ```powershell -$rule = New-CIPolicyRule -DriverFilePath '.\ERP1.exe' -Level FileName -AppID '.\temp\addin1.dll' -$rule += New-CIPolicyRule -DriverFilePath '.\ERP1.exe' -Level FileName -AppID '.\temp\addin2.dll' +$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe' +$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe' New-CIPolicy -Rules $rule -FilePath ".\AllowERPAddins.xml" -UserPEs ``` As another example, to create a WDAC policy that blocks **addin3.dll** from running in Microsoft Word, run the following command. You must include the `-Deny` option to block the specified add-ins in the specified application: ```powershell -$rule = New-CIPolicyRule -DriverFilePath '.\winword.exe' -Level FileName -Deny -AppID '.\temp\addin3.dll' +$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin3.dll' -Level FileName -Deny -AppID '.\winword.exe' New-CIPolicy -Rules $rule -FilePath ".\BlockAddins.xml" -UserPEs ``` diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index 16214a5f59..637aa964d9 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md @@ -15,13 +15,10 @@ ms.reviewer: # Windows Sandbox configuration -Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. This feature can be used with Windows 10 build 18342 or later. +Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. This feature can be used with Windows 10 build 18342 or later. Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the `.wsb` file extension. -Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension. To use a configuration file, double-click it to open it in the sandbox. You can also invoke it via the command line as shown here: +A configuration file enables the user to control the following aspects of Windows Sandbox: -**C:\Temp> MyConfigFile.wsb** - - A configuration file enables the user to control the following aspects of Windows Sandbox: - **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use Windows Advanced Rasterization Platform (WARP). - **Networking**: Enable or disable network access within the sandbox. - **Mapped folders**: Share folders from the host with *read* or *write* permissions. Note that exposing host directories may allow malicious software to affect the system or steal data. @@ -33,13 +30,39 @@ Windows Sandbox configuration files are formatted as XML and are associated with - **Clipboard redirection**: Shares the host clipboard with the sandbox so that text and files can be pasted back and forth. - **Memory in MB**: The amount of memory, in megabytes, to assign to the sandbox. -**Keywords, values, and limits** +## Creating a configuration file -**vGPU**: Enables or disables GPU sharing. +To create a simple configuration file: + +1. Open a plain text editor or source code editor (e.g. Notepad, Visual Studio Code, etc.) +2. Insert the following lines: + + ```XML + + + ``` + +3. Add appropriate configuration text between the two lines. For details, see the correct syntax and the examples below. +4. Save the file with the desired name, but make sure its filename extension is `.wsb`. In Notepad, you should enclose the filename and the extension inside double quotation marks, e.g. `"My config file.wsb"`. + +## Using a configuration file + +To use a configuration file, double-click it to start Windows Sandbox according to its settings. You can also invoke it via the command line as shown here: + +```batch +C:\Temp> MyConfigFile.wsb +``` + +## Keywords, values, and limits + +### vGPU + +Enables or disables GPU sharing. `value` Supported values: + - *Enable*: Enables vGPU support in the sandbox. - *Disable*: Disables vGPU support in the sandbox. If this value is set, the sandbox will use software rendering, which may be slower than virtualized GPU. - *Default* This is the default value for vGPU support. Currently this means vGPU is disabled. @@ -47,7 +70,9 @@ Supported values: > [!NOTE] > Enabling virtualized GPU can potentially increase the attack surface of the sandbox. -**Networking**: Enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox. +### Networking + +Enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox. `value` @@ -58,7 +83,9 @@ Supported values: > [!NOTE] > Enabling networking can expose untrusted applications to the internal network. -**Mapped folders**: An array of folders, each representing a location on the host machine that will be shared into the sandbox at the specified path. At this time, relative paths are not supported. If no path is specified, the folder will be mapped to the container user's desktop. +### Mapped folders + +An array of folders, each representing a location on the host machine that will be shared into the sandbox at the specified path. At this time, relative paths are not supported. If no path is specified, the folder will be mapped to the container user's desktop. ```xml @@ -83,7 +110,9 @@ Supported values: > [!NOTE] > Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host. -**Logon command**: Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account. +### Logon command + +Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account. ```xml @@ -96,7 +125,9 @@ Supported values: > [!NOTE] > Although very simple commands will work (such as launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and then executed via the *LogonCommand* directive. -**Audio input**: Enables or disables audio input to the sandbox. +### Audio input + +Enables or disables audio input to the sandbox. `value` @@ -108,7 +139,9 @@ Supported values: > [!NOTE] > There may be security implications of exposing host audio input to the container. -**Video input**: Enables or disables video input to the sandbox. +### Video input + +Enables or disables video input to the sandbox. `value` @@ -120,7 +153,9 @@ Supported values: > [!NOTE] > There may be security implications of exposing host video input to the container. -**Protected client**: Applies additional security settings to the sandbox Remote Desktop client, decreasing its attack surface. +### Protected client + +Applies additional security settings to the sandbox Remote Desktop client, decreasing its attack surface. `value` @@ -132,7 +167,9 @@ Supported values: > [!NOTE] > This setting may restrict the user's ability to copy/paste files in and out of the sandbox. -**Printer redirection**: Enables or disables printer sharing from the host into the sandbox. +### Printer redirection + +Enables or disables printer sharing from the host into the sandbox. `value` @@ -141,7 +178,9 @@ Supported values: - *Disable*: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host. - *Default*: This is the default value for printer redirection support. Currently this means printer redirection is disabled. -**Clipboard redirection**: Enables or disables sharing of the host clipboard with the sandbox. +### Clipboard redirection + +Enables or disables sharing of the host clipboard with the sandbox. `value` @@ -149,16 +188,18 @@ Supported values: - *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted. - *Default*: This is the default value for clipboard redirection. Currently copy/paste between the host and sandbox are permitted under *Default*. -**Memory in MB**: Specifies the amount of memory that the sandbox can use in megabytes (MB). +### Memory in MB + +Specifies the amount of memory that the sandbox can use in megabytes (MB). `value` If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required minimum amount. -***Example 1*** +## Example 1 The following config file can be used to easily test downloaded files inside the sandbox. To achieve this, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started. -*Downloads.wsb* +### Downloads.wsb ```xml @@ -177,7 +218,7 @@ The following config file can be used to easily test downloaded files inside the ``` -***Example 2*** +## Example 2 The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated LogonCommand setup. @@ -185,9 +226,9 @@ Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSC With the Visual Studio Code installer script already mapped into the sandbox, the LogonCommand can reference it. -*VSCodeInstall.cmd* +### VSCodeInstall.cmd -```console +```batch REM Download Visual Studio Code curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Desktop\vscode.exe @@ -195,7 +236,7 @@ REM Install and run Visual Studio Code C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes ``` -*VSCode.wsb* +### VSCode.wsb ```xml

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540

      +

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540

      Version 6.3.9600

      Microsoft Surface Hub MsBignum Cryptographic Implementations #1517

      +

      Microsoft Surface Hub MsBignum Cryptographic Implementations #1517

      Version 10.0.15063.674