Take action: Update Remote Desktop Services on older versions of Windows
Today, we released fixes for a critical wormable, remote code execution vulnerability ( CVE-2019-0708) in Remote Desktop Services—formerly known as Terminal Services. This vulnerability affects Windows 7, Windows Server 2008 R2, and earlier versions of Windows nearing end of support. It does not affect Windows 8, Windows Server 2012, or newer operating systems. While we have not observed attacks exploiting this vulnerability, affected systems should be patched with priority. Here is what you need to know:
Call to action:
@@ -107,7 +110,7 @@ If you are still unable to connect to Windows Update services due to this proble
Driver quality in the Windows ecosystem
Ensuring Windows 10 works great with all the devices and accessories our customers use is a top priority. We work closely with this broad mix of partners to test new drivers, monitor health characteristics over time, and make Windows and our ecosystem more resilient architecturally. Our goal is to ensure that all the updates and drivers we deliver to non-Insider populations are validated and at production quality (including monthly optional releases) before pushing drivers broadly to all. Explore the driver distribution chain and learn how we measure driver quality and prevent conflicts. | December 19, 2018
10:04 AM PT |
Introducing the Modern Desktop podcast series
In this new podcast series, we'll explore the good, the bad, and, yes, the ugly of servicing and delivery for Windows 10 and Office 365 ProPlus. We'll talk about modern desktop management through Enterprise Mobility, security, and cloud-attached and co-managed environments. Listen to the first episode, in which we discuss monthly quality updates fpr Windows 10, the Microsoft 365 Stay Current pilot program, and interview a real customer to see how they ingest monthly updates in their organization. | December 18, 2018
01:00 PM PT |
Measuring Delivery Optimization and its impact to your network
If you've familiarized yourself with the configuration options for Delivery Optimization in Windows 10, and have started to configure the settings you feel will be the best fit for your organization’s network topology, now is the time to see how well those settings are working. This article provides tips on how evaluate performance at the device level or organization level. | December 13, 2018
03:48 PM PT |
- Windows monthly security and quality updates overview
Today’s global cybersecurity threats are both dynamic and sophisticated, and new vulnerabilities are discovered almost every day. We focus on protecting customers from these security threats by providing security updates on a timely basis and with high quality. Find out how how we deliver these critical updates on a massive scale as a key component of our ongoing Windows as a service effort. | December 10, 2018
10:00 AM PT |
+ Windows monthly security and quality updates overview
Today’s global cybersecurity threats are both dynamic and sophisticated, and new vulnerabilities are discovered almost every day. We focus on protecting customers from these security threats by providing security updates on a timely basis and with high quality. Find out how we deliver these critical updates on a massive scale as a key component of our ongoing Windows as a service effort. | December 10, 2018
10:00 AM PT |
LTSC: What is it, and when should it be used?
With the Semi-Annual Channel, devices receive two feature updates per year, and benefit from the best performance, user experience, security, and stability. This servicing option continues to be our recommendation for managing Windows 10 updates; however, we acknowledge that certain devices and use cases (e.g. medical systems and industrial process controllers) dictate that functionality and features don’t change over time. Find out how we designed the Long-Term Servicing Channel (LTSC) with these types of use cases in mind, and what is offered through the LTSC. | November 29, 2018
07:02 PM PT |
Plan for change: Local Experience Packs: What are they and when should you use them?
When we released Windows 10, version 1803, we introduced Local Experience Packs (LXPs), which are modern language packs delivered through the Microsoft Store or Microsoft Store for Business. Learn about the biggest advantage to LXPs, and the retirement of legacy language packs (lp.cab) for all Language Interface Packs (LIP). | November 14, 2018
11:10 AM PT |
Windows 10 Quality approach for a complex ecosystem
While our measurements of quality show improving trends on aggregate for each successive Windows 10 release, if a single customer experiences an issue with any of our updates, we take it seriously. In this blog post, Windows CVP Mike Fortin shares an overview of how we work to continuously improve the quality of Windows and our Windows as a service approach. This blog will be the first in a series of more in-depth explanations of the work we do to deliver quality in our Windows releases. | November 13, 2018
10:00 AM PT |
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index d407ef1215..14b733039f 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -32,14 +32,12 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
- "uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
- "ms.author": "justinha",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.security",
diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
index 65e1e3a384..4981294bac 100644
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@@ -2883,7 +2883,7 @@ This security group was introduced in Windows Server 2012, and it has not chang
Well-Known SID/RID |
-S-1-5-21-<domain>-553 |
+S-1-5-32-<domain>-576 |
Type |
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index f7a788e6f8..d63ee0bd86 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -117,6 +117,74 @@ When enabling the Guest account, only grant limited rights and permissions. For
In addition, the guest user in the Guest account should not be able to view the event logs. After the Guest account is enabled, it is a best practice to monitor the Guest account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.
+## HelpAssistant account (installed with a Remote Assistance session)
+
+
+The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending.
+
+HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it is initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user’s invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service.
+
+**Security considerations**
+
+The SIDs that pertain to the default HelpAssistant account include:
+
+- SID: S-1-5-<domain>-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note that, in Windows Server 2008, Remote Desktop Services are called Terminal Services.
+
+- SID: S-1-5-<domain>-14, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
+
+For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used.
+
+For details about the HelpAssistant account attributes, see the following table.
+
+**HelpAssistant account attributes**
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-<domain>-13 (Terminal Server User), S-1-5-<domain>-14 (Remote Interactive Logon) |
+
+
+Type |
+User |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+Domain Guests
+Guests |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Can be moved out, but we do not recommend it. |
+
+
+Safe to delegate management of this group to non-Service admins? |
+No |
+
+
+
### DefaultAccount
@@ -125,7 +193,7 @@ The DSMA is a well-known user account type.
It is a user neutral account that can be used to run processes that are either multi-user aware or user-agnostic.
The DSMA is disabled by default on the desktop SKUs (full windows SKUs) and WS 2016 with the Desktop.
-The DSMA has a well-known RID of 503. The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: S-1-5-21--503
+The DSMA has a well-known RID of 503. The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: S-1-5-21-\-503
The DSMA is a member of the well-known group **System Managed Accounts Group**, which has a well-known SID of S-1-5-32-581.
@@ -447,7 +515,7 @@ The following table shows the Group Policy settings that are used to deny networ
2. Double-click **Deny log on through Remote Desktop Services**.
- 3. Click **Add User or Group**, type type **Local account and member of Administrators group**, and > **OK**.
+ 3. Click **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**.
8. Link the GPO to the first **Workstations** OU as follows:
diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md
index 576e8b4fd0..d8db3e63d2 100644
--- a/windows/security/identity-protection/access-control/security-identifiers.md
+++ b/windows/security/identity-protection/access-control/security-identifiers.md
@@ -283,6 +283,14 @@ The following table describes changes in SID implementation in the Windows opera
| Most of the operating system files are owned by the TrustedInstaller security identifier (SID)| Windows Server 2008, Windows Vista| The purpose of this change is to prevent a process that is running as an administrator or under the LocalSystem account from automatically replacing the operating system files. |
| Restricted SID checks are implemented| Windows Server 2008, Windows Vista| When restricting SIDs are present, Windows performs two access checks. The first is the normal access check, and the second is the same access check against the restricting SIDs in the token. Both access checks must pass to allow the process to access the object. |
+## Capability SIDs
+
+Capability Security Identifiers (SIDs) are used to uniquely and immutably identify capabilities. Capabilities represent an unforgeable token of authority that grants access to resources (Examples: documents, camera, locations etc...) to Universal Windows Applications. An App that “has” a capability is granted access to the resource the capability is associated with, and one that “does not have” a capability is denied access to the resource.
+
+All Capability SIDs that the operating system is aware of are stored in the Windows Registry in the path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities'. Any Capability SID added to Windows by first or third-party applications will be added to this location.
+
+All Capability SIDs are prefixed by S-1-15-3
+
## See also
- [Access Control Overview](access-control.md)
diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md
index 8713d91370..978d72142a 100644
--- a/windows/security/identity-protection/access-control/special-identities.md
+++ b/windows/security/identity-protection/access-control/special-identities.md
@@ -83,7 +83,7 @@ The special identity groups are described in the following tables:
- [This Organization](#this-organization)
-- [Window Manager\\Window Manager Group](#window-manager-window-manager-group)
+- [Window Manager\\Window Manager Group](#window-managerwindow-manager-group)
## Anonymous Logon
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index 93d0011f35..c67ea0ab51 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -334,7 +334,7 @@ write-host "There are no issuance policies which are not mapped to groups"
Save the script file as set-IssuancePolicyToGroupLink.ps1.
-``` syntax
+```powershell
#######################################
## Parameters to be defined ##
## by the user ##
diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
index 15e3791181..57524af4a3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
+++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
@@ -1,6 +1,6 @@
---
-title: Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments
-description: Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments
+title: Planning an adequate number of Windows Server 2019 Domain Controllers for Windows Hello for Business deployments
+description: Planning an adequate number of Windows Server 2019 Domain Controllers for Windows Hello for Business deployments
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust
ms.prod: w10
ms.mktglfcycl: deploy
@@ -16,34 +16,44 @@ localizationpriority: medium
ms.date: 08/20/2018
ms.reviewer:
---
-# Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments
+# Planning an adequate number of Windows Server 2019 Domain Controllers for Windows Hello for Business deployments
**Applies to**
-- Windows 10, version 1702 or later
+- Windows 10, version 1703 or later
+- Windows Server, versions 2016 and 2019
- Hybrid or On-Premises deployment
- Key trust
+> [!NOTE]
+>There was an issue with key trust on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044).
+
## How many is adequate
-How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2016 includes the KDC AS Requests performance counter. You can use these counters to determine how much of a domain controller's load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication--it remains unchanged.
+
+How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2019 includes the KDC AS Requests performance counter. You can use this counter to determine how much of a domain controller's load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication - it remains unchanged.
-Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers. Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 domain controller.
+
+Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2019 domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers. Therefore, users in a key trust deployment must authenticate to a Windows Server 2019 domain controller.
-Determining an adequate number of Windows Server 2016 domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding the most current version of a domain controller (in this case Windows Server 2016) to a deployment of existing domain controllers (Windows Server 2008R2 or Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario:
+
+Determining an adequate number of Windows Server 2019 domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding the most current version of a domain controller (in this case Windows Server 2019) to a deployment of existing domain controllers (Windows Server 2008R2, Windows Server 2012R2 or Windows Server 2016) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario:
+
Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following:
-The environment changes. The first change includes DC1 upgraded to Windows Server 2016 to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following:
+
+The environment changes. The first change includes DC1 upgraded to Windows Server 2019 to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following:
-The Windows Server 2016 domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of the password authentication. Why? This behavior occurs because domain controllers 2- 10 only support password and certificate trust authentication; only a Windows Server 2016 domain controller supports authentication public key trust authentication. The Windows Server 2016 domain controller understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will be bear more of the authentication load, and easily become overloaded. What if another Windows Server 2016 domain controller is added, but without deploying Windows Hello for Business to anymore clients?
+The Windows Server 2019 domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of the password authentication. Why? This behavior occurs because domain controllers 2 - 10 only support password and certificate trust authentication; only a Windows Server 2019 domain controller supports public key trust authentication. The Windows Server 2019 domain controller understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will bear more of the authentication load, and easily become overloaded. What if another Windows Server 2019 domain controller is added, but without deploying Windows Hello for Business to any more clients?
+
-Upgrading another Windows Server 2016 domain controller distributes the public key trust authentication across two domain controllers--each supporting 50 percent of the load. But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2016 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016, but the number of WHFB clients remains the same.
+Upgrading another Windows Server 2019 domain controller distributes the public key trust authentication across two domain controllers - each supporting 50 percent of the load. But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2019 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2019, but the number of WHFB clients remains the same.
@@ -51,7 +61,7 @@ Domain controllers 1 through 5 now share the public key trust authentication loa
-You'll notice the distribution did not change. Each Windows Server 2016 domain controller handles 20 percent of the public key trust authentication. However, increasing the volume of authentication (by increasing the number of clients) increases the amount of work that is represented by the same 20 percent. In the previous example, 20 percent of public key trust authentication equated to a volume of 20 authentications per domain controller capable of public key trust authentication. However, with upgraded clients, that same 20 percent represents a volume 100 public key trust authentications per public key trust capable domain controller. Also, the distribution of non-public key trust authentication remained at 10 percent, but the volume of password and certificate trust authentication decreased across the older domain controllers.
+You'll notice the distribution did not change. Each Windows Server 2019 domain controller handles 20 percent of the public key trust authentication. However, increasing the volume of authentication (by increasing the number of clients) increases the amount of work that is represented by the same 20 percent. In the previous example, 20 percent of public key trust authentication equated to a volume of 20 authentications per domain controller capable of public key trust authentication. However, with upgraded clients, that same 20 percent represents a volume of 100 public key trust authentications per public key trust capable domain controller. Also, the distribution of non-public key trust authentication remained at 10 percent, but the volume of password and certificate trust authentications decreased across the older domain controllers.
There are several conclusions here:
* Upgrading domain controllers changes the distribution of new authentication, but doesn't change the distribution of older authentication.
@@ -62,6 +72,8 @@ There are several conclusions here:
The preceding was an example to show why it's unrealistic to have a "one-size-fits-all" number to describe what "an adequate amount" means. In the real world, authentication is not evenly distributed across domain controllers.
+
+
## Determining total AS Request load
Each organization needs to have a baseline of the AS request load that occurs in their environment. Windows Server provides the KDC AS Requests performance counter that helps you determine this.
@@ -83,13 +95,15 @@ Add the number of authentications for each domain controller for the median time
Review the distribution of authentication. Hopefully, none of these are above 70 percent. It's always good to reserve some capacity for the unexpected. Also, the primary purposes of a domain controller are to provide authentication and handle Active Directory operations. Identify domain controllers with lower distributions of authentication as potential candidates for the initial domain controller upgrades in conjunction with a reasonable distribution of clients provisioned for Windows Hello for Business.
## Monitoring Authentication
-Using the same methods previously described above, monitor the Kerberos authentication after upgrading a domain controller and your first phase of Windows Hello for Business deployments. Make note of the delta of authentication before and after upgrading the domain controller to Windows Server 2016. This delta is representative of authentication resulting from the first phase of your Windows Hello for Business clients. This gives you a baseline for your environment from which you can form a statement such as
+
+Using the same methods described above, monitor the Kerberos authentication after upgrading a domain controller and your first phase of Windows Hello for Business deployments. Make note of the delta of authentication before and after upgrading the domain controller to Windows Server 2019. This delta is representative of authentication resulting from the first phase of your Windows Hello for Business clients. It gives you a baseline for your environment to where you can form a statement such as:
+
```"Every n Windows Hello for Business clients results in x percentage of key-trust authentication."```
Where _n_ equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. Armed with this information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment.
-Remember, increasing the number of clients changes the volume of authentication distributed across the Windows Server 2016 domain controllers. If there is only one Windows Server 2016 domain controller, there's no distribution and you are simply increasing the volume of authentication for which THAT domain controller is responsible.
+Remember, increasing the number of clients changes the volume of authentication distributed across the Windows Server 2019 domain controllers. If there is only one Windows Server 2019 domain controller, there's no distribution and you are simply increasing the volume of authentication for which THAT domain controller is responsible.
Increasing the number of domain controllers distributes the volume of authentication, but doesn't change it. Therefore, as you add more domain controllers, the burden of authentication, for which each domain controller is responsible, decreases. Upgrading two domain controller changes the distribution to 50 percent. Upgrading three domain controllers changes the distribution to 33 percent, and so on.
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index 3d74e8a3b3..8d6b7d474a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -151,7 +151,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
### Windows Server 2012 or later Domain Controllers
-Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008R2-domain-controllers) section.
+Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008-r2-domain-controllers) section.
Sign-in the federation server with _domain administrator_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm.
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
index ec2e495b92..6865d59384 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
@@ -182,7 +182,7 @@ The User Portal and Mobile Application web services need to communicate with the
1. Open **Active Directory Users and Computers**.
2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**.
-3. In the **New Object – User** dialog box, type **PFWSDK_** in the **First name** and **User logon name** boxes, where ** is the name of the primary MFA server running the Web Services SDK. Click **Next**.
+3. In the **New Object – User** dialog box, type **PFWSDK_\** in the **First name** and **User logon name** boxes, where *\* is the name of the primary MFA server running the Web Services SDK. Click **Next**.
4. Type a strong password and confirm it in the respective boxes. Clear **User must change password at next logon**. Click **Next**. Click **Finish** to create the user account.
#### Add the MFA SDK user account to the Phonefactor Admins group
@@ -192,7 +192,7 @@ Adding the WebServices SDK user account to the Phonefactor Admins group provides
1. Open **Active Directory Users and Computers**.
2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select **Users**. In the content pane. Right-click the **Phonefactor Admins** security group and select Properties.
3. Click the Members tab.
-4. Click **Add**. Click **Object Types..** Type the PFWSDK_ user name in the **Enter the object names to select** box and then click **OK**.
+4. Click **Add**. Click **Object Types..** Type the PFWSDK_\ user name in the **Enter the object names to select** box and then click **OK**.
* The computer account for the primary MFA Server
* The Webservices SDK user account
* Group or user account that will manage the User Portal server.
@@ -507,7 +507,7 @@ Sign in the primary AD FS server with _local administrator_ equivalent credentia
Sign in the primary AD FS server with _local administrator_ equivalent credentials.
-Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file.
+Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **\** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file.
### Run the AD FS Adapter PowerShell cmdlet
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
index c4ffbeb3a0..58616c9d65 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
@@ -27,9 +27,6 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
[Hybrid Azure AD joined in Managed environments](#hybrid-azure-ad-joined-in-managed-environments)
[Hybrid Azure AD joined in Federated environments](#hybrid-azure-ad-joined-in-federated-environments)
-
-
-
## Azure AD joined in Managed environments
@@ -44,7 +41,7 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
|G | The application sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client.|
|H | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the process continues with MDM enrollment.|
-[Return to top](#Windows-Hello-for-Business-and-Device-Registration)
+[Return to top](#windows-hello-for-business-and-device-registration)
## Azure AD joined in Federated environments
@@ -60,7 +57,7 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
|H | The application sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client.|
|I | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the process continues with MDM enrollment.|
-[Return to top](#Windows-Hello-for-Business-and-Device-Registration)
+[Return to top](#windows-hello-for-business-and-device-registration)
## Hybrid Azure AD joined in Managed environments
@@ -75,7 +72,7 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
|G | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then updates the device object in Azure Active Directory and sends the device ID and the device certificate to the client.|
|H | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.|
-[Return to top](#Windows-Hello-for-Business-and-Device-Registration)
+[Return to top](#windows-hello-for-business-and-device-registration)
## Hybrid Azure AD joined in Federated environments
@@ -89,4 +86,4 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
|F | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client. Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.|
|G | If Azure AD Connect device write-back is enabled, Azure AD Connect requests updates from Azure Active Directory at its next synchronization cycle (device write-back is required for hybrid deployment using certificate trust). Azure Active Directory correlates the device object with a matching synchronized computer object. Azure AD Connect receives the device object that includes the object GUID and computer SID and writes the device object to Active Directory.|
-[Return to top](#Windows-Hello-for-Business-and-Device-Registration)
+[Return to top](#windows-hello-for-business-and-device-registration)
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index b11a86b51d..eea5f3c2e7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -74,7 +74,6 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
[Return to top](#windows-hello-for-business-provisioning)
-
## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment
@@ -84,7 +83,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services (or a third party MFA service) provides the second factor of authentication.
The on-premises STS server issues a enterprise token on successful MFA. The application sends the token to Azure Active Directory.
Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
| B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID and a key receipt to the application, which represents the end of user key registration. |
-| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys. |
+| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys. |
| E | The registration authority validates the public key in the certificate request matches a registered key for the user.
If the public key in the certificate is not found in the list of registered public keys, it then validates the key receipt to confirm the key was securely registered with Azure.
After validating the key receipt or public key, the registration authority signs the certificate request using its enrollment agent certificate. |
| F | The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application. |
| G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning. |
@@ -112,7 +111,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA server (or a third party MFA service) provides the second factor of authentication.
The on-premises STS server issues a enterprise DRS token on successful MFA.|
| B| After receiving a EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
|C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.|
-|D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys.|
+|D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys.|
|E | The registration authority validates the public key in the certificate request matches a registered key for the user.
After validating the public key, the registration authority signs the certificate request using its enrollment agent certificate.|
|F |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.|
|G | The application receives the newly issued certificate and installs it into the Personal store of the user. This signals the end of provisioning.|
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
index ca78d68e98..ef7fb31fff 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
@@ -22,9 +22,9 @@ ms.reviewer:
- Windows 10
Windows Hello for Business authentication works through collection of components and infrastructure working together. You can group the infrastructure and components in three categories:
-- [Registration](#Registration)
-- [Provisioning](#Provisioning)
-- [Authentication](#Authentication)
+- [Registration](#registration)
+- [Provisioning](#provisioning)
+- [Authentication](#authentication)
## Registration
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index fbb7791800..24f1ffb00b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -90,7 +90,7 @@ Steps you will perform include:
- [Configure Internet Information Services to host CRL distribution point](#configure-internet-information-services-to-host-crl-distribution-point)
- [Prepare a file share to host the certificate revocation list](#prepare-a-file-share-to-host-the-certificate-revocation-list)
-- [Configure the new CRL distribution point in the issuing certificate authority](#Configure-the-new-crl-distribution-point-in-the-issuing-certificate-authority)
+- [Configure the new CRL distribution point and Publishing location in the issuing certificate authority](#configure-the-new-crl-distribution-point-and-publishing-location-in-the-issuing-certificate-authority)
- [Publish CRL](#publish-a-new-crl)
- [Reissue domain controller certificates](#reissue-domain-controller-certificates)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index 4dc8b49caf..8a74c77ed5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -29,6 +29,9 @@ Your environment is federated and you are ready to configure device registration
> [!IMPORTANT]
> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment.
+>[!TIP]
+>Refer to the [Tutorial: Configure hybrid Azure Active Directory join for federated domains](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-federated-domains) to learn more about setting up Azure Active Directory Connect for a simplified join flow for Azure AD device registration.
+
Use this three-phased approach for configuring device registration.
1. [Configure devices to register in Azure](#configure-azure-for-device-registration)
2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-synchronization)
@@ -42,6 +45,9 @@ Use this three-phased approach for configuring device registration.
>
> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](https://docs.microsoft.com/azure/active-directory/device-management-introduction)
+>[!IMPORTANT]
+> To use hybrid identity with Azure Active Directory and device WriteBack features, you must use the built-in GUI with the [latest updates for ADConnect](https://www.microsoft.com/download/details.aspx?id=47594).
+
## Configure Azure for Device Registration
Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
@@ -66,7 +72,7 @@ To locate the schema master role holder, open and command prompt and type:
-The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role.
+The command should return the name of the domain controller where you need to run adprep.exe. Update the schema locally on the domain controller hosting the Schema master role.
#### Updating the Schema
@@ -130,7 +136,6 @@ If your AD FS farm is not already configured for Device Authentication (you can
The above PSH creates the following objects:
-
- RegisteredDevices container under the AD domain partition
- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration
- Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration
@@ -278,7 +283,8 @@ The definition helps you to verify whether the values are present or if you need
**`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added.
- @RuleName = "Issue account type with the value User when its not a computer"
+ @RuleName = "Issue account type with the value User when it is not a computer"
+
NOT EXISTS(
[
Type == "http://schemas.microsoft.com/ws/2012/01/accounttype",
@@ -473,6 +479,7 @@ The following script helps you with the creation of the issuance transform rules
Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString
+
#### Remarks
- This script appends the rules to the existing rules. Do not run the script twice because the set of rules would be added twice. Make sure that no corresponding rules exist for these claims (under the corresponding conditions) before running the script again.
@@ -512,7 +519,6 @@ For your reference, below is a comprehensive list of the AD DS devices, containe
> [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
-
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 4e0e71aa57..eaf63601ae 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -66,6 +66,9 @@ After a successful key registration, Windows creates a certificate request using
The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
+> [!NOTE]
+> In order for AD FS to verify the key used in the certificate request, it needs to be able to access the https://enterpriseregistration.windows.net endpoint.
+
The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Windows Action Center.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index d3ab610a58..c4d3011a16 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -28,6 +28,9 @@ The Windows Server 2016 Active Directory Federation Server Certificate Registrat
The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate.
+> [!NOTE]
+> In order for AD FS to verify user certificate requests for Windows Hello for Business, it needs to be able to access the https://enterpriseregistration.windows.net endpoint.
+
### Configure the Registration Authority
Sign-in the AD FS server with *Domain Admin* equivalent credentials.
@@ -36,7 +39,7 @@ Sign-in the AD FS server with *Domain Admin* equivalent credentials.
2. Type the following command
```PowerShell
- Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication
+ Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication -WindowsHelloCertificateProxyEnabled $true
```
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index 6e3126b3c7..3a8ba5db87 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -55,7 +55,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
8. Close the console.
-#### Configure Certificate Suspeding for the Domain Controller Authentication (Kerberos) Certificate Template
+#### Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template
Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers--the domain controller certificate template. Later releases provided a new certificate template--the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension.
@@ -77,6 +77,9 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
+>[!NOTE]
+>The Domain Controller Certificate must be present in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store. If you are using a 3rd party CA, this may not be done by default. If the Domain Controller Certificate is not present in the NTAuth store, user authentication will fail.
+
### Enrollment Agent certificate template
Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate life-cycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts.
@@ -183,6 +186,7 @@ Sign-in to the certificate authority or management workstation with _Enterprise
4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window.
5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates.
+
### Section Review
> [!div class="checklist"]
> * Domain Controller certificate template
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index b826287e64..c8c3fee1a5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -29,14 +29,14 @@ Windows Hello for Business involves configuring distributed technologies that ma
* [Active Directory](#active-directory)
* [Public Key Infrastructure](#public-key-infrastructure)
* [Azure Active Directory](#azure-active-directory)
-* [Active Directory Federation Services](#active-directory-federation-services)
+* [Multifactor Authentication Services](#multifactor-authentication-services)
New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your existing environment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) section to prepare your Windows Hello for Business deployment by configuring directory synchronization.
The new installation baseline begins with a basic Active Directory deployment and enterprise PKI.
-## Active Directory ##
+## Active Directory
This document expects you have Active Directory deployed with an _adequate_ number of Windows Server 2016 domain controllers for each site. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting issue, such as Active Directory replication, which is unrelated to activity's goal.
@@ -83,7 +83,7 @@ If you do not have an existing public key infrastructure, please review [Certifi
> * Install the root certificate authority certificate for your organization in the user's trusted root certificate store.
> * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based URL.
-### Section Review ###
+### Section Review
> [!div class="checklist"]
> * Minimum Windows Server 2012 Certificate Authority.
@@ -92,7 +92,7 @@ If you do not have an existing public key infrastructure, please review [Certifi
> * Root certificate authority certificate (Azure AD Joined devices).
> * Highly available certificate revocation list (Azure AD Joined devices).
-## Azure Active Directory ##
+## Azure Active Directory
You’ve prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities.
The next step of the deployment is to follow the [Creating an Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/active-directory-howto-tenant) process to provision an Azure tenant for your organization.
@@ -104,12 +104,13 @@ The next step of the deployment is to follow the [Creating an Azure AD tenant](h
> * Create an Azure Active Directory Tenant.
> * Purchase the appropriate Azure Active Directory subscription or licenses, if necessary.
-## Multifactor Authentication Services ##
+## Multifactor Authentication Services
Windows Hello for Business uses multifactor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multifactor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA or a third-party MFA adapter
Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works.
-### Azure Multi-Factor Authentication (MFA) Cloud ###
+### Azure Multi-Factor Authentication (MFA) Cloud
+
> [!IMPORTANT]
> As long as your users have licenses that include Azure Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are:
> * Azure Multi-Factor Authentication
@@ -118,16 +119,16 @@ Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.co
>
> If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section.
-#### Azure MFA Provider ####
+#### Azure MFA Provider
If your organization uses Azure MFA on a per-consumption model (no licenses), then review the [Create a Multifactor Authentication Provider](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider) section to create an Azure MFA Authentication provider and associate it with your Azure tenant.
-#### Configure Azure MFA Settings ####
+#### Configure Azure MFA Settings
Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings.
-#### Azure MFA User States ####
+#### Azure MFA User States
After you have completed configuring your Azure MFA settings, you want to review configure [User States](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users.
-### Azure MFA via ADFS ###
+### Azure MFA via ADFS
Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the [Configure AD FS 2016 and Azure MFA](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section.
### Section Review
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index 07bcd4e0ba..d1342ab11f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -28,13 +28,14 @@ Hybrid environments are distributed systems that enable organizations to use on-
The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include:
* [Directories](#directories)
-* [Public Key Infrastructure](#public-key-infastructure)
+* [Public Key Infrastructure](#public-key-infrastructure)
* [Directory Synchronization](#directory-synchronization)
-* [Federation](#federation)
+* [Federation](#federation-with-azure)
* [MultiFactor Authentication](#multifactor-authentication)
* [Device Registration](#device-registration)
-## Directories ##
+## Directories
+
Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2.
A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription.
@@ -43,7 +44,7 @@ You can deploy Windows Hello for Business in any environment with Windows Server
Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs.
-### Section Review ###
+### Section Review
> [!div class="checklist"]
> * Active Directory Domain Functional Level
@@ -54,7 +55,7 @@ Review these requirements and those from the Windows Hello for Business planning
-## Public Key Infrastructure ##
+## Public Key Infrastructure
The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller.
Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object.
@@ -65,7 +66,7 @@ The minimum required enterprise certificate authority that can be used with Wind
* Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name).
* The certificate Key Usage section must contain Digital Signature and Key Encipherment.
* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
-* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1).
+* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).
* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name.
* The certificate template must have an extension that has the BMP data value "DomainController".
* The domain controller certificate must be installed in the local computer's certificate store.
@@ -83,7 +84,8 @@ The minimum required enterprise certificate authority that can be used with Wind
-## Directory Synchronization ##
+## Directory Synchronization
+
The two directories used in hybrid deployments must be synchronized. You need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory.
Organizations using older directory synchronization technology, such as DirSync or Azure AD sync need to upgrade to Azure AD Connect.
@@ -96,17 +98,20 @@ Organizations using older directory synchronization technology, such as DirSync
-## Federation with Azure ##
-You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) beginning with Windows Server 2012 R2.
+## Federation with Azure
+
+You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/whatis-phs) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) beginning with Windows Server 2012 R2.
+
+### Section Review
-### Section Review ###
> [!div class="checklist"]
> * Non-federated environments
> * Federated environments
-## Multifactor Authentication ##
+## Multifactor Authentication
+
Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication.
Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD.
@@ -119,17 +124,20 @@ Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Auth
-## Device Registration ##
+## Device Registration
+
Organizations wanting to deploy hybrid key trust need their domain joined devices to register to Azure Active Directory. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory.
-### Section Checklist ###
+### Section Checklist
+
> [!div class="checklist"]
> * Device Registration with Azure Device Registration
-### Next Steps ###
+### Next Steps
+
Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Baseline**.
For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Synchronization**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
index 0c6d6de655..bda944c54a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
@@ -77,6 +77,8 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
+>[!NOTE]
+>The Domain Controller Certificate must be present in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store. If you are using a 3rd party CA, this may not be done by default. If the Domain Controller Certificate is not present in the NTAuth store, user authentication will fail.
### Publish Certificate Templates to a Certificate Authority
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
index 969530cb43..161f924588 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
@@ -67,6 +67,9 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO�**
3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**.
+>[!IMPORTANT]
+>If you don't find options in GPO, you have to load the [PolicyDefinitions folder](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra).
+
### Windows Hello for Business Group Policy
The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index 83bb883504..ba1e004510 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -26,7 +26,7 @@ Windows Hello addresses the following problems with passwords:
- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
- Server breaches can expose symmetric network credentials (passwords).
- Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673).
-- Users can inadvertently expose their passwords due to [phishing attacks](https://go.microsoft.com/fwlink/p/?LinkId=615674).
+- Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/windows/security/threat-protection/intelligence/phishing).
>[!div class="mx-tdBreakAll"]
>| | | |
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index 13cf3b5a0e..0c493ddc5d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -150,7 +150,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
### Windows Server 2016, 2012 R2 or later Domain Controllers
-Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008R2-domain-controllers) section.
+Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008-r2-domain-controllers) section.
Sign-in the federation server with _Domain Admin_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm.
1. Start **Server Manager**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
index fd1a237822..eb46ba61fe 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
@@ -174,7 +174,7 @@ Update the server using Windows Update until the server has no required or optio
#### Configure the IIS Server’s Certificate
-To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-server’s-certificate) section.
+To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-servers-certificate) section.
#### Create WebServices SDK user account
@@ -182,7 +182,7 @@ The User Portal and Mobile Application web services need to communicate with the
1. Open **Active Directory Users and Computers**.
2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**.
-3. In the **New Object – User** dialog box, type **PFWSDK_** in the **First name** and **User logon name** boxes, where ** is the name of the primary MFA server running the Web Services SDK. Click **Next**.
+3. In the **New Object – User** dialog box, type **PFWSDK_\** in the **First name** and **User logon name** boxes, where *\* is the name of the primary MFA server running the Web Services SDK. Click **Next**.
4. Type a strong password and confirm it in the respective boxes. Clear **User must change password at next logon**. Click **Next**. Click **Finish** to create the user account.
#### Add the MFA SDK user account to the Phonefactor Admins group
@@ -192,7 +192,7 @@ Adding the WebServices SDK user account to the Phonefactor Admins group provides
1. Open **Active Directory Users and Computers**.
2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select **Users**. In the content pane. Right-click the **Phonefactors Admin** security group and select Properties.
3. Click the Members tab.
-4. Click **Add**. Click **Object Types..** Type the PFWSDK_ user name in the **Enter the object names to select** box and then click **OK**.
+4. Click **Add**. Click **Object Types..** Type the PFWSDK_\ user name in the **Enter the object names to select** box and then click **OK**.
* The computer account for the primary MFA Server
* The Webservices SDK user account
* Group or user account that will manage the User Portal server.
@@ -507,7 +507,7 @@ Sign in the primary AD FS server with _local administrator_ equivalent credentia
Sign in the primary AD FS server with _local administrator_ equivalent credentials.
-Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file.
+Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **\** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file.
### Run the AD FS Adapter PowerShell cmdlet
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index d7b76ad3f5..cd6424eb47 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -53,9 +53,9 @@ Windows stores biometric data that is used to implement Windows Hello securely o
## The difference between Windows Hello and Windows Hello for Business
-- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it is set up, however it is not backed by asymmetric (public/private key) or certificate-based authentication.
+- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it is set up, but can use a simple password hash depending on an individual's account type. This configuration is referred to as Windows Hello convenience PIN and it is not backed by asymmetric (public/private key) or certificate-based authentication.
-- Windows Hello for Business, which is configured by Group Policy or mobile device management (MDM) policy, uses key-based or certificate-based authentication.
+- **Windows Hello for Business**, which is configured by Group Policy or mobile device management (MDM) policy, always uses key-based or certificate-based authentication. This makes it much more secure than **Windows Hello convenience PIN**.
## Benefits of Windows Hello
@@ -95,7 +95,6 @@ For details, see [How Windows Hello for Business works](hello-how-it-works.md).
Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Windows Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Windows Hello but still use certificates on their domain controllers as a root of trust.
-
## Learn more
[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/en-us/itshowcase/implementing-windows-hello-for-business-at-microsoft)
diff --git a/windows/security/identity-protection/hello-for-business/reset-security-key.md b/windows/security/identity-protection/hello-for-business/reset-security-key.md
index b9cdc2e5ae..0cfc09e68c 100644
--- a/windows/security/identity-protection/hello-for-business/reset-security-key.md
+++ b/windows/security/identity-protection/hello-for-business/reset-security-key.md
@@ -24,7 +24,7 @@ ms.reviewer:
>This operation will wipe everything from your security key and reset it to factory defaults. **All data and credentials will be cleared.**
-A [Microsoft-compatible security key](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key) can be reset via Settings app ( Settings > Accounts > Sign-in options > Security key ).
+A [Microsoft-compatible security key](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key) can be reset via Settings app ( Settings > Accounts > Sign-in options > Security key ).
Follow the instructions in the Settings app and look for specific instructions based on your security key manufacturer below:
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index 10a0b0a26c..33bbc7b730 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -82,7 +82,7 @@ Credential providers must be registered on a computer running Windows, and they
## Smart card subsystem architecture
-Vendors provide smart cards and smart card readers, and in many cases the vendors are different for the smart card and the smart card reader. Drivers for smart card readers are written to the [Personal Computer/Smart Card (PC/SC) standard](https://www.pcscworkgroup.com/). Each smart card must have a Credential Service Provider (CSP) that uses the CryptoAPI interfaces to enable cryptographic operations, and the WinSCard APIs to enable communications with smart card hardware.
+Vendors provide smart cards and smart card readers, and in many cases the vendors are different for the smart card and the smart card reader. Drivers for smart card readers are written to the [Personal Computer/Smart Card (PC/SC) standard](https://www.pcscworkgroup.com/). Each smart card must have a Cryptographic Service Provider (CSP) that uses the CryptoAPI interfaces to enable cryptographic operations, and the WinSCard APIs to enable communications with smart card hardware.
### Base CSP and smart card minidriver architecture
@@ -334,7 +334,7 @@ The following properties are supported in versions of Windows designated in the
### Implications for CSPs in Windows
-Credential Service Providers (CSPs), including custom smart card CSPs, continue to be supported but this approach is not recommended. Using the existing Base CSP and smart card KSP with the smart card minidriver model for smart cards provides significant benefits in terms of performance, and PIN and data caching. One minidriver can be configured to work under CryptoAPI and CNG layers. This provides benefits from enhanced cryptographic support, including elliptic curve cryptography and AES.
+Cryptographic Service Providers (CSPs), including custom smart card CSPs, continue to be supported but this approach is not recommended. Using the existing Base CSP and smart card KSP with the smart card minidriver model for smart cards provides significant benefits in terms of performance, and PIN and data caching. One minidriver can be configured to work under CryptoAPI and CNG layers. This provides benefits from enhanced cryptographic support, including elliptic curve cryptography and AES.
If a smart card is registered by a CSP and a smart card minidriver, the one that was installed most recently will be used to communicate with the smart card.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index 2a808c73fa..e3226ec136 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -1713,7 +1713,7 @@ In **Configure user storage of BitLocker recovery information**, select whether
Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you cannot specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting.
-In **Save BitLocker recovery information to Active Directory Doman Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS.
+In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS.
Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, you can use the **Repair-bde** command-line tool. If you select **Backup recovery password only**, only the recovery password is stored in AD DS.
For more information about the BitLocker repair tool, see [Repair-bde](https://technet.microsoft.com/library/ff829851.aspx).
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index a5e58c1e6b..8dd40cf580 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -101,7 +101,7 @@ To install the role using Windows PowerShell, use the following command:
Install-WindowsFeature WDS-Deployment
```
-You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Doman Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard.
+You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Domain Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard.
### Confirm the WDS Service is running
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index fb326e7977..b89ced627d 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -22,6 +22,10 @@ The ideal for BitLocker management is to eliminate the need for IT admins to set
Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for different types of computers.
+
+>[!IMPORTANT]
+> Microsoft BitLocker Administration and Monitoring (MBAM) capabilities will be offered from [SCCM in on-prem scenarios](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/viewing-mbam-25-reports-for-the-configuration-manager-integration-topology) in the future.
+
## Managing domain-joined computers and moving to cloud
Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx).
@@ -132,8 +136,10 @@ PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpace
+
+
-**Powershell**
+# **PowerShell**
[BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell)
diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
index a251c95b5e..7f618aa9ba 100644
--- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
@@ -43,7 +43,7 @@ It is important to note that this binding to PCR values also includes the hashin
## What happens when PCR banks are switched?
-When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. For the same input, each hash algorithm will return a different cryptographic signature for the same inputs.
+When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Each hash algorithm will return a different cryptographic signature for the same inputs.
As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR banks to SHA-256, the banks wouldn’t match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows 10 will not be able to unseal it if the PCR banks are switched while BitLocker is enabled.
diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md
index c808dfe356..b058f905a9 100644
--- a/windows/security/information-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@@ -70,7 +70,9 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC.
> [!NOTE]
-> TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
+> TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
+
+> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/en-us/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI.
## Discrete, Integrated or Firmware TPM?
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
index 1478ec896f..c3f0286d24 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
@@ -89,11 +89,11 @@ Some things that you can check on the device are:
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
- [Details on the TPM standard](https://www.microsoft.com/en-us/research/project/the-trusted-platform-module-tpm/) (has links to features using TPM)
-- [TPM Base Services Portal](https://docs.microsoft.com/en-us/windows/desktop/TBS/tpm-base-services-portal)
-- [TPM Base Services API](https://docs.microsoft.com/en-us/windows/desktop/api/_tbs/)
+- [TPM Base Services Portal](https://docs.microsoft.com/windows/desktop/TBS/tpm-base-services-portal)
+- [TPM Base Services API](https://docs.microsoft.com/windows/desktop/api/_tbs/)
- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule)
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations)
-- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/en-us/blog/device-provisioning-identity-attestation-with-tpm/)
-- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/en-us/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/)
+- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/blog/device-provisioning-identity-attestation-with-tpm/)
+- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/)
- [Windows 10: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx)
- [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx)
diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
index d251a04493..dff04d8807 100644
--- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
+++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
@@ -165,7 +165,7 @@ Use Windows Event Forwarding to collect and aggregate your WIP audit events. You
2. In the console tree under **Application and Services Logs\Microsoft\Windows**, click **EDP-Audit-Regular** and **EDP-Audit-TCB**.
## Collect WIP audit logs using Azure Monitor
-You can collect audit logs using Azure Monitor. See [Windows event log data sources in Azure Monitor.](https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs)
+You can collect audit logs using Azure Monitor. See [Windows event log data sources in Azure Monitor.](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs)
**To view the WIP events in Azure Monitor**
1. Use an existing or create a new Log Analytics workspace.
@@ -179,7 +179,7 @@ You can collect audit logs using Azure Monitor. See [Windows event log data sour
>[!NOTE]
>If using Windows Events Logs, the event log names can be found under Properties of the event in the Events folder (Application and Services Logs\Microsoft\Windows, click EDP-Audit-Regular and EDP-Audit-TCB).
-3. Download Microsoft [Monitoring Agent](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows#install-the-agent-using-dsc-in-azure-automation).
+3. Download Microsoft [Monitoring Agent](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#install-the-agent-using-dsc-in-azure-automation).
4. To get MSI for Intune installation as stated in the Azure Monitor article, extract: MMASetup-.exe /c /t:
Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary key. More information on Workspace ID and Primary key can be found in **Log Analytics** > **Advanced Settings**.
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index fef2b942c2..47cc545f94 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -565,7 +565,7 @@ After you create and deploy your WIP policy to your employees, Windows begins to
## Choose your optional WIP-related settings
After you've decided where your protected apps can access enterprise data on your network, you can choose optional settings.
-
+
**Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md
index c65af63ce9..6edaaf0f7d 100644
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md
+++ b/windows/security/information-protection/windows-information-protection/wip-learning.md
@@ -1,88 +1,118 @@
----
-title:
-# Fine-tune Windows Information Policy (WIP) with WIP Learning
-description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company.
-ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2
-ms.reviewer:
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP Learning
-ms.prod: w10
-ms.mktglfcycl:
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: dulcemontemayor
-ms.author: dolmont
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 02/26/2019
----
-
-# Fine-tune Windows Information Protection (WIP) with WIP Learning
-**Applies to:**
-
-- Windows 10, version 1703 and later
-- Windows 10 Mobile, version 1703 and later
-
-With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports can be accessed from Microsoft Azure Intune.
-
-The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Block”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly.
-
-In the **Website learning report**, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list.
-
-## Access the WIP Learning reports
-
-1. Open the [Azure portal](http://portal.azure.com/).
-
-1. Click **All services**, type **Intune** in the text box filter, and click the star to add it to **Favorites**.
-
-1. Click **Intune** > **Client apps** > **App protection status** > **Reports**.
-
- 
-
-1. Select either **App learning report for Windows Information Protection** or **Website learning report for Windows Information Protection**.
-
- 
-
-Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies.
-
-## Use the WIP section of Device Health
-
-You can use Device Health to adjust your WIP protection policy. See [Using Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-using#windows-information-protection) to learn more.
-
-If you want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information.
-
-Once you have WIP policies in place, by using the WIP section of Device Health, you can:
-
-- Reduce disruptive prompts by adding rules to allow data sharing from approved apps.
-- Tune WIP rules by confirming that certain apps are allowed or denied by current policy.
-
-## Use Device Health and Intune to adjust WIP protection policy
-
-The information needed for the following steps can be found using Device Health, which you will first have to set up. Learn more about how you can [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor).
-
-1. In **Device Health** click the app you want to add to your policy and copy the publisher information.
-
-2. In Intune, click **App protection policies** and then choose the app policy you want to add an application to.
-
-3. Click **Protected apps**, and then click **Add Apps**.
-
-4. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app).
-
- 
-
-5. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 1 above.
-
- 
-
-6. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**).
-
-7. Copy the name of the executable (for example, snippingtool.exe) and paste it in **FILE** (required).
-
-8. Type the version number of the app into **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny**
-
-When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+---
+title:
+# Fine-tune Windows Information Policy (WIP) with WIP Learning
+description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company.
+ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2
+ms.reviewer:
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP Learning
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: stephow-MSFT
+ms.author: stephow
+manager: laurawi
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 02/26/2019
+---
+
+# Fine-tune Windows Information Protection (WIP) with WIP Learning
+**Applies to:**
+
+- Windows 10, version 1703 and later
+- Windows 10 Mobile, version 1703 and later
+
+With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports can be accessed from Microsoft Azure Intune.
+
+The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Block”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly.
+
+In the **Website learning report**, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list.
+
+## Access the WIP Learning reports
+
+1. Open the [Azure portal](http://portal.azure.com/).
+
+1. Click **All services**, type **Intune** in the text box filter, and click the star to add it to **Favorites**.
+
+1. Click **Intune** > **Client apps** > **App protection status** > **Reports**.
+
+ 
+
+1. Select either **App learning report for Windows Information Protection** or **Website learning report for Windows Information Protection**.
+
+ 
+
+Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies.
+
+## Use the WIP section of Device Health
+
+You can use Device Health to adjust your WIP protection policy. See [Using Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-using#windows-information-protection) to learn more.
+
+If you want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information.
+
+Once you have WIP policies in place, by using the WIP section of Device Health, you can:
+
+- Reduce disruptive prompts by adding rules to allow data sharing from approved apps.
+- Tune WIP rules by confirming that certain apps are allowed or denied by current policy.
+
+## Use Device Health and Intune to adjust WIP protection policy
+
+The information needed for the following steps can be found using Device Health, which you will first have to set up. Learn more about how you can [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor).
+
+1. In **Device Health** click the app you want to add to your policy and copy the **WipAppId**.
+
+ For example, if the app is Google Chrome, the WipAppId is:
+
+ `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108`
+
+ In the steps below, you separate the WipAppId by back slashes into the **PUBLISHER**, **PRODUCT NAME**, and **FILE** fields.
+
+2. In Intune, click **App protection policies** and then choose the app policy you want to add an application to.
+
+3. Click **Protected apps**, and then click **Add Apps**.
+
+4. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app).
+
+ 
+
+5. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 1 above.
+
+ For example, if the WipAppId is
+
+ `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108`
+
+ the text before the first back slash is the publisher:
+
+ `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US`
+
+ 
+
+6. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**).
+
+ For example, if the WipAppId is
+
+ `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108`
+
+ the text between the first and second back slashes is the product name:
+
+ `GOOGLE CHROME`
+
+7. Copy the name of the executable (for example, snippingtool.exe) and paste it in **FILE** (required).
+
+ For example, if the WipAppId is
+
+ `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108`
+
+ the text between the second and third back slashes is the file:
+
+ `CHROME.EXE`
+
+8. Type the version number of the app into **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny**
+
+When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 6b91654209..9535492f02 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -72,6 +72,7 @@
#### [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
##### [Learn about the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md)
+#####[Manage actions related to automated investigation and remediation](microsoft-defender-atp/auto-investigation-action-center.md)
#### [Secure score](microsoft-defender-atp/overview-secure-score.md)
@@ -420,6 +421,11 @@
#### [Troubleshoot Microsoft Defender ATP service issues](microsoft-defender-atp/troubleshoot-mdatp.md)
##### [Check service health](microsoft-defender-atp/service-status.md)
+
+#### [Troubleshoot live response issues]()
+##### [Troubleshoot issues related to live response](microsoft-defender-atp/troubleshoot-live-response.md)
+
+
####Troubleshoot attack surface reduction
##### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md)
##### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md)
@@ -515,7 +521,7 @@
##### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md)
##### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md)
###### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md)
-###### [How to list XML elements in ](auditing/how-to-list-xml-elements-in-eventdata.md)
+###### [How to list XML elements in \](auditing/how-to-list-xml-elements-in-eventdata.md)
###### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
####### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md)
@@ -849,8 +855,8 @@
####### [Event 1105 S: Event log automatic backup.](auditing/event-1105.md)
####### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](auditing/event-1108.md)
###### [Appendix A: Security monitoring recommendations for many audit events](auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md)
-###### [Registry (Global Object Access Auditing) ](auditing/registry-global-object-access-auditing.md)
-###### [File System (Global Object Access Auditing) ](auditing/file-system-global-object-access-auditing.md)
+###### [Registry (Global Object Access Auditing)](auditing/registry-global-object-access-auditing.md)
+###### [File System (Global Object Access Auditing)](auditing/file-system-global-object-access-auditing.md)
@@ -1033,11 +1039,11 @@
##### [Security Compliance Toolkit](windows-security-configuration-framework/security-compliance-toolkit-10.md)
##### [Get support](windows-security-configuration-framework/get-support-for-security-baselines.md)
#### [Windows security configuration framework](windows-security-configuration-framework/windows-security-configuration-framework.md)
-##### [Level 5 enterprise security](windows-security-configuration-framework/level-5-enterprise-security.md)
-##### [Level 4 enterprise high security](windows-security-configuration-framework/level-4-enterprise-high-security.md)
-##### [Level 3 enterprise VIP security](windows-security-configuration-framework/level-3-enterprise-vip-security.md)
-##### [Level 2 enterprise dev/ops workstation](windows-security-configuration-framework/level-2-enterprise-devops-security.md)
-##### [Level 1 enterprise administrator workstation](windows-security-configuration-framework/level-1-enterprise-administrator-security.md)
+##### [Level 1 enterprise basic security](windows-security-configuration-framework/level-1-enterprise-basic-security.md)
+##### [Level 2 enterprise enhanced security](windows-security-configuration-framework/level-2-enterprise-enhanced-security.md)
+##### [Level 3 enterprise high security](windows-security-configuration-framework/level-3-enterprise-high-security.md)
+##### [Level 4 enterprise dev/ops workstation](windows-security-configuration-framework/level-4-enterprise-devops-security.md)
+##### [Level 5 enterprise administrator workstation](windows-security-configuration-framework/level-5-enterprise-administrator-security.md)
### [MBSA removal and alternatives](mbsa-removal-and-guidance.md)
diff --git a/windows/security/threat-protection/auditing/event-4697.md b/windows/security/threat-protection/auditing/event-4697.md
index 72efcaeaae..d454c05905 100644
--- a/windows/security/threat-protection/auditing/event-4697.md
+++ b/windows/security/threat-protection/auditing/event-4697.md
@@ -114,11 +114,11 @@ This event generates when new service was installed in the system.
| 0x2 | File System Driver | A file system driver, which is also a Kernel device driver. |
| 0x8 | Recognizer Driver | A file system driver used during startup to determine the file systems present on the system. |
| 0x10 | Win32 Own Process | A Win32 program that can be started by the Service Controller and that obeys the service control protocol. This type of Win32 service runs in a process by itself (this is the most common). |
-| 0x20 | Win32 Share Process | A Win32 service that can share a process with other Win32 services.
(see: |
-| 0x110 | Interactive Own Process | A service that should be run as a standalone process and can communicate with the desktop.
(see: ) |
+| 0x20 | Win32 Share Process | A Win32 service that can share a process with other Win32 services.
(see: |
+| 0x110 | Interactive Own Process | A service that should be run as a standalone process and can communicate with the desktop.
(see: ) |
| 0x120 | Interactive Share Process | A service that can share address space with other services of the same type and can communicate with the desktop. |
-- **Service Start Type** \[Type = HexInt32\]: The service start type can have one of the following values (see: :
+- **Service Start Type** \[Type = HexInt32\]: The service start type can have one of the following values (see: :
| Value | Service Type | Description |
|-------|---------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------|
diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md
index 41c866e704..74e6e22b45 100644
--- a/windows/security/threat-protection/auditing/event-4768.md
+++ b/windows/security/threat-protection/auditing/event-4768.md
@@ -219,7 +219,7 @@ The most common values:
| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided.
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. |
| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB\_AS\_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way. |
| 0x1A | KDC\_ERR\_SERVER\_NOMATCH | KDC does not know about the requested server | No information. |
-| 0x1B | KDC\_ERR\_SVC\_UNAVAILABLE | KDC is unavailable | No information. |
+| 0x1D | KDC\_ERR\_SVC\_UNAVAILABLE | KDC is unavailable | No information. |
| 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | The authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise. |
| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message. |
| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized.
If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. |
diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md
index 55bc44dda3..9722578bab 100644
--- a/windows/security/threat-protection/auditing/event-5065.md
+++ b/windows/security/threat-protection/auditing/event-5065.md
@@ -20,7 +20,7 @@ ms.author: dansimp
- Windows Server 2016
-This event generates in [BCryptConfigureContext](https://msdn.microsoft.com/es-es/vstudio/aa375379)() function. This is a Cryptographic Next Generation (CNG) function.
+This event generates in [BCryptConfigureContext](https://msdn.microsoft.com/vstudio/aa375379)() function. This is a Cryptographic Next Generation (CNG) function.
This event generates when configuration information was changed for existing CNG context.
diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
index 1ea71b62ad..910939ae7e 100644
--- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
+++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
@@ -161,7 +161,7 @@ For example, this custom profile allows installation and usage of USB devices wi
-Peripherals that are allowed to be installed can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks and allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
+Peripherals that are allowed to be installed can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks and allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
For a SyncML example that allows installation of specific device IDs, see [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdeviceids). To allow specific device classes, see [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdevicesetupclasses).
Allowing installation of specific devices requires also enabling [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings).
diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
index 184de5418f..991a843fa3 100644
--- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
@@ -1,26 +1,26 @@
---
-title: Device Guard is the combination of Windows Defender Application Control and virtualization-based protection of code integrity (Windows 10)
-description: Device Guard consists of both hardware and software system integrity hardening capabilites that can be deployed separately or in combination.
-keywords: virtualization, security, malware
+title: Windows Defender Application Control and virtualization-based protection of code integrity (Windows 10)
+description: Hardware and software system integrity hardening capabilites that can be deployed separately or in combination.
+keywords: virtualization, security, malware, device guard
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
author: dansimp
-ms.date: 09/07/2018
+ms.date: 07/01/2019
ms.reviewer:
manager: dansimp
ms.author: dansimp
---
-# Device Guard: Windows Defender Application Control and virtualization-based protection of code integrity
+# Windows Defender Application Control and virtualization-based protection of code integrity
**Applies to**
- Windows 10
- Windows Server 2016
-Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI).
+Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI).
-Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a very strong protection capability for Windows 10 devices. This combined "configuration state" of configurable code integrity and HVCI has been referred to as Windows Defender Device Guard.
+Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a very strong protection capability for Windows 10 devices.
Using configurable code integrity to restrict devices to only authorized apps has these advantages over other solutions:
@@ -29,28 +29,22 @@ Using configurable code integrity to restrict devices to only authorized apps ha
3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the application control policy.
4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution.
-## (Re-)Introducing Windows Defender Application Control
+## Windows Defender Application Control
-When we originally designed the configuration state that we have referred to as Windows Defender Device Guard, we did so with a specific security promise in mind. Although there were no direct dependencies between the two main OS features of the Device Guard configuration, configurable code integrity and HVCI, we intentionally focused our discussion around the Device Guard lockdown state you achieve when deploying them together.
+When we originally designed this configuration state, we did so with a specific security promise in mind. Although there were no direct dependencies between configurable code integrity and HVCI, we intentionally focused our discussion around the lockdown state you achieve when deploying them together. However, given that HVCI relies on Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use configurable code integrity either.
-However, the use of the term Device Guard to describe this configuration state has unintentionally left an impression for many IT professionals that the two features were inexorably linked and could not be deployed separately.
-Additionally, given that HVCI relies on Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet.
-
-As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use configurable code integrity either.
-But configurable code integrity carries no specific hardware or software requirements other than running Windows 10, which means many IT professionals were wrongly denied the benefits of this powerful application control capability.
+Configurable code integrity carries no specific hardware or software requirements other than running Windows 10, which means many IT professionals were wrongly denied the benefits of this powerful application control capability.
Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable code integrity as a independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control).
We hope this change will help us better communicate options for adopting application control within an organization.
-Does this mean Windows Defender Device Guard configuration state is going away? Not at all. The term Device Guard will continue to be used as a way to describe the fully locked down state achieved through the use of Windows Defender Application Control (WDAC), HVCI, and hardware and firmware security features. It also allows us to work with our OEM partners to identify specifications for devices that are “Device Guard capable” so that our joint customers can easily purchase devices that meet all of the hardware and firmware requirements of the original "Device Guard" locked down scenario for Windows 10 based devices.
-
## Related topics
[Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control)
-[Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender Device Guard](https://channel9.msdn.com/Events/Ignite/2015/BRK2336)
+[Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender](https://channel9.msdn.com/Events/Ignite/2015/BRK2336)
-[Driver compatibility with Windows Defender Device Guard in Windows 10](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10)
+[Driver compatibility with Windows Defender in Windows 10](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10)
[Code integrity](https://technet.microsoft.com/library/dd348642.aspx)
diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md
index 39593c240a..ac3e78109d 100644
--- a/windows/security/threat-protection/fips-140-validation.md
+++ b/windows/security/threat-protection/fips-140-validation.md
@@ -1,172 +1,172 @@
----
-title: FIPS 140 Validation
-description: This topic provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard FIPS 140.
-ms.prod: w10
-audience: ITPro
-author: dulcemontemayor
-ms.author: dolmont
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 04/03/2018
-ms.reviewer:
----
-
-
-# FIPS 140 Validation
-
-On this page
-
- - [Introduction](https://technet.microsoft.com/library/cc750357.aspx#id0eo)
- - [FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#id0ebd)
- - [Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#id0ezd)
- - [Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#id0eve)
- - [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#id0eibac)
- - [FIPS 140 FAQ](https://technet.microsoft.com/library/cc750357.aspx#id0eqcac)
- - [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#id0ewfac)
- - [Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#id0erobg)
-
-Updated: March 2018
-
-
-
-## Introduction
-
-This document provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard, *Federal Information Processing Standard (FIPS) 140 – Security Requirements for Cryptographic Modules* \[FIPS 140\].
-
-### Audience
-
-This document is primarily focused on providing information for three parties:
-
-[Procurement Officer](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_product_validation) – Responsible for verifying that Microsoft products (or even third-party applications) are either FIPS 140 validated or utilize a Microsoft FIPS 140 validated cryptographic module.
-
-[System Integrator](https://technet.microsoft.com/library/cc750357.aspx#_information_for_system) – Responsible for ensuring that Microsoft Products are configured properly to use only FIPS 140 validated cryptographic modules.
-
-[Software Developer](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) – Responsible for building software products that utilize Microsoft FIPS 140 validated cryptographic modules.
-
-### Document Map
-
-This document is broken into seven major sections:
-
-[FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#_fips_140_overview) – Provides an overview of the FIPS 140 standard as well as provides some historical information about the standard.
-
-[Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_product_validation) – Provides information on how Microsoft products are FIPS 140 validated.
-
-[Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#_information_for_system) – Describes how to configure and verify that Microsoft Products are being used in a manner consistent with the product’s FIPS 140 Security Policy.
-
-[Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) – Identifies how developers can leverage the Microsoft FIPS 140 validated cryptographic modules.
-
-[FAQ](https://technet.microsoft.com/library/cc750357.aspx#_fips_140_faq) – Frequently Asked Questions.
-
-[Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) – Explains Microsoft cryptographic architecture and identifies specific modules that are FIPS 140 validated.
-
-[Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#_cryptographic_algorithms) – Lists the cryptographic algorithm, modes, states, key sizes, Windows versions, and corresponding cryptographic algorithm validation certificates.
-
-## FIPS 140 Overview
-
-### FIPS 140 Standard
-
-FIPS 140 is a US government and Canadian government standard that defines a minimum set of the security requirements for products that implement cryptography. This standard is designed for cryptographic modules that are used to secure sensitive but unclassified information. Testing against the FIPS 140 standard is maintained by the Cryptographic Module Validation Program (CMVP), a joint effort between the US National Institute of Standards and Technology (NIST) and the Communications Security Establishment of Canada (CSEC).
-
-The current standard defines four-levels of increasing security, 1 through 4. Most software products (including all Microsoft products) are tested against the Level 1 security requirements.
-
-### Applicability of the FIPS standard
-
-Within the US Federal government, the FIPS 140 standard applies to any security system (whether hardware, firmware, software, or a combination thereof) to be used by agencies for protecting sensitive but unclassified information. Some agencies have expanded its use by requiring that the modules to be procured for secret systems also meet the FIPS 140 requirements.
-
-The FIPS 140 standard has also been used by different standards bodies, specification groups, nations, and private institutions as a requirement or guideline for those products (e.g. – Digital Cinema Systems Specification).
-
-### History of 140-1
-
-FIPS 140-1 is the original working version of the standard made official on January 11, 1994. The standard remained in effect until FIPS 140-2 became mandatory for new products on May 25, 2002.
-
-### FIPS 140-2
-
-FIPS 140-2 is currently the active version of the standard.
-
-### Microsoft FIPS Support Policy
-
-Microsoft actively maintains FIPS 140 validation for its cryptographic modules.
-
-### FIPS Mode of Operation
-
-The common term “FIPS mode” is used in this document and Security Policy documents. When a cryptographic module contains both FIPS-approved and non-FIPS approved security methods, it must have a "FIPS mode of operation" to ensure only FIPS-approved security methods may be used. When a module is in "FIPS mode", a non-FIPS approved method cannot be used instead of a FIPS-approved method.
-
-## Microsoft Product Validation (Information for Procurement Officers and Auditors)
-
-This section provides information for Procurement Officers and Auditors who are responsible for ensuring that Microsoft products with FIPS 140 validated cryptographic modules are used in their organization. The goal of this section is to provide an overview of the Microsoft developed products and modules and explain how the validated cryptographic modules are used.
-
-### Microsoft Product Relationship with CNG and CAPI libraries
-
-Rather than validate individual components and products, Microsoft chooses to validate only the underlying cryptographic modules. Subsequently, many Windows components and Microsoft products are built to rely on the Cryptographic API: Next Generation (CNG) and legacy Cryptographic API (CAPI) FIPS 140 validated cryptographic modules. Windows components and Microsoft products use the documented application programming interfaces (APIs) for each of the modules to access various cryptographic services.
-
-The following list contains some of the Windows components and Microsoft products that rely on FIPS 140 validated cryptographic modules:
-
- - Schannel Security Package
- - Remote Desktop Protocol (RDP) Client
- - Encrypting File System (EFS)
- - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.)
- - BitLocker® Drive Full-volume Encryption
- - IPsec Settings of Windows Firewall
-
-## Information for System Integrators
-
-This section provides information for System Integrators and Auditors who are responsible for deploying Microsoft products in a manner consistent with the product’s FIPS 140 Security Policy.
-
-There are two steps to ensure that Microsoft products operate in FIPS mode:
-
-1. Selecting/Installing FIPS 140 validated cryptographic modules
-2. Setting FIPS local/group security policy flag.
-
-### Step 1 – Selecting/Installing FIPS 140 Validated Cryptographic Modules
-
-Systems Integrators must ensure that all cryptographic modules installed are, in fact, FIPS 140 validated. This can be accomplished by cross-checking the version number of the installed module with the list of validated binaries. The list of validated CAPI binaries is identified in the [CAPI Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_capi_validated_cryptographic) section below and the list of validated CNG binaries is identified in the [CNG Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_cng_validated_cryptographic) section below. There are similar sections for all other validated cryptographic modules.
-
-The version number of the installed binary is found by right-clicking the module file and clicking on the Version or Details tab. Cryptographic modules are stored in the "windows\\system32" or "windows\\system32\\drivers" directory.
-
-### Step 2 – Setting FIPS Local/Group Security Policy Flag
-
-The Windows operating system provides a group (or local) security policy setting, “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”, which is used by many Microsoft products to determine whether to operate in a FIPS-approved mode. When this policy is set, the validated cryptographic modules in Windows will also operate in a FIPS-approved mode.
-
-**Note** – There is no enforcement of the FIPS policy by the operating system or the validated cryptographic modules. Instead, each individual application must check this flag and enforce the Security Policy of the validated cryptographic modules.
-
-#### Instructions on Setting the FIPS Local/Group Security Policy Flag
-
-While there are alternative methods for setting the FIPS local/group security policy flag, the following method is included as a guide to users with Administrative privileges. This description is for the Local Security Policy, but the Group Security Policy may be set in a similar manner.
-
-1. Open the 'Run' menu by pressing the combination 'Windows Key + R'.
-2. Type 'secpol.msc' and press 'Enter' or click the 'Ok' button.
-3. In the Local Security Policy management console window that opens, use the left tab to navigate to the Local Policies -\> Security Options.
-4. Scroll down the right pane and double-click 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'.
-5. In the properties window, select the 'Enabled' option and click the 'Apply' button.
-
-#### Microsoft Components and Products That Utilize FIPS Local/Group Security Policy
-
-The following list details some of the Microsoft components that use the cryptographic functionality implemented by either CNG or legacy CAPI. When the FIPS Local/Group Security Policy is set, the following components will enforce the validated module Security Policy.
-
- - Schannel Security Package
- - Remote Desktop Protocol (RDP) Client
- - Encrypting File System (EFS)
- - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.)
- - BitLocker® Drive Full-volume Encryption
- - IPsec Settings of Windows Firewall
-
-#### Effects of Setting FIPS Local/Group Security Policy Flag
-
-When setting the FIPS local/group security policy flag, the behavior of several Microsoft components and products are affected. The most noticeable difference will be that the components enforcing this setting will only use those algorithms approved or allowed in FIPS mode. The specific changes to the products listed above are:
-
+---
+title: FIPS 140 Validation
+description: This topic provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard FIPS 140.
+ms.prod: w10
+audience: ITPro
+author: dulcemontemayor
+ms.author: dolmont
+manager: dansimp
+ms.collection: M365-identity-device-management
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 04/03/2018
+ms.reviewer:
+---
+
+
+# FIPS 140 Validation
+
+On this page
+
+ - [Introduction](https://technet.microsoft.com/library/cc750357.aspx#id0eo)
+ - [FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#id0ebd)
+ - [Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#id0ezd)
+ - [Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#id0eve)
+ - [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#id0eibac)
+ - [FIPS 140 FAQ](https://technet.microsoft.com/library/cc750357.aspx#id0eqcac)
+ - [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#id0ewfac)
+ - [Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#id0erobg)
+
+Updated: March 2018
+
+
+
+## Introduction
+
+This document provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard, *Federal Information Processing Standard (FIPS) 140 – Security Requirements for Cryptographic Modules* \[FIPS 140\].
+
+### Audience
+
+This document is primarily focused on providing information for three parties:
+
+[Procurement Officer](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_product_validation) – Responsible for verifying that Microsoft products (or even third-party applications) are either FIPS 140 validated or utilize a Microsoft FIPS 140 validated cryptographic module.
+
+[System Integrator](https://technet.microsoft.com/library/cc750357.aspx#_information_for_system) – Responsible for ensuring that Microsoft Products are configured properly to use only FIPS 140 validated cryptographic modules.
+
+[Software Developer](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) – Responsible for building software products that utilize Microsoft FIPS 140 validated cryptographic modules.
+
+### Document Map
+
+This document is broken into seven major sections:
+
+[FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#_fips_140_overview) – Provides an overview of the FIPS 140 standard as well as provides some historical information about the standard.
+
+[Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_product_validation) – Provides information on how Microsoft products are FIPS 140 validated.
+
+[Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#_information_for_system) – Describes how to configure and verify that Microsoft Products are being used in a manner consistent with the product’s FIPS 140 Security Policy.
+
+[Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) – Identifies how developers can leverage the Microsoft FIPS 140 validated cryptographic modules.
+
+[FAQ](https://technet.microsoft.com/library/cc750357.aspx#_fips_140_faq) – Frequently Asked Questions.
+
+[Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) – Explains Microsoft cryptographic architecture and identifies specific modules that are FIPS 140 validated.
+
+[Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#_cryptographic_algorithms) – Lists the cryptographic algorithm, modes, states, key sizes, Windows versions, and corresponding cryptographic algorithm validation certificates.
+
+## FIPS 140 Overview
+
+### FIPS 140 Standard
+
+FIPS 140 is a US government and Canadian government standard that defines a minimum set of the security requirements for products that implement cryptography. This standard is designed for cryptographic modules that are used to secure sensitive but unclassified information. Testing against the FIPS 140 standard is maintained by the Cryptographic Module Validation Program (CMVP), a joint effort between the US National Institute of Standards and Technology (NIST) and the Communications Security Establishment of Canada (CSEC).
+
+The current standard defines four-levels of increasing security, 1 through 4. Most software products (including all Microsoft products) are tested against the Level 1 security requirements.
+
+### Applicability of the FIPS standard
+
+Within the US Federal government, the FIPS 140 standard applies to any security system (whether hardware, firmware, software, or a combination thereof) to be used by agencies for protecting sensitive but unclassified information. Some agencies have expanded its use by requiring that the modules to be procured for secret systems also meet the FIPS 140 requirements.
+
+The FIPS 140 standard has also been used by different standards bodies, specification groups, nations, and private institutions as a requirement or guideline for those products (e.g. – Digital Cinema Systems Specification).
+
+### History of 140-1
+
+FIPS 140-1 is the original working version of the standard made official on January 11, 1994. The standard remained in effect until FIPS 140-2 became mandatory for new products on May 25, 2002.
+
+### FIPS 140-2
+
+FIPS 140-2 is currently the active version of the standard.
+
+### Microsoft FIPS Support Policy
+
+Microsoft actively maintains FIPS 140 validation for its cryptographic modules.
+
+### FIPS Mode of Operation
+
+The common term “FIPS mode” is used in this document and Security Policy documents. When a cryptographic module contains both FIPS-approved and non-FIPS approved security methods, it must have a "FIPS mode of operation" to ensure only FIPS-approved security methods may be used. When a module is in "FIPS mode", a non-FIPS approved method cannot be used instead of a FIPS-approved method.
+
+## Microsoft Product Validation (Information for Procurement Officers and Auditors)
+
+This section provides information for Procurement Officers and Auditors who are responsible for ensuring that Microsoft products with FIPS 140 validated cryptographic modules are used in their organization. The goal of this section is to provide an overview of the Microsoft developed products and modules and explain how the validated cryptographic modules are used.
+
+### Microsoft Product Relationship with CNG and CAPI libraries
+
+Rather than validate individual components and products, Microsoft chooses to validate only the underlying cryptographic modules. Subsequently, many Windows components and Microsoft products are built to rely on the Cryptographic API: Next Generation (CNG) and legacy Cryptographic API (CAPI) FIPS 140 validated cryptographic modules. Windows components and Microsoft products use the documented application programming interfaces (APIs) for each of the modules to access various cryptographic services.
+
+The following list contains some of the Windows components and Microsoft products that rely on FIPS 140 validated cryptographic modules:
+
+ - Schannel Security Package
+ - Remote Desktop Protocol (RDP) Client
+ - Encrypting File System (EFS)
+ - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.)
+ - BitLocker® Drive Full-volume Encryption
+ - IPsec Settings of Windows Firewall
+
+## Information for System Integrators
+
+This section provides information for System Integrators and Auditors who are responsible for deploying Microsoft products in a manner consistent with the product’s FIPS 140 Security Policy.
+
+There are two steps to ensure that Microsoft products operate in FIPS mode:
+
+1. Selecting/Installing FIPS 140 validated cryptographic modules
+2. Setting FIPS local/group security policy flag.
+
+### Step 1 – Selecting/Installing FIPS 140 Validated Cryptographic Modules
+
+Systems Integrators must ensure that all cryptographic modules installed are, in fact, FIPS 140 validated. This can be accomplished by cross-checking the version number of the installed module with the list of validated binaries. The list of validated CAPI binaries is identified in the [CAPI Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_capi_validated_cryptographic) section below and the list of validated CNG binaries is identified in the [CNG Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_cng_validated_cryptographic) section below. There are similar sections for all other validated cryptographic modules.
+
+The version number of the installed binary is found by right-clicking the module file and clicking on the Version or Details tab. Cryptographic modules are stored in the "windows\\system32" or "windows\\system32\\drivers" directory.
+
+### Step 2 – Setting FIPS Local/Group Security Policy Flag
+
+The Windows operating system provides a group (or local) security policy setting, “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”, which is used by many Microsoft products to determine whether to operate in a FIPS-approved mode. When this policy is set, the validated cryptographic modules in Windows will also operate in a FIPS-approved mode.
+
+**Note** – There is no enforcement of the FIPS policy by the operating system or the validated cryptographic modules. Instead, each individual application must check this flag and enforce the Security Policy of the validated cryptographic modules.
+
+#### Instructions on Setting the FIPS Local/Group Security Policy Flag
+
+While there are alternative methods for setting the FIPS local/group security policy flag, the following method is included as a guide to users with Administrative privileges. This description is for the Local Security Policy, but the Group Security Policy may be set in a similar manner.
+
+1. Open the 'Run' menu by pressing the combination 'Windows Key + R'.
+2. Type 'secpol.msc' and press 'Enter' or click the 'Ok' button.
+3. In the Local Security Policy management console window that opens, use the left tab to navigate to the Local Policies -\> Security Options.
+4. Scroll down the right pane and double-click 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'.
+5. In the properties window, select the 'Enabled' option and click the 'Apply' button.
+
+#### Microsoft Components and Products That Utilize FIPS Local/Group Security Policy
+
+The following list details some of the Microsoft components that use the cryptographic functionality implemented by either CNG or legacy CAPI. When the FIPS Local/Group Security Policy is set, the following components will enforce the validated module Security Policy.
+
+ - Schannel Security Package
+ - Remote Desktop Protocol (RDP) Client
+ - Encrypting File System (EFS)
+ - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.)
+ - BitLocker® Drive Full-volume Encryption
+ - IPsec Settings of Windows Firewall
+
+#### Effects of Setting FIPS Local/Group Security Policy Flag
+
+When setting the FIPS local/group security policy flag, the behavior of several Microsoft components and products are affected. The most noticeable difference will be that the components enforcing this setting will only use those algorithms approved or allowed in FIPS mode. The specific changes to the products listed above are:
+
- Schannel Security Package forced to negotiate sessions using TLS. The following supported Cipher Suites are disabled:
-
+
- - TLS\_RSA\_WITH\_RC4\_128\_SHA
- TLS\_RSA\_WITH\_RC4\_128\_MD5
- SSL\_CK\_RC4\_128\_WITH\_MD5
- SSL\_CK\_DES\_192\_EDE3\_CBC\_WITH\_MD5
- TLS\_RSA\_WITH\_NULL\_MD5
- TLS\_RSA\_WITH\_NULL\_SHA
-
+
- The set of cryptographic algorithms that a Remote Desktop Protocol (RDP) server will use is scoped to:
-
+
- - CALG\_RSA\_KEYX - RSA public key exchange algorithm
- CALG\_3DES - Triple DES encryption algorithm
- CALG\_AES\_128 - 128 bit AES
@@ -175,6916 +175,6916 @@ When setting the FIPS local/group security policy flag, the behavior of several
- CALG\_SHA\_256 - 256 bit SHA hashing algorithm
- CALG\_SHA\_384 - 384 bit SHA hashing algorithm
- CALG\_SHA\_512 - 512 bit SHA hashing algorithm
-
+
- Any Microsoft .NET Framework applications, such as Microsoft ASP.NET or Windows Communication Foundation (WCF), only allow algorithm implementations that are validated to FIPS 140, meaning only classes that end in "CryptoServiceProvider" or "Cng" can be used. Any attempt to create an instance of other cryptographic algorithm classes or create instances that use non-allowed algorithms will cause an InvalidOperationException exception.
-
+
- Verification of ClickOnce applications fails unless the client computer has .NET Framework 2.0 SP1 or later service pack installed or .NET Framework 3.5 or later installed.
-
+
- On Windows Vista and Windows Server 2008 and later, BitLocker Drive Encryption switches from AES-128 using the elephant diffuser to using the approved AES-256 encryption. Recovery passwords are not created or backed up. Instead, backup a recovery key on a local drive or on a network share. To use the recovery key, put the key on a USB device and plug the device into the computer.
-
-Please be aware that selection of FIPS mode can limit product functionality (See ).
-
-## Information for Software Developers
-
-This section is targeted at developers who wish to build their own applications using the FIPS 140 validated cryptographic modules.
-
-Each of the validated cryptographic modules defines a series of rules that must be followed. The security rules for each validated cryptographic module are specified in the Security Policy document. Links to each of the Security Policy documents is provided in the [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) section below. Generally, the restriction in Microsoft validated cryptographic modules is limiting the use of cryptography to only FIPS Approved cryptographic algorithms, modes, and key sizes.
-
-### Using Microsoft Cryptographic Modules in a FIPS mode of operation
-
-No matter whether developing with native languages or using .NET, it is important to first check whether the CNG modules for the target system are FIPS validated. The list of validated CNG binaries is identified in the [CNG Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_cng_validated_cryptographic) section.
-
-When developing using CNG directly, it is the responsibility of the developer to follow the security rules outlined in the FIPS 140 Security Policy for each module. The security policy for each module is provided on the CMVP website. Links to each of the Security Policy documents is provided in the tables below. It is important to remember that setting the FIPS local/group security policy Flag (discussed above) does not affect the behavior of the modules when used for developing custom applications.
-
-If you are developing your application using .NET instead of using the native libraries, then setting the FIPS local policy flag will generate an exception when an improper .NET class is used for cryptography (i.e. the cryptographic classes whose names end in "Managed"). The names of these allowed classes end with "Cng", which use the CNG binaries or "CryptoServiceProvider", which use the legacy CAPI binaries.
-
-### Key Strengths and Validity Periods
-
-NIST Special Publication 800-131A Revision 1, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, dated November 2015, \[[SP 800-131A](http://dx.doi.org/10.6028/nist.sp.800-131ar1)\], offers guidance for moving to stronger cryptographic keys and algorithms. This does not replace NIST SP 800-57, Recommendation for Key Management Part 1: General, \[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\], but gives more specific guidance. One of the most important topics discussed in these publications deals with the key strengths of FIPS Approved algorithms and their validity periods. When developing applications that use FIPS Approved algorithms, it is also extremely important to select appropriate key sizes based on the security lifetimes recommended by NIST.
-
-## FIPS 140 FAQ
-
-The following are answers to commonly asked questions for the FIPS 140-2 validation of Microsoft products.
-
-1. How does FIPS 140 relate to the Common Criteria?
- **Answer:** These are two separate security standards with different, but complementary, purposes. FIPS 140 is a standard designed specifically for validating product modules that implement cryptography. On the other hand, Common Criteria is designed to help evaluate security functions in IT products.
- In many cases, Common Criteria evaluations will rely on FIPS 140 validations to provide assurance that cryptographic functionality is implemented properly.
-2. How does FIPS 140 relate to Suite B?
- **Answer:** Suite B is simply a set of cryptographic algorithms defined by the U.S. National Security Agency (NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to be used for both unclassified information and most classified information.
- The Suite B cryptographic algorithms are a subset of the FIPS Approved cryptographic algorithms as allowed by the FIPS 140 standard.
-3. There are so many modules listed on the NIST website for each release, how are they related and how do I tell which one applies to me?
- **Answer:** Microsoft strives to validate all releases of its cryptographic modules. Each module provides a different set of cryptographic algorithms. If you are required to use only FIPS validated cryptographic modules, you simply need to verify that the version being used appears on the validation list.
- Please see the [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140)section for a complete list of Microsoft validated modules.
-4. My application links against crypt32.dll, cryptsp.dll, advapi32.dll, bcrypt.dll, bcryptprimitives.dll, or ncrypt.dll. What do I need to do to assure I’m using FIPS 140 validated cryptographic modules?
- **Answer:** crypt32.dll, cryptsp.dll, advapi32.dll, and ncrypt.dll are intermediary libraries that will offload all cryptographic operations to the FIPS validated cryptographic modules. Bcrypt.dll itself is a validated cryptographic module for Windows Vista and Windows Server 2008. For Windows 7 and Windows Server 2008 R2 and later, bcryptprimitives.dll is the validated module, but bcrypt.dll remains as one of the libraries to link against.
- You must first verify that the underlying CNG cryptographic module is validated. Once verified, you'll need to confirm that you're using the module correctly in FIPS mode (See [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) section for details).
-5. What does "When operated in FIPS mode" mean on certificates?
- **Answer:** This caveat identifies that a required configuration and security rules must be followed in order to use the cryptographic module in a manner consistent with its FIPS 140 Security Policy. The security rules are defined in the Security Policy for the module and usually revolve around using only FIPS Approved cryptographic algorithms and key sizes. Please see the Security Policy for the specific security rules for each cryptographic module (See [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) section for links to each policy).
-6. Which FIPS validated module is called when Windows 7 or Windows 8 is configured to use the FIPS setting in the wireless configuration?
- **Answer:** CNG is used. This setting tells the wireless driver to call FIPS 140-2 validated cryptographic modules instead of using the driver’s own cryptography, if any.
-7. Is BitLocker to Go FIPS 140-2 validated?
- **Answer:** There are two separate parts for BitLocker to Go. One part is simply a native feature of BitLocker and as such, it uses FIPS 140-2 validated cryptographic modules. The other part is the BitLocker to Go Reader application for down-level support of older operating systems such as Windows XP and Windows Vista. The Reader application does not use FIPS 140-2 validated cryptographic modules.
-8. Are applications FIPS 140-2 validated?
- **Answer:** Microsoft only has low-level cryptographic modules in Windows FIPS 140-2 validated, not high-level applications. A better question is whether a certain application calls a FIPS 140-2 validated cryptographic module in the underlying Windows OS. That question needs to be directed to the company/product group that created the application of interest.
-9. How can Systems Center Operations Manager 2012 be configured to use FIPS 140-2 validated cryptographic modules?
- **Answer:** See [http://technet.microsoft.com/library/hh914094.aspx](https://technet.microsoft.com/library/hh914094.aspx)
-
-## Microsoft FIPS 140 Validated Cryptographic Modules
-
-### Modules By Operating System
-
-The following tables identify the Cryptographic Modules for an operating system.
-
-#### Windows
-
-##### Windows 10 Creators Update (Version 1703)
-
-Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
-
-
-
-
-\[1\] Applies only to Home, Pro, Enterprise, Education and S
-
-\[2\] Applies only to Pro, Enterprise, Education, S, Mobile and Surface Hub
-
-\[3\] Applies only to Pro, Enterprise Education and S
-
-##### Windows 10 Anniversary Update (Version 1607)
-
-Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
-10.0.14393 |
-#2937 |
-FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
-
-Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
-Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886) |
-
-
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
-10.0.14393 |
-#2936 |
-FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
-
-Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
-Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887) |
-
-
-| Boot Manager |
-10.0.14393 |
-#2931 |
-FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)
-Other algorithms: MD5; PBKDF (non-compliant); VMK KDF |
-
-
-| BitLocker® Windows OS Loader (winload) |
-10.0.14393 |
-#2932 |
-FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: NDRNG; MD5 |
-
-
-| BitLocker® Windows Resume (winresume)[1] |
-10.0.14393 |
-#2933 |
-FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: MD5 |
-
-
-| BitLocker® Dump Filter (dumpfve.sys)[2] |
-10.0.14393 |
-#2934 |
-FIPS Approved algorithms: AES (Certs. #4061 and #4064) |
-
-
-| Code Integrity (ci.dll) |
-10.0.14393 |
-#2935 |
-FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: AES (non-compliant); MD5
-Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888) |
-
-
-| Secure Kernel Code Integrity (skci.dll)[3] |
-10.0.14393 |
-#2938 |
-FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
-
-Other algorithms: MD5
-Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888) |
-
-
-
-
-
-\[1\] Applies only to Home, Pro, Enterprise and Enterprise LTSB
-
-\[2\] Applies only to Pro, Enterprise, Enterprise LTSB and Mobile
-
-\[3\] Applies only to Pro, Enterprise and Enterprise LTSB
-
-##### Windows 10 November 2015 Update (Version 1511)
-
-Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
-10.0.10586 |
-#2606 |
-FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
-
-Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
-Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664) |
-
-
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
-10.0.10586 |
-#2605 |
-FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
-
-Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
-Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663) |
-
-
-| Boot Manager[4] |
-10.0.10586 |
-#2700 |
-FIPS Approved algorithms: AES (Certs. #3653); HMAC (Cert. #2381); PBKDF (vendor affirmed); RSA (Cert. #1871); SHS (Certs. #3047 and #3048)
-
-Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) |
-
-
-| BitLocker® Windows OS Loader (winload)[5] |
-10.0.10586 |
-#2701 |
-FIPS Approved algorithms: AES (Certs. #3629 and #3653); RSA (Cert. #1871); SHS (Cert. #3048)
-
-Other algorithms: MD5; NDRNG |
-
-
-| BitLocker® Windows Resume (winresume)[6] |
-10.0.10586 |
-#2702 |
-FIPS Approved algorithms: AES (Certs. #3653); RSA (Cert. #1871); SHS (Cert. #3048)
-
-Other algorithms: MD5 |
-
-
-| BitLocker® Dump Filter (dumpfve.sys)[7] |
-10.0.10586 |
-#2703 |
-FIPS Approved algorithms: AES (Certs. #3653) |
-
-
-| Code Integrity (ci.dll) |
-10.0.10586 |
-#2604 |
-FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
-
-Other algorithms: AES (non-compliant); MD5
-Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665) |
-
-
-| Secure Kernel Code Integrity (skci.dll)[8] |
-10.0.10586 |
-#2607 |
-FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
-
-Other algorithms: MD5
-Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665) |
-
-
-
-
-
-\[4\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub
-
-\[5\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub
-
-\[6\] Applies only to Home, Pro and Enterprise
-
-\[7\] Applies only to Pro, Enterprise, Mobile and Surface Hub
-
-\[8\] Applies only to Enterprise and Enterprise LTSB
-
-##### Windows 10 (Version 1507)
-
-Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Hub
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
-10.0.10240 |
-#2606 |
-FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
-
-Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
-Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575) |
-
-
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
-10.0.10240 |
-#2605 |
-FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
-
-Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
-Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576) |
-
-
-| Boot Manager[9] |
-10.0.10240 |
-#2600 |
-FIPS Approved algorithms: AES (Cert. #3497); HMAC (Cert. #2233); KTS (AES Cert. #3498); PBKDF (vendor affirmed); RSA (Cert. #1784); SHS (Certs. #2871 and #2886)
-
-Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) |
-
-
-| BitLocker® Windows OS Loader (winload)[10] |
-10.0.10240 |
-#2601 |
-FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
-
-Other algorithms: MD5; NDRNG |
-
-
-| BitLocker® Windows Resume (winresume)[11] |
-10.0.10240 |
-#2602 |
-FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
-
-Other algorithms: MD5 |
-
-
-| BitLocker® Dump Filter (dumpfve.sys)[12] |
-10.0.10240 |
-#2603 |
-FIPS Approved algorithms: AES (Certs. #3497 and #3498) |
-
-
-| Code Integrity (ci.dll) |
-10.0.10240 |
-#2604 |
-FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
-
-Other algorithms: AES (non-compliant); MD5
-Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572) |
-
-
-| Secure Kernel Code Integrity (skci.dll)[13] |
-10.0.10240 |
-#2607 |
-FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
-
-Other algorithms: MD5
-Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572) |
-
-
-
-
-
-\[9\] Applies only to Home, Pro, Enterprise and Enterprise LTSB
-
-\[10\] Applies only to Home, Pro, Enterprise and Enterprise LTSB
-
-\[11\] Applies only to Home, Pro, Enterprise and Enterprise LTSB
-
-\[12\] Applies only to Pro, Enterprise and Enterprise LTSB
-
-\[13\] Applies only to Enterprise and Enterprise LTSB
-
-##### Windows 8.1
-
-Validated Editions: RT, Pro, Enterprise, Phone, Embedded
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
-6.3.9600 6.3.9600.17031 |
-#2357 |
-FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
-
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
-Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323) |
-
-
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
-6.3.9600 6.3.9600.17042 |
-#2356 |
-FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
-
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
-Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289) |
-
-
-| Boot Manager |
-6.3.9600 6.3.9600.17031 |
-#2351 |
-FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
-
-Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) |
-
-
-| BitLocker® Windows OS Loader (winload) |
-6.3.9600 6.3.9600.17031 |
-#2352 |
-FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
-
-Other algorithms: MD5; NDRNG |
-
-
-| BitLocker® Windows Resume (winresume)[14] |
-6.3.9600 6.3.9600.17031 |
-#2353 |
-FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
-
-Other algorithms: MD5 |
-
-
-| BitLocker® Dump Filter (dumpfve.sys) |
-6.3.9600 6.3.9600.17031 |
-#2354 |
-FIPS Approved algorithms: AES (Cert. #2832)
-
-Other algorithms: N/A |
-
-
-| Code Integrity (ci.dll) |
-6.3.9600 6.3.9600.17031 |
-#2355#2355 |
-FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
-
-Other algorithms: MD5
-Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289) |
-
-
-
-
-
-\[14\] Applies only to Pro, Enterprise, and Embedded 8.
-
-##### Windows 8
-
-Validated Editions: RT, Home, Pro, Enterprise, Phone
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL) |
-6.2.9200 |
-#1892 |
-FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
-
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert. ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
-
- |
-
-
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
-6.2.9200 |
-#1891 |
-FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
-
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RNG (Cert. ); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
-
-Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) |
-
-
-| Boot Manager |
-6.2.9200 |
-#1895 |
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5 |
-
-
-| BitLocker® Windows OS Loader (WINLOAD) |
-6.2.9200 |
-#1896 |
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG |
-
-
-| BitLocker® Windows Resume (WINRESUME)[15] |
-6.2.9200 |
-#1898 |
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5 |
-
-
-| BitLocker® Dump Filter (DUMPFVE.SYS) |
-6.2.9200 |
-#1899 |
-FIPS Approved algorithms: AES (Certs. #2196 and #2198)
-
-Other algorithms: N/A |
-
-
-| Code Integrity (CI.DLL) |
-6.2.9200 |
-#1897 |
-FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5 |
-
-
-| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL) |
-6.2.9200 |
-#1893 |
-FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert. ); Triple-DES MAC (Triple-DES Cert. , vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. , key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-| Enhanced Cryptographic Provider (RSAENH.DLL) |
-6.2.9200 |
-#1894 |
-FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
-
-Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-
-
-
-\[15\] Applies only to Home and Pro
-
-**Windows 7**
-
-Validated Editions: Windows 7, Windows 7 SP1
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL) |
-6.1.7600.16385
-6.1.7601.17514 |
-1329 |
-FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); DSA (Cert. #386); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
-
-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and ); SHS (Cert. ); Triple-DES (Cert. )
-
-Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 |
-
-
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
-6.1.7600.16385
-6.1.7600.16915
-6.1.7600.21092
-6.1.7601.17514
-6.1.7601.17725
-6.1.7601.17919
-6.1.7601.21861
-6.1.7601.22076 |
-1328 |
-FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
-
-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 |
-
-
-| Boot Manager |
-6.1.7600.16385
-6.1.7601.17514 |
-1319 |
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #557); SHS (Cert. #1081)
-
-Other algorithms: MD5#1168 and ); HMAC (Cert. ); RSA (Cert. ); SHS (Cert. )
-
-Other algorithms: MD5 |
-
-
-| Winload OS Loader (winload.exe) |
-6.1.7600.16385
-6.1.7600.16757
-6.1.7600.20897
-6.1.7600.20916
-6.1.7601.17514
-6.1.7601.17556
-6.1.7601.21655
-6.1.7601.21675 |
-1326 |
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #557); SHS (Cert. #1081)
-
-Other algorithms: MD5 |
-
-
-| BitLocker™ Drive Encryption |
-6.1.7600.16385
-6.1.7600.16429
-6.1.7600.16757
-6.1.7600.20536
-6.1.7600.20873
-6.1.7600.20897
-6.1.7600.20916
-6.1.7601.17514
-6.1.7601.17556
-6.1.7601.21634
-6.1.7601.21655
-6.1.7601.21675 |
-1332 |
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
-
-Other algorithms: Elephant Diffuser |
-
-
-| Code Integrity (CI.DLL) |
-6.1.7600.16385
-6.1.7600.17122
-6.1.7600.21320
-6.1.7601.17514
-6.1.7601.17950
-6.1.7601.22108 |
-1327 |
-FIPS Approved algorithms: RSA (Cert. #557); SHS (Cert. #1081)
-
-Other algorithms: MD5 |
-
-
-| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL) |
-6.1.7600.16385
-(no change in SP1) |
-1331 |
-FIPS Approved algorithms: DSA (Cert. #385); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4 |
-
-
-| Enhanced Cryptographic Provider (RSAENH.DLL) |
-6.1.7600.16385
-(no change in SP1) |
-1330 |
-FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #673); SHS (Cert. #1081); RSA (Certs. #557 and #559); Triple-DES (Cert. #846)
-
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256-bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-
-
-
-##### Windows Vista SP1
-
-Validated Editions: Ultimate Edition
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Boot Manager (bootmgr) |
-6.0.6001.18000 and 6.0.6002.18005 |
-978 |
-FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #354); SHS (Cert. #753) |
-
-
-| Winload OS Loader (winload.exe) |
-6.0.6001.18000, 6.0.6001.18027, 6.0.6001.18606, 6.0.6001.22125, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411 and 6.0.6002.22596 |
-979 |
-FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #354); SHS (Cert. #753)
-
-Other algorithms: MD5 |
-
-
-| Code Integrity (ci.dll) |
-6.0.6001.18000, 6.0.6001.18023, 6.0.6001.22120, and 6.0.6002.18005 |
-980 |
-FIPS Approved algorithms: RSA (Cert. #354); SHS (Cert. #753)
-
-Other algorithms: MD5 |
-
-
-| Kernel Mode Security Support Provider Interface (ksecdd.sys) |
-6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.22869 |
-1000 |
-FIPS Approved algorithms: AES (Certs. #739 and #756); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)#739 and ); ECDSA (Cert. ); HMAC (Cert. ); RNG (Cert. and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-| Cryptographic Primitives Library (bcrypt.dll) |
-6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005, and 6.0.6002.22872 |
-1001 |
-FIPS Approved algorithms: AES (Certs. #739 and #756); DSA (Cert. #283); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90, vendor affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)
-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength) |
-
-
-| Enhanced Cryptographic Provider (RSAENH) |
-6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.18005 |
-1002 |
-FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #407); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #354); SHS (Cert. #753); Triple-DES (Cert. #656)
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
-6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005 |
-1003 |
-FIPS Approved algorithms: DSA (Cert. #281); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4 |
-
-
-
-
-
-##### Windows Vista
-
-Validated Editions: Ultimate Edition
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Enhanced Cryptographic Provider (RSAENH) |
-6.0.6000.16386 |
-893 |
-FIPS Approved algorithms: AES (Cert. #553); HMAC (Cert. #297); RNG (Cert. #321); RSA (Certs. #255 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
-
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
-6.0.6000.16386 |
-894 |
-FIPS Approved algorithms: DSA (Cert. #226); RNG (Cert. #321); SHS (Cert. #618); Triple-DES (Cert. #549); Triple-DES MAC (Triple-DES Cert. #549, vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4 |
-
-
-| BitLocker™ Drive Encryption |
-6.0.6000.16386 |
-947 |
-FIPS Approved algorithms: AES (Cert. #715); HMAC (Cert. #386); SHS (Cert. #737)
-
-Other algorithms: Elephant Diffuser |
-
-
-| Kernel Mode Security Support Provider Interface (ksecdd.sys) |
-6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067 |
-891 |
-FIPS Approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
-
-Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5 |
-
-
-
-
-
-##### Windows XP SP3
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Kernel Mode Cryptographic Module (FIPS.SYS) |
-5.1.2600.5512 |
-997 |
-FIPS Approved algorithms: HMAC (Cert. #429); RNG (Cert. #449); SHS (Cert. #785); Triple-DES (Cert. #677); Triple-DES MAC (Triple-DES Cert. #677, vendor affirmed)
-Other algorithms: DES; MD5; HMAC MD5 |
-
-
-| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
-5.1.2600.5507 |
-990 |
-FIPS Approved algorithms: DSA (Cert. #292); RNG (Cert. #448); SHS (Cert. #784); Triple-DES (Cert. #676); Triple-DES MAC (Triple-DES Cert. #676, vendor affirmed)
-Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4 |
-
-
-| Enhanced Cryptographic Provider (RSAENH) |
-5.1.2600.5507 |
-989 |
-FIPS Approved algorithms: AES (Cert. #781); HMAC (Cert. #428); RNG (Cert. #447); RSA (Cert. #371); SHS (Cert. #783); Triple-DES (Cert. #675); Triple-DES MAC (Triple-DES Cert. #675, vendor affirmed)
-Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits) |
-
-
-
-
-
-##### Windows XP SP2
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| DSS/Diffie-Hellman Enhanced Cryptographic Provider |
-5.1.2600.2133 |
-240 |
-FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #29)
-Other algorithms: DES (Cert. #66); RC2; RC4; MD5; DES40; Diffie-Hellman (key agreement) |
-
-
-| Microsoft Enhanced Cryptographic Provider |
-5.1.2600.2161 |
-238 |
-FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)
-Other algorithms: DES (Cert. #156); RC2; RC4; MD5 |
-
-
-
-
-
-##### Windows XP SP1
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Microsoft Enhanced Cryptographic Provider |
-5.1.2600.1029 |
-238 |
-FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)
-Other algorithms: DES (Cert. #156); RC2; RC4; MD5 |
-
-
-
-
-
-##### Windows XP
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Kernel Mode Cryptographic Module |
-5.1.2600.0 |
-241 |
-FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #35); HMAC-SHA-1 (Cert. #35, vendor affirmed)
-Other algorithms: DES (Cert. #89) |
-
-
-
-
-
-##### Windows 2000 SP3
-
-
-
-
-##### Windows 2000 SP2
-
-
-
-
-##### Windows 2000 SP1
-
-
-
-
-##### Windows 2000
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enchanced Cryptographic Provider, and Enhanced Cryptographic Provider |
-5.0.2150.1 |
-76 |
-FIPS Approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. #28 and 29); RSA (vendor affirmed)
-Other algorithms: DES (Certs. #65, 66, 67 and 68); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement) |
-
-
-
-
-
-##### Windows 95 and Windows 98
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enchanced Cryptographic Provider, and Enhanced Cryptographic Provider |
-5.0.1877.6 and 5.0.1877.7 |
-75 |
-FIPS Approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor- affirmed)
-Other algorithms: DES (Certs. #61, 62, 63 and 64); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement) |
-
-
-
-
-
-##### Windows NT 4.0
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Base Cryptographic Provider |
-5.0.1877.6 and 5.0.1877.7 |
-68 |
-FIPS Approved algorithms: SHA-1 (Certs. #20 and 21); DSA/SHA- 1 (Certs. #25 and 26); RSA (vendor affirmed)
-
-Other algorithms: DES (Certs. #61, 62, 63 and 64); Triple-DES (allowed for US and Canadian Government use); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement) |
-
-
-
-
-
-#### Windows Server
-
-##### Windows Server 2016
-
-Validated Editions: Standard, Datacenter, Storage Server
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
-10.0.14393 |
-2937 |
-FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
-
-Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt) |
-
-
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
-10.0.14393 |
-2936 |
-FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
-
-Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt) |
-
-
-| Boot Manager |
-10.0.14393 |
-2931 |
-FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)
-Other algorithms: MD5; PBKDF (non-compliant); VMK KDF |
-
-
-| BitLocker® Windows OS Loader (winload) |
-10.0.14393 |
-2932 |
-FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: NDRNG; MD5 |
-
-
-| BitLocker® Windows Resume (winresume) |
-10.0.14393 |
-2933 |
-FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: MD5 |
-
-
-| BitLocker® Dump Filter (dumpfve.sys) |
-10.0.14393 |
-2934 |
-FIPS Approved algorithms: AES (Certs. #4061 and #4064) |
-
-
-| Code Integrity (ci.dll) |
-10.0.14393 |
-2935 |
-FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: AES (non-compliant); MD5 |
-
-
-| Secure Kernel Code Integrity (skci.dll) |
-10.0.14393 |
-2938 |
-FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
-
-Other algorithms: MD5 |
-
-
-
-
-
-##### Windows Server 2012 R2
-
-Validated Editions: Server, Storage Server,
-
-**StorSimple 8000 Series, Azure StorSimple Virtual Array Windows Server 2012 R2**
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
-6.3.9600 6.3.9600.17031 |
-2357 |
-FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
-
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt) |
-
-
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
-6.3.9600 6.3.9600.17042 |
-2356 |
-FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
-
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt) |
-
-
-| Boot Manager |
-6.3.9600 6.3.9600.17031 |
-2351 |
-FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
-
-Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) |
-
-
-| BitLocker® Windows OS Loader (winload) |
-6.3.9600 6.3.9600.17031 |
-2352 |
-FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
-
-Other algorithms: MD5; NDRNG |
-
-
-| BitLocker® Windows Resume (winresume)[16] |
-6.3.9600 6.3.9600.17031 |
-2353 |
-FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
-
-Other algorithms: MD5 |
-
-
-| BitLocker® Dump Filter (dumpfve.sys)[17] |
-6.3.9600 6.3.9600.17031 |
-2354 |
-FIPS Approved algorithms: AES (Cert. #2832)
-
-Other algorithms: N/A |
-
-
-| Code Integrity (ci.dll) |
-6.3.9600 6.3.9600.17031 |
-2355 |
-FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
-
-Other algorithms: MD5 |
-
-
-
-
-
-\[16\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2**
-
-\[17\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2**
-
-**Windows Server 2012**
-
-Validated Editions: Server, Storage Server
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL) |
-6.2.9200 |
-1892 |
-FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
-
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert. ); HMAC (Cert. #); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
-
-Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) |
-
-
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
-6.2.9200 |
-1891 |
-FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
-
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
-
-Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) |
-
-
-| Boot Manager |
-6.2.9200 |
-1895 |
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5 |
-
-
-| BitLocker® Windows OS Loader (WINLOAD) |
-6.2.9200 |
-1896 |
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG |
-
-
-| BitLocker® Windows Resume (WINRESUME) |
-6.2.9200 |
-1898 |
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5 |
-
-
-| BitLocker® Dump Filter (DUMPFVE.SYS) |
-6.2.9200 |
-1899 |
-FIPS Approved algorithms: AES (Certs. #2196 and #2198)
-
-Other algorithms: N/A |
-
-
-| Code Integrity (CI.DLL) |
-6.2.9200 |
-1897 |
-FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5 |
-
-
-| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL) |
-6.2.9200 |
-1893 |
-FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-| Enhanced Cryptographic Provider (RSAENH.DLL) |
-6.2.9200 |
-1894 |
-FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
-
-Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-
-
-
-##### Windows Server 2008 R2
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Boot Manager (bootmgr) |
-6.1.7600.16385 or 6.1.7601.175146.1.7600.16385 or 6.1.7601.17514 |
-1321 |
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #568); SHS (Cert. #1081)
-
-Other algorithms: MD5 |
-
-
-| Winload OS Loader (winload.exe) |
-6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216756.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.21675 |
-1333 |
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
-
-Other algorithms: MD5 |
-
-
-| Code Integrity (ci.dll) |
-6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221086.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.22108 |
-1334 |
-FIPS Approved algorithms: RSA (Cert. #568); SHS (Cert. #1081)
-
-Other algorithms: MD5 |
-
-
-| Kernel Mode Cryptographic Primitives Library (cng.sys) |
-6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220766.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.22076 |
-1335 |
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
-
--Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 |
-
-
-| Cryptographic Primitives Library (bcryptprimitives.dll) |
-66.1.7600.16385 or 6.1.7601.1751466.1.7600.16385 or 6.1.7601.17514 |
-1336 |
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); DSA (Cert. #391); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
-
-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4 |
-
-
-| Enhanced Cryptographic Provider (RSAENH) |
-6.1.7600.16385 |
-1337 |
-FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #687); SHS (Cert. #1081); RSA (Certs. #559 and #568); Triple-DES (Cert. #846)
-
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
-6.1.7600.16385 |
-1338 |
-FIPS Approved algorithms: DSA (Cert. #390); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4 |
-
-
-| BitLocker™ Drive Encryption |
-6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216756.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675 |
-1339 |
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
-
-Other algorithms: Elephant Diffuser |
-
-
-
-
-
-##### Windows Server 2008
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Boot Manager (bootmgr) |
-6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224976.0.6001.18000, 6.0.6002.18005 and 6.0.6002.22497 |
-1004 |
-FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #355); SHS (Cert. #753)
-
-Other algorithms: N/A |
-
-
-| Winload OS Loader (winload.exe) |
-6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225966.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.22596 |
-1005 |
-FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
-
-Other algorithms: MD5 |
-
-
-| Code Integrity (ci.dll) |
-6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005 |
-1006 |
-FIPS Approved algorithms: RSA (Cert. #355); SHS (Cert. #753)
-
-Other algorithms: MD5 |
-
-
-| Kernel Mode Security Support Provider Interface (ksecdd.sys) |
-6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.22869 |
-1007 |
-FIPS Approved algorithms: AES (Certs. #739 and #757); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
-
-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert. ); RNG (Cert. and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
-
-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-| Cryptographic Primitives Library (bcrypt.dll) |
-6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005 and 6.0.6002.22872 |
-1008 |
-FIPS Approved algorithms: AES (Certs. #739 and #757); DSA (Cert. #284); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
-
-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength) |
-
-
-| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
-6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005 |
-1009 |
-FIPS Approved algorithms: DSA (Cert. #282); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
-
--Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4 |
-
-
-| Enhanced Cryptographic Provider (RSAENH) |
-6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.18005 |
-1010 |
-FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)
-
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-
-
-
-##### Windows Server 2003 SP2
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
-5.2.3790.3959 |
-875 |
-FIPS Approved algorithms: DSA (Cert. #221); RNG (Cert. #314); RSA (Cert. #245); SHS (Cert. #611); Triple-DES (Cert. #543)
-Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4 |
-
-
-| Kernel Mode Cryptographic Module (FIPS.SYS) |
-5.2.3790.3959 |
-869 |
-FIPS Approved algorithms: HMAC (Cert. #287); RNG (Cert. #313); SHS (Cert. #610); Triple-DES (Cert. #542)
-Other algorithms: DES; HMAC-MD5 |
-
-
-| Enhanced Cryptographic Provider (RSAENH) |
-5.2.3790.3959 |
-868 |
-FIPS Approved algorithms: AES (Cert. #548); HMAC (Cert. #289); RNG (Cert. #316); RSA (Cert. #245); SHS (Cert. #613); Triple-DES (Cert. #544)
-Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
-
-
-
-
-
-##### Windows Server 2003 SP1
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Kernel Mode Cryptographic Module (FIPS.SYS) |
-5.2.3790.1830 [SP1] |
-405 |
-FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])
-Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)
-[1] x86
-[2] SP1 x86, x64, IA64 |
-
-
-| Enhanced Cryptographic Provider (RSAENH) |
-5.2.3790.1830 [Service Pack 1]) |
-382 |
-FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])
-Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5
-[1] x86
-[2] SP1 x86, x64, IA64 |
-
-
-| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
-5.2.3790.1830 [Service Pack 1] |
-381 |
-FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)
-Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40
-[1] x86
-[2] SP1 x86, x64, IA64 |
-
-
-
-
-
-##### Windows Server 2003
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Kernel Mode Cryptographic Module (FIPS.SYS) |
-5.2.3790.0 |
-405 |
-FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])
-Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)
-[1] x86
-[2] SP1 x86, x64, IA64 |
-
-
-| Enhanced Cryptographic Provider (RSAENH) |
-5.2.3790.0 |
-382 |
-FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])
-Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5
-[1] x86
-[2] SP1 x86, x64, IA64 |
-
-
-| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
-5.2.3790.0 |
-381 |
-FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)
-Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40
-[1] x86
-[2] SP1 x86, x64, IA64 |
-
-
-
-
-
-#### Other Products
-
-##### Windows Embedded Compact 7 and Windows Embedded Compact 8
-
-
-
-
-
-##### Windows CE 6.0 and Windows Embedded Compact 7
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Enhanced Cryptographic Provider |
-6.00.1937 [1] and 7.00.1687 [2] |
-825 |
-FIPS Approved algorithms: AES (Certs. #516 [1] and #2024 [2]); HMAC (Certs. #267 [1] and #1227 [2]); RNG (Certs. #292 [1] and #1060 [2]); RSA (Cert. #230 [1] and #1052 [2]); SHS (Certs. #589 [1] and #1774 [2]); Triple-DES (Certs. #526 [1] and #1308 [2])
-Other algorithms: MD5; HMAC-MD5; RC2; RC4; DES |
-
-
-
-
-
-##### Outlook Cryptographic Provider
-
-
-
-
-
-
-
-
-
-
-| Cryptographic Module |
-Version (link to Security Policy) |
-FIPS Certificate # |
-Algorithms |
-
-
-| Outlook Cryptographic Provider (EXCHCSP) |
-SR-1A (3821)SR-1A (3821) |
-110 |
-FIPS Approved algorithms: Triple-DES (Cert. #18); SHA-1 (Certs. #32); RSA (vendor affirmed)
-Other algorithms: DES (Certs. #91); DES MAC; RC2; MD2; MD5 |
-
-
-
-
-
-
-### Cryptographic Algorithms
-
-The following tables are organized by cryptographic algorithms with their modes, states, and key sizes. For each algorithm implementation (operating system / platform), there is a link to the Cryptographic Algorithm Validation Program (CAVP) issued certificate.
-
-### Advanced Encryption Standard (AES)
-
-
-
-
-
-
-
-
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
-
-
-
-- AES-CBC:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CFB128:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CTR:
-
-- Counter Source: Internal
-- Key Lengths: 128, 192, 256 (bits)
- - AES-OFB:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- |
-Microsoft Surface Hub Virtual TPM Implementations #4904
-Version 10.0.15063.674 |
-
-
-
-- AES-CBC:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CFB128:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CTR:
-
-- Counter Source: Internal
-- Key Lengths: 128, 192, 256 (bits)
- - AES-OFB:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #4903
-Version 10.0.16299 |
-
-
-
-- AES-CBC:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CCM:
-
-- Key Lengths: 128, 192, 256 (bits)
-- Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
-- IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
-- Plain Text Length: 0-32
-- AAD Length: 0-65536
- - AES-CFB128:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CFB8:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CMAC:
-
-- Generation:
-
-- AES-128:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-192:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-256:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - Verification:
-
-- AES-128:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-192:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-256:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-CTR:
-
-- Counter Source: Internal
-- Key Lengths: 128, 192, 256 (bits)
- - AES-ECB:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-GCM:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
-- Tag Lengths: 96, 104, 112, 120, 128 (bits)
-- Plain Text Lengths: 0, 8, 1016, 1024 (bits)
-- AAD Lengths: 0, 8, 1016, 1024 (bits)
-- 96 bit IV supported
- - AES-XTS:
-
-- Key Size: 128:
-
-- Modes: Decrypt, Encrypt
-- Block Sizes: Full
- - Key Size: 256:
-
-- Modes: Decrypt, Encrypt
-- Block Sizes: Full
- |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #4902
-Version 10.0.15063.674 |
-
-
-
-- AES-CBC:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CCM:
-
-- Key Lengths: 128, 192, 256 (bits)
-- Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
-- IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
-- Plain Text Length: 0-32
-- AAD Length: 0-65536
- - AES-CFB128:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CFB8:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CMAC:
-
-- Generation:
-
-- AES-128:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-192:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-256:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - Verification:
-
-- AES-128:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-192:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-256:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-CTR:
-
-- Counter Source: Internal
-- Key Lengths: 128, 192, 256 (bits)
- - AES-ECB:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-GCM:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
-- Tag Lengths: 96, 104, 112, 120, 128 (bits)
-- Plain Text Lengths: 0, 8, 1016, 1024 (bits)
-- AAD Lengths: 0, 8, 1016, 1024 (bits)
-- 96 bit IV supported
- - AES-XTS:
-
-- Key Size: 128:
-
-- Modes: Decrypt, Encrypt
-- Block Sizes: Full
- - Key Size: 256:
-
-- Modes: Decrypt, Encrypt
-- Block Sizes: Full
- |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4901
-Version 10.0.15254 |
-
-
-
-- AES-CBC:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CCM:
-
-- Key Lengths: 128, 192, 256 (bits)
-- Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
-- IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
-- Plain Text Length: 0-32
-- AAD Length: 0-65536
- - AES-CFB128:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CFB8:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-CMAC:
-
-- Generation:
-
-- AES-128:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-192:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-256:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - Verification:
-
-- AES-128:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-192:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-256:
-
-- Block Sizes: Full, Partial
-- Message Length: 0-65536
-- Tag Length: 16-16
- - AES-CTR:
-
-- Counter Source: Internal
-- Key Lengths: 128, 192, 256 (bits)
- - AES-ECB:
-
-- Modes: Decrypt, Encrypt
-- Key Lengths: 128, 192, 256 (bits)
- - AES-GCM:
-
-- Modes: Decrypt, Encrypt
-- IV Generation: External
-- Key Lengths: 128, 192, 256 (bits)
-- Tag Lengths: 96, 104, 112, 120, 128 (bits)
-- Plain Text Lengths: 0, 8, 1016, 1024 (bits)
-- AAD Lengths: 0, 8, 1016, 1024 (bits)
-- 96 bit IV supported
- - AES-XTS:
-
-- Key Size: 128:
-
-- Modes: Decrypt, Encrypt
-- Block Sizes: Full
- - Key Size: 256:
-
-- Modes: Decrypt, Encrypt
-- Block Sizes: Full
- |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4897
-Version 10.0.16299 |
-
-
-AES-KW:
-
-- Modes: Decrypt, Encrypt
-- CIPHK transformation direction: Forward
-- Key Lengths: 128, 192, 256 (bits)
-- Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
-
-AES Val#4902 |
-Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #4900
-Version 10.0.15063.674 |
-
-
-AES-KW:
-
-- Modes: Decrypt, Encrypt
-- CIPHK transformation direction: Forward
-- Key Lengths: 128, 192, 256 (bits)
-- Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
-
-AES Val#4901 |
-Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #4899
-Version 10.0.15254 |
-
-
-AES-KW:
-
-- Modes: Decrypt, Encrypt
-- CIPHK transformation direction: Forward
-- Key Lengths: 128, 192, 256 (bits)
-- Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
-
-AES Val#4897 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898
-Version 10.0.16299 |
-
-
-AES-CCM:
-
-- Key Lengths: 256 (bits)
-- Tag Lengths: 128 (bits)
-- IV Lengths: 96 (bits)
-- Plain Text Length: 0-32
-- AAD Length: 0-65536
-
-AES Val#4902 |
-Microsoft Surface Hub BitLocker(R) Cryptographic Implementations #4896
-Version 10.0.15063.674 |
-
-
-AES-CCM:
-
-- Key Lengths: 256 (bits)
-- Tag Lengths: 128 (bits)
-- IV Lengths: 96 (bits)
-- Plain Text Length: 0-32
-- AAD Length: 0-65536
-
-AES Val#4901 |
-Windows 10 Mobile (version 1709) BitLocker(R) Cryptographic Implementations #4895
-Version 10.0.15254 |
-
-
-AES-CCM:
-
-- Key Lengths: 256 (bits)
-- Tag Lengths: 128 (bits)
-- IV Lengths: 96 (bits)
-- Plain Text Length: 0-32
-- AAD Length: 0-65536
-
-AES Val#4897 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894
-Version 10.0.16299 |
-
-
-CBC ( e/d; 128 , 192 , 256 );
-CFB128 ( e/d; 128 , 192 , 256 );
-OFB ( e/d; 128 , 192 , 256 );
-CTR ( int only; 128 , 192 , 256 ) |
-Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627
-Version 10.0.15063 |
-
-
-KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )
-AES Val#4624 |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626
-Version 10.0.15063 |
-
-
-CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
-AES Val#4624
- |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625
-Version 10.0.15063 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
-CFB128 ( e/d; 128 , 192 , 256 );
-CTR ( int only; 128 , 192 , 256 )
-CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
-GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported
-GMAC_Supported
-XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624
-Version 10.0.15063 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 ); |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434
-Version 7.00.2872 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 ); |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433
-Version 8.00.6246 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CTR ( int only; 128 , 192 , 256 ) |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431
-Version 7.00.2872 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CTR ( int only; 128 , 192 , 256 ) |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430
-Version 8.00.6246 |
-
-
-CBC ( e/d; 128 , 192 , 256 );
-CFB128 ( e/d; 128 , 192 , 256 );
-OFB ( e/d; 128 , 192 , 256 );
-CTR ( int only; 128 , 192 , 256 ) |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074
-Version 10.0.14393 |
-
-
-ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
-CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
-GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
-GMAC_Supported
-XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064
-Version 10.0.14393 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
- |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
-Version 10.0.14393 |
-
-
-KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )
-AES Val#4064 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062
-Version 10.0.14393 |
-
-
-CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
-AES Val#4064 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061
-Version 10.0.14393 |
-
-
-KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )
-AES Val#3629 |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652
-Version 10.0.10586 |
-
-
-CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
-AES Val#3629 |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653
-Version 10.0.10586 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
- |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
-Version 10.0.10586 |
-
-
-ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
-CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
-GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
-GMAC_Supported
-XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629
-
-
-Version 10.0.10586 |
-
-
-KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )
-AES Val#3497 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507
-Version 10.0.10240 |
-
-
-CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
-AES Val#3497 |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498
-Version 10.0.10240 |
-
-
-ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
-CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
-GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
-GMAC_Supported
-XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
-Version 10.0.10240 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
- |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
-Version 10.0.10240 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
- |
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853
-Version 6.3.9600 |
-
-
-CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
-AES Val#2832 |
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848
-Version 6.3.9600 |
-
-
-CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
-GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported ;
-OtherIVLen_Supported
-GMAC_Supported |
-Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832
-Version 6.3.9600 |
-
-
-CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-AES Val#2197
-CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
-AES Val#2197
-GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
-GMAC_Supported |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216 |
-
-
-CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
-AES Val#2196 |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
-CFB128 ( e/d; 128 , 192 , 256 );
-CTR ( int only; 128 , 192 , 256 ) |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
- |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196 |
-
-
-CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-AES Val#1168 |
-Windows Server 2008 R2 and SP1 CNG algorithms #1187
-Windows 7 Ultimate and SP1 CNG algorithms #1178 |
-
-
-CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
-AES Val#1168 |
-Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 );
- |
-Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 |
-
-
-GCM
-GMAC |
-Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 , vendor-affirmed |
-
-
-| CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) |
-Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760 |
-
-
-| CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) |
-Windows Server 2008 CNG algorithms #757
-Windows Vista Ultimate SP1 CNG algorithms #756 |
-
-
-CBC ( e/d; 128 , 256 );
-CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) |
-Windows Vista Ultimate BitLocker Drive Encryption #715
-Windows Vista Ultimate BitLocker Drive Encryption #424 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CFB8 ( e/d; 128 , 192 , 256 ); |
-Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739
-Windows Vista Symmetric Algorithm Implementation #553 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 );
-CTR ( int only; 128 , 192 , 256 ) |
-Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023 |
-
-
-ECB ( e/d; 128 , 192 , 256 );
-CBC ( e/d; 128 , 192 , 256 ); |
-Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024
-Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818
-Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781
-Windows 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #548
-Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #516
-Windows CE and Windows Mobile 6, 6.1, and 6.5 Enhanced Cryptographic Provider (RSAENH) #507
-Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #290
-Windows CE 5.0 and 5.1 Enhanced Cryptographic Provider (RSAENH) #224
-Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #80
-Windows XP, SP1, and SP2 Enhanced Cryptographic Provider (RSAENH) #33 |
-
-
-
-
-
-Deterministic Random Bit Generator (DRBG)
-
-
-
-
-
-
-
-
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
-
-
-
-- Counter:
-
-- Modes: AES-256
-- Derivation Function States: Derivation Function not used
-- Prediction Resistance Modes: Not Enabled
-
-Prerequisite: AES #4904 |
-Microsoft Surface Hub Virtual TPM Implementations #1734
-Version 10.0.15063.674 |
-
-
-
-- Counter:
-
-- Modes: AES-256
-- Derivation Function States: Derivation Function not used
-- Prediction Resistance Modes: Not Enabled
-
-Prerequisite: AES #4903 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1733
-Version 10.0.16299 |
-
-
-
-- Counter:
-
-- Modes: AES-256
-- Derivation Function States: Derivation Function used
-- Prediction Resistance Modes: Not Enabled
-
-Prerequisite: AES #4902 |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #1732
-Version 10.0.15063.674 |
-
-
-
-- Counter:
-
-- Modes: AES-256
-- Derivation Function States: Derivation Function used
-- Prediction Resistance Modes: Not Enabled
-
-Prerequisite: AES #4901 |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1731
-Version 10.0.15254 |
-
-
-
-- Counter:
-
-- Modes: AES-256
-- Derivation Function States: Derivation Function used
-- Prediction Resistance Modes: Not Enabled
-
-Prerequisite: AES #4897 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1730
-Version 10.0.16299 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ] |
-Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556
-Version 10.0.15063 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ] |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555
-Version 10.0.15063 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ] |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433
-Version 7.00.2872 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ] |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432
-Version 8.00.6246 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ] |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430
-Version 7.00.2872 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ] |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429
-Version 8.00.6246 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ] |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222
-Version 10.0.14393 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ] |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217
-Version 10.0.14393 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ] |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955
-Version 10.0.10586 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ] |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868
-Version 10.0.10240 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ] |
-Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489
-Version 6.3.9600 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ] |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ] |
-Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193 |
-
-
-| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ] |
-Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23 |
-
-
-| DRBG (SP 800–90) |
-Windows Vista Ultimate SP1, vendor-affirmed |
-
-
-
-
-
-#### Digital Signature Algorithm (DSA)
-
-
-
-
-
-
-
-
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
-
-
-
-- DSA:
-
-- 186-4:
-
-- PQGGen:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - PQGVer:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - SigGen:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - SigVer:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - KeyPair:
-
-- L = 2048, N = 256
-- L = 3072, N = 256
-
-Prerequisite: SHS #4011, DRBG #1732 |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #1303
-Version 10.0.15063.674 |
-
-
-
-- DSA:
-
-- 186-4:
-
-- PQGGen:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - PQGVer:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - SigGen:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - SigVer:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - KeyPair:
-
--
--
-- L = 2048, N = 256
-- L = 3072, N = 256
-
-Prerequisite: SHS #4010, DRBG #1731 |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1302
-Version 10.0.15254 |
-
-
-
-- DSA:
-
-- 186-4:
-
-- PQGGen:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - PQGVer:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - SigGen:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - SigVer:
-
-- L = 2048, N = 256 SHA: SHA-256
-- L = 3072, N = 256 SHA: SHA-256
- - KeyPair:
-
-- L = 2048, N = 256
-- L = 3072, N = 256
-
-Prerequisite: SHS #4009, DRBG #1730 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301
-Version 10.0.16299 |
-
-
-FIPS186-4:
-PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-KeyPairGen: [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-SHS: Val#3790
-DRBG: Val# 1555 |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223
-Version 10.0.15063 |
-
-
-FIPS186-4:
-PQG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
-SIG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
-SHS: Val# 3649 |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188
-Version 7.00.2872 |
-
-
-FIPS186-4:
-PQG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
-SIG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
-SHS: Val#3648 |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187
-Version 8.00.6246 |
-
-
-FIPS186-4:
-PQG(gen)PARMS TESTED: [
-(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-KeyPairGen: [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED: [ (2048,256)
-SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-SHS: Val# 3347
-DRBG: Val# 1217 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098
-Version 10.0.14393 |
-
-
-FIPS186-4:
-PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
-KeyPairGen: [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-SHS: Val# 3047
-DRBG: Val# 955 |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024
-Version 10.0.10586 |
-
-
-FIPS186-4:
-PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-KeyPairGen: [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-SHS: Val# 2886
-DRBG: Val# 868 |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983
-Version 10.0.10240 |
-
-
-FIPS186-4:
-PQG(gen)PARMS TESTED: [
-(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256)
-SHA( 256 ); (3072,256) SHA( 256 ) ]
-KeyPairGen: [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-SHS: Val# 2373
-DRBG: Val# 489 |
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855
-Version 6.3.9600 |
-
-
-FIPS186-2:
-PQG(ver) MOD(1024);
-SIG(ver) MOD(1024);
-SHS: #1903
-DRBG: #258
-FIPS186-4:
-PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-SHS: #1903
-DRBG: #258
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687. |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687 |
-
-
-FIPS186-2:
-PQG(ver) MOD(1024);
-SIG(ver) MOD(1024);
-SHS: #1902
-DRBG: #258
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686. |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686 |
-
-
-FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 1773
-DRBG: Val# 193
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645. |
-Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645 |
-
-
-FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 1081
-DRBG: Val# 23
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386. |
-Windows Server 2008 R2 and SP1 CNG algorithms #391
-Windows 7 Ultimate and SP1 CNG algorithms #386 |
-
-
-FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 1081
-RNG: Val# 649
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385. |
-Windows Server 2008 R2 and SP1 Enhanced DSS (DSSENH) #390
-Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385 |
-
-
-FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 753
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283. |
-Windows Server 2008 CNG algorithms #284
-Windows Vista Ultimate SP1 CNG algorithms #283 |
-
-
-FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 753
-RNG: Val# 435
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281. |
-Windows Server 2008 Enhanced DSS (DSSENH) #282
-Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281 |
-
-
-FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 618
-RNG: Val# 321
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226. |
-Windows Vista CNG algorithms #227
-Windows Vista Enhanced DSS (DSSENH) #226 |
-
-
-FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 784
-RNG: Val# 448
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292. |
-Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292 |
-
-
-FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 783
-RNG: Val# 447
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291. |
-Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291 |
-
-
-FIPS186-2:
-PQG(gen) MOD(1024);
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
-SIG(ver) MOD(1024);
-SHS: Val# 611
-RNG: Val# 314 |
-Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221 |
-
-
-FIPS186-2:
-PQG(gen) MOD(1024);
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
-SIG(ver) MOD(1024);
-SHS: Val# 385 |
-Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146 |
-
-
-FIPS186-2:
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
-SIG(ver) MOD(1024);
-SHS: Val# 181
-
- |
-Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95 |
-
-
-FIPS186-2:
-PQG(gen) MOD(1024);
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
-SHS: SHA-1 (BYTE)
-SIG(ver) MOD(1024);
-SHS: SHA-1 (BYTE) |
-Windows 2000 DSSENH.DLL #29
-Windows 2000 DSSBASE.DLL #28
-Windows NT 4 SP6 DSSENH.DLL #26
-Windows NT 4 SP6 DSSBASE.DLL #25 |
-
-
-FIPS186-2: PRIME;
-FIPS186-2:
-KEYGEN(Y):
-SHS: SHA-1 (BYTE)
-SIG(gen):
-SIG(ver) MOD(1024);
-SHS: SHA-1 (BYTE) |
-Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17 |
-
-
-
-
-
-#### Elliptic Curve Digital Signature Algorithm (ECDSA)
-
-
-
-
-
-
-
-
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
-
-
-
-- ECDSA:
-
-- 186-4:
-
-- Key Pair Generation:
-
-- Curves: P-256, P-384, P-521
-- Generation Methods: Extra Random Bits
- - Public Key Validation:
-
-- Curves: P-256, P-384, P-521
- - Signature Generation:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
- - Signature Verification:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: SHS #2373, DRBG #489 |
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263
-Version 6.3.9600 |
-
-
-
-- ECDSA:
-
-- 186-4:
-
-- Key Pair Generation:
-
-- Curves: P-256, P-384
-- Generation Methods: Testing Candidates
-
-Prerequisite: SHS #4011, DRBG #1734 |
-Microsoft Surface Hub Virtual TPM Implementations #1253
-Version 10.0.15063.674 |
-
-
-
-- ECDSA:
-
-- 186-4:
-
-- Key Pair Generation:
-
-- Curves: P-256, P-384
-- Generation Methods: Testing Candidates
-
-Prerequisite: SHS #4009, DRBG #1733 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1252
-Version 10.0.16299 |
-
-
-
-- ECDSA:
-
-- 186-4:
-
-- Key Pair Generation:
-
-- Curves: P-256, P-384, P-521
-- Generation Methods: Extra Random Bits
- - Public Key Validation:
-
-- Curves: P-256, P-384, P-521
- - Signature Generation:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
- - Signature Verification:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: SHS #4011, DRBG #1732 |
-Microsoft Surface Hub MsBignum Cryptographic Implementations #1251
-Version 10.0.15063.674 |
-
-
-
-- ECDSA:
-
-- 186-4:
-
-- Key Pair Generation:
-
-- Curves: P-256, P-384, P-521
-- Generation Methods: Extra Random Bits
- - Public Key Validation:
-
-- Curves: P-256, P-384, P-521
- - Signature Generation:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
- - Signature Verification:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: SHS #4011, DRBG #1732 |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #1250
-Version 10.0.15063.674 |
-
-
-
-- ECDSA:
-
-- 186-4:
-
-- Key Pair Generation:
-
-- Curves: P-256, P-384, P-521
-- Generation Methods: Extra Random Bits
- - Public Key Validation:
-
-- Curves: P-256, P-384, P-521
- - Signature Generation:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
- - Signature Verification:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: SHS #4010, DRBG #1731 |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1249
-Version 10.0.15254 |
-
-
-
-- ECDSA:
-
-- 186-4:
-
-- Key Pair Generation:
-
-- Curves: P-256, P-384, P-521
-- Generation Methods: Extra Random Bits
- - Public Key Validation:
-
-- Curves: P-256, P-384, P-521
- - Signature Generation:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
- - Signature Verification:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: SHS #4010, DRBG #1731 |
-Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1248
-Version 10.0.15254 |
-
-
-
-- ECDSA:
-
-- 186-4:
-
-- Key Pair Generation:
-
-- Curves: P-256, P-384, P-521
-- Generation Methods: Extra Random Bits
- - Public Key Validation:
-
-- Curves: P-256, P-384, P-521
- - Signature Generation:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
- - Signature Verification:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: SHS #4009, DRBG #1730 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1247
-Version 10.0.16299 |
-
-
-
-- ECDSA:
-
-- 186-4:
-
-- Key Pair Generation:
-
-- Curves: P-256, P-384, P-521
-- Generation Methods: Extra Random Bits
- - Public Key Validation:
-
-- Curves: P-256, P-384, P-521
- - Signature Generation:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
- - Signature Verification:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: SHS #4009, DRBG #1730 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1246
-Version 10.0.16299 |
-
-
-FIPS186-4:
-PKG: CURVES( P-256 P-384 TestingCandidates )
-SHS: Val#3790
-DRBG: Val# 1555 |
-Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136
-Version 10.0.15063 |
-
-
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val#3790
-DRBG: Val# 1555 |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135
-Version 10.0.15063 |
-
-
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val#3790
-DRBG: Val# 1555 |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133
-Version 10.0.15063 |
-
-
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
-SHS:Val# 3649
-DRBG:Val# 1430 |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073
-Version 7.00.2872 |
-
-
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
-SHS:Val#3648
-DRBG:Val# 1429 |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072
-Version 8.00.6246 |
-
-
-FIPS186-4:
-PKG: CURVES( P-256 P-384 TestingCandidates )
-PKV: CURVES( P-256 P-384 )
-SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )
-SHS: Val# 3347
-DRBG: Val# 1222 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920
-Version 10.0.14393 |
-
-
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val# 3347
-DRBG: Val# 1217 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911
-Version 10.0.14393 |
-
-
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val# 3047
-DRBG: Val# 955 |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760
-Version 10.0.10586 |
-
-
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val# 2886
-DRBG: Val# 868 |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #706
-Version 10.0.10240 |
-
-
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val#2373
-DRBG: Val# 489 |
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505
-Version 6.3.9600 |
-
-
-FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: #1903
-DRBG: #258
-SIG(ver):CURVES( P-256 P-384 P-521 )
-SHS: #1903
-DRBG: #258
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: #1903
-DRBG: #258
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341. |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341 |
-
-
-FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#1773
-DRBG: Val# 193
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#1773
-DRBG: Val# 193
-FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val#1773
-DRBG: Val# 193
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295. |
-Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295 |
-
-
-FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#1081
-DRBG: Val# 23
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#1081
-DRBG: Val# 23
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141. |
-Windows Server 2008 R2 and SP1 CNG algorithms #142
-Windows 7 Ultimate and SP1 CNG algorithms #141 |
-
-
-FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#753
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#753
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82. |
-Windows Server 2008 CNG algorithms #83
-Windows Vista Ultimate SP1 CNG algorithms #82 |
-
-
-FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#618
-RNG: Val# 321
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#618
-RNG: Val# 321
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60. |
-Windows Vista CNG algorithms #60 |
-
-
-
-
-
-#### Keyed-Hash Message Authentication Code (HMAC)
-
-
-
-
-
-
-
-
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
-
-
-
-- HMAC-SHA-1:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-256:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-384:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
-
-Prerequisite: SHS #4011 |
-Microsoft Surface Hub Virtual TPM Implementations #3271
-Version 10.0.15063.674 |
-
-
-
-- HMAC-SHA-1:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-256:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-384:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
-
-Prerequisite: SHS #4009 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #3270
-Version 10.0.16299 |
-
-
-
-- HMAC-SHA-1:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-256:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-384:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-512:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
-
-Prerequisite: SHS #4011 |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #3269
-Version 10.0.15063.674 |
-
-
-
-- HMAC-SHA-1:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-256:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-384:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-512:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
-
-Prerequisite: SHS #4010 |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #3268
-Version 10.0.15254 |
-
-
-
-- HMAC-SHA-1:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-256:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-384:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
- - HMAC-SHA2-512:
-
-- Key Sizes < Block Size
-- Key Sizes > Block Size
-- Key Sizes = Block Size
-
-Prerequisite: SHS #4009 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #3267
-Version 10.0.16299 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 |
-Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062
-Version 10.0.15063 |
-
-
-HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061
-Version 10.0.15063 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652 |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946
-Version 7.00.2872 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651 |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945
-Version 8.00.6246 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649 |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943
-Version 7.00.2872 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648 |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942
-Version 8.00.6246 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
-SHS Val# 3347
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
-SHS Val# 3347
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
-SHS Val# 3347 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661
-Version 10.0.14393 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651
-Version 10.0.14393 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
-SHS Val# 3047
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
-SHS Val# 3047
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
-SHS Val# 3047
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
-SHS Val# 3047 |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381
-Version 10.0.10586 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
-SHSVal# 2886
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
-SHSVal# 2886
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
- SHSVal# 2886
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
-SHSVal# 2886 |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233
-Version 10.0.10240 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
-SHS Val#2373
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
-SHS Val#2373
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
-SHS Val#2373
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
-SHS Val#2373 |
-Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773
-Version 6.3.9600 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764 |
-Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122
-Version 5.2.29344 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902
-HMAC-SHA256 ( Key Size Ranges Tested: KS#1902 |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902 |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
-SHS#1903
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
-SHS#1903
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
-SHS#1903
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
-SHS#1903 |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773
-Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773 |
-Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774 |
-Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081 |
-Windows Server 2008 R2 and SP1 CNG algorithms #686
-Windows 7 and SP1 CNG algorithms #677
-Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687
-Windows 7 Enhanced Cryptographic Provider (RSAENH) #673 |
-
-
-HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081
-HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081 |
-Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816 |
-Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753
-HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753 |
-Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753 |
-Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408
-Windows Vista Enhanced Cryptographic Provider (RSAENH) #407 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618 |
-Windows Vista Enhanced Cryptographic Provider (RSAENH) #297 |
-
-
-| HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785 |
-Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429
-Windows XP, vendor-affirmed |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783 |
-Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613 |
-Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289 |
-
-
-| HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610 |
-Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753 |
-Windows Server 2008 CNG algorithms #413
-Windows Vista Ultimate SP1 CNG algorithms #412 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737
-HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737 |
-Windows Vista Ultimate BitLocker Drive Encryption #386 |
-
-
-HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618 |
-Windows Vista CNG algorithms #298 |
-
-
-HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589 |
-Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267 |
-
-
-HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578 |
-Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260 |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495
-HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495 |
-Windows Vista BitLocker Drive Encryption #199 |
-
-
-| HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364 |
-Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99
-Windows XP, vendor-affirmed |
-
-
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305
-HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305
-HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305
-HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305 |
-Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31 |
-
-
-
-
-
-#### Key Agreement Scheme (KAS)
-
-
-
-
-
-
-
-
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
-
-
-
-- KAS ECC:
-
-- Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
-- Schemes:
-
-- Full Unified:
-
-- Key Agreement Roles: Initiator, Responder
-- KDFs: Concatenation
-- Parameter Sets:
-
-- EC:
-
-- Curve: P-256
-- SHA: SHA-256
-- MAC: HMAC
- - ED:
-
-- Curve: P-384
-- SHA: SHA-384
-- MAC: HMAC
-
-Prerequisite: SHS #4011, ECDSA #1253, DRBG #1734 |
-Microsoft Surface Hub Virtual TPM Implementations #150
-Version 10.0.15063.674 |
-
-
-
-- KAS ECC:
-
-- Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
-- Schemes:
-
-- Full Unified:
-
-- Key Agreement Roles: Initiator, Responder
-- KDFs: Concatenation
-- Parameter Sets:
-
-- EC:
-
-- Curve: P-256
-- SHA: SHA-256
-- MAC: HMAC
- - ED:
-
-- Curve: P-384
-- SHA: SHA-384
-- MAC: HMAC
-
-Prerequisite: SHS #4009, ECDSA #1252, DRBG #1733 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #149
-Version 10.0.16299 |
-
-
-
-- KAS ECC:
-
-- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
-- Schemes:
-
-- Ephemeral Unified:
-
-- Key Agreement Roles: Initiator, Responder
-- KDFs: Concatenation
-- Parameter Sets:
-
-- EC:
-
-- Curve: P-256
-- SHA: SHA-256
-- MAC: HMAC
- - ED:
-
-- Curve: P-384
-- SHA: SHA-384
-- MAC: HMAC
- - EE:
-
-- Curve: P-521
-- SHA: SHA-512
-- MAC: HMAC
- - One Pass DH:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- EC:
-
-- Curve: P-256
-- SHA: SHA-256
-- MAC: HMAC
- - ED:
-
-- Curve: P-384
-- SHA: SHA-384
-- MAC: HMAC
- - EE:
-
-- Curve: P-521
-- SHA: SHA-512
-- MAC: HMAC
- - Static Unified:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- EC:
-
-- Curve: P-256
-- SHA: SHA-256
-- MAC: HMAC
- - ED:
-
-- Curve: P-384
-- SHA: SHA-384
-- MAC: HMAC
- - EE:
-
-- Curve: P-521
-- SHA: SHA-512
-- MAC: HMAC
-
-Prerequisite: SHS #4011, ECDSA #1250, DRBG #1732
-
-- KAS FFC:
-
-- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
-- Schemes:
-
-- dhEphem:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- FB:
-
-- SHA: SHA-256
-- MAC: HMAC
- - FC:
-
-- SHA: SHA-256
-- MAC: HMAC
- - dhOneFlow:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- FB:
-
-- SHA: SHA-256
-- MAC: HMAC
- - FC:
-
-- SHA: SHA-256
-- MAC: HMAC
- - dhStatic:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- FB:
-
-- SHA: SHA-256
-- MAC: HMAC
- - FC:
-
-- SHA: SHA-256
-- MAC: HMAC
-
-Prerequisite: SHS #4011, DSA #1303, DRBG #1732 |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #148
-Version 10.0.15063.674 |
-
-
-
-- KAS ECC:
-
-- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
-- Schemes:
-
-- Ephemeral Unified:
-
-- Key Agreement Roles: Initiator, Responder
-- KDFs: Concatenation
-- Parameter Sets:
-
-- EC:
-
-- Curve: P-256
-- SHA: SHA-256
-- MAC: HMAC
- - ED:
-
-- Curve: P-384
-- SHA: SHA-384
-- MAC: HMAC
- - EE:
-
-- Curve: P-521
-- SHA: SHA-512
-- MAC: HMAC
- - One Pass DH:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- EC:
-
-- Curve: P-256
-- SHA: SHA-256
-- MAC: HMAC
- - ED:
-
-- Curve: P-384
-- SHA: SHA-384
-- MAC: HMAC
- - EE:
-
-- Curve: P-521
-- SHA: SHA-512
-- MAC: HMAC
- - Static Unified:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- EC:
-
-- Curve: P-256
-- SHA: SHA-256
-- MAC: HMAC
- - ED:
-
-- Curve: P-384
-- SHA: SHA-384
-- MAC: HMAC
- - EE:
-
-- Curve: P-521
-- SHA: SHA-512
-- MAC: HMAC
-
-Prerequisite: SHS #4010, ECDSA #1249, DRBG #1731
-
-- KAS FFC:
-
-- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
-- Schemes:
-
-- dhEphem:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- FB:
-
-- SHA: SHA-256
-- MAC: HMAC
- - FC:
-
-- SHA: SHA-256
-- MAC: HMAC
- - dhOneFlow:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- FB:
-
-- SHA: SHA-256
-- MAC: HMAC
- - FC:
-
-- SHA: SHA-256
-- MAC: HMAC
- - dhStatic:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- FB:
-
-- SHA: SHA-256
-- MAC: HMAC
- - FC:
-
-- SHA: SHA-256
-- MAC: HMAC
-
-Prerequisite: SHS #4010, DSA #1302, DRBG #1731 |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #147
-Version 10.0.15254 |
-
-
-
-- KAS ECC:
-
-- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
-- Schemes:
-
-- Ephemeral Unified:
-
-- Key Agreement Roles: Initiator, Responder
-- KDFs: Concatenation
-- Parameter Sets:
-
-- EC:
-
-- Curve: P-256
-- SHA: SHA-256
-- MAC: HMAC
- - ED:
-
-- Curve: P-384
-- SHA: SHA-384
-- MAC: HMAC
- - EE:
-
-- Curve: P-521
-- SHA: SHA-512
-- MAC: HMAC
- - One Pass DH:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- EC:
-
-- Curve: P-256
-- SHA: SHA-256
-- MAC: HMAC
- - ED:
-
-- Curve: P-384
-- SHA: SHA-384
-- MAC: HMAC
- - EE:
-
-- Curve: P-521
-- SHA: SHA-512
-- MAC: HMAC
- - Static Unified:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- EC:
-
-- Curve: P-256
-- SHA: SHA-256
-- MAC: HMAC
- - ED:
-
-- Curve: P-384
-- SHA: SHA-384
-- MAC: HMAC
- - EE:
-
-- Curve: P-521
-- SHA: SHA-512
-- MAC: HMAC
-
-Prerequisite: SHS #4009, ECDSA #1246, DRBG #1730
-
-- KAS FFC:
-
-- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
-- Schemes:
-
-- dhEphem:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- FB:
-
-- SHA: SHA-256
-- MAC: HMAC
- - FC:
-
-- SHA: SHA-256
-- MAC: HMAC
- - dhOneFlow:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- FB:
-
-- SHA: SHA-256
-- MAC: HMAC
- - FC:
-
-- SHA: SHA-256
-- MAC: HMAC
- - dhStatic:
-
-- Key Agreement Roles: Initiator, Responder
-- Parameter Sets:
-
-- FB:
-
-- SHA: SHA-256
-- MAC: HMAC
- - FC:
-
-- SHA: SHA-256
-- MAC: HMAC
-
-Prerequisite: SHS #4009, DSA #1301, DRBG #1730 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #146
-Version 10.0.16299 |
-
-
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ]
-SHS Val#3790
-DSA Val#1135
-DRBG Val#1556 |
-Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #128
-Version 10.0.15063 |
-
-
-FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-SHS Val#3790
-DSA Val#1223
-DRBG Val#1555
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-
-SHS Val#3790
-ECDSA Val#1133
-DRBG Val#1555 |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127
-Version 10.0.15063 |
-
-
-FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-SHS Val# 3649
-DSA Val#1188
-DRBG Val#1430
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115
-Version 7.00.2872 |
-
-
-FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhHybridOneFlow ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-SHS Val#3648
-DSA Val#1187
-DRBG Val#1429
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-
-SHS Val#3648
-ECDSA Val#1072
-DRBG Val#1429 |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114
-Version 8.00.6246 |
-
-
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration )
-SCHEMES [ FullUnified ( No_KC < KARole(s): Initiator / Responder > < KDF: CONCAT > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ]
-SHS Val# 3347 ECDSA Val#920 DRBG Val#1222 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93
-Version 10.0.14393 |
-
-
-FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation )
-SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic (No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-SHS Val# 3347 DSA Val#1098 DRBG Val#1217
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-SHS Val# 3347 DSA Val#1098 ECDSA Val#911 DRBG Val#1217 HMAC Val#2651 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #92
-Version 10.0.14393 |
-
-
-FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-SHS Val# 3047 DSA Val#1024 DRBG Val#955
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-SHS Val# 3047 ECDSA Val#760 DRBG Val#955 |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72
-Version 10.0.10586 |
-
-
-FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-SHS Val# 2886 DSA Val#983 DRBG Val#868
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-SHS Val# 2886 ECDSA Val#706 DRBG Val#868 |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64
-Version 10.0.10240 |
-
-
-FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-SHS Val#2373 DSA Val#855 DRBG Val#489
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-SHS Val#2373 ECDSA Val#505 DRBG Val#489 |
-Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47
-Version 6.3.9600 |
-
-
-FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-SHS #1903 DSA Val#687 DRBG #258
-ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-
-SHS #1903 ECDSA Val#341 DRBG #258 |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36 |
-
-
-KAS (SP 800–56A)
-key agreement
-key establishment methodology provides 80 to 256 bits of encryption strength |
-Windows 7 and SP1, vendor-affirmed
-Windows Server 2008 R2 and SP1, vendor-affirmed |
-
-
-
-
-
-SP 800-108 Key-Based Key Derivation Functions (KBKDF)
-
-
-
-
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
-
-
-
-- Counter:
-
-- MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
-
-MAC prerequisite: HMAC #3271
-
-
-- Counter Location: Before Fixed Data
-- R Length: 32 (bits)
-- SPs used to generate K: SP 800-56A, SP 800-90A
-
- K prerequisite: DRBG #1734, KAS #150 |
-Microsoft Surface Hub Virtual TPM Implementations #161
-Version 10.0.15063.674 |
-
-
-
-- Counter:
-
-- MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
-
-MAC prerequisite: HMAC #3270
-
-
-- Counter Location: Before Fixed Data
-- R Length: 32 (bits)
-- SPs used to generate K: SP 800-56A, SP 800-90A
-
- K prerequisite: DRBG #1733, KAS #149 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #160
-Version 10.0.16299 |
-
-
-
-- Counter:
-
-- MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
-
-MAC prerequisite: AES #4902, HMAC #3269
-
-
-- Counter Location: Before Fixed Data
-- R Length: 32 (bits)
-- SPs used to generate K: SP 800-56A, SP 800-90A
-- K prerequisite: KAS #148
-
- |
-Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #159
-Version 10.0.15063.674 |
-
-
-
-- Counter:
-
-- MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
-
-MAC prerequisite: AES #4901, HMAC #3268
-
-
-- Counter Location: Before Fixed Data
-- R Length: 32 (bits)
-- SPs used to generate K: SP 800-56A, SP 800-90A
-
- K prerequisite: KAS #147 |
-Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #158
-Version 10.0.15254 |
-
-
-
-- Counter:
-
-- MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
-
-MAC prerequisite: AES #4897, HMAC #3267
-
-
-- Counter Location: Before Fixed Data
-- R Length: 32 (bits)
-- SPs used to generate K: SP 800-56A, SP 800-90A
-
- K prerequisite: KAS #146 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #157
-Version 10.0.16299 |
-
-
-CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
-
-KAS Val#128
-DRBG Val#1556
-MAC Val#3062 |
-Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #141
-Version 10.0.15063 |
-
-
-CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
-
-KAS Val#127
-AES Val#4624
-DRBG Val#1555
-MAC Val#3061 |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #140
-Version 10.0.15063 |
-
-
-CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
-KAS Val#93 DRBG Val#1222 MAC Val#2661 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102
-Version 10.0.14393 |
-
-
-CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
-KAS Val#92 AES Val#4064 DRBG Val#1217 MAC Val#2651 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101
-Version 10.0.14393 |
-
-
-CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
-KAS Val#72 AES Val#3629 DRBG Val#955 MAC Val#2381 |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72
-Version 10.0.10586 |
-
-
-CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
-KAS Val#64 AES Val#3497 RBG Val#868 MAC Val#2233 |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66
-Version 10.0.10240 |
-
-
-CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
-DRBG Val#489 MAC Val#1773 |
-Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30
-Version 6.3.9600 |
-
-
-CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
-DRBG #258 HMAC Val#1345 |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3 |
-
-
-
-
-
-Random Number Generator (RNG)
-
-
-
-
-
-
-
-
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
-
-
-FIPS 186-2 General Purpose
-[ (x-Original); (SHA-1) ] |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110 |
-
-
-FIPS 186-2
-[ (x-Original); (SHA-1) ] |
-Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060
-Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292
-Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286
-Windows CE 5.00 and Window CE 5.01 Enhanced Cryptographic Provider (RSAENH) #66 |
-
-
-FIPS 186-2
-[ (x-Change Notice); (SHA-1) ]
-FIPS 186-2 General Purpose
-[ (x-Change Notice); (SHA-1) ] |
-Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649
-Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435
-Windows Vista RNG implementation #321 |
-
-
-FIPS 186-2 General Purpose
-[ (x-Change Notice); (SHA-1) ] |
-Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470
-Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449
-Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447
-Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #316
-Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313 |
-
-
-FIPS 186-2
-[ (x-Change Notice); (SHA-1) ] |
-Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448
-Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314 |
-
-
-
-
-
-#### RSA
-
-
-
-
-
-
-
-
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
-
-
-RSA:
-
-- 186-4:
-
-- Signature Generation PKCS1.5:
-
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384
- - Signature Generation PSS:
-
-- Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
- - Signature Verification PKCS1.5:
-
-- Mod 1024 SHA: SHA-1, SHA-256, SHA-384
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384
- - Signature Verification PSS:
-
-- Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-
-Prerequisite: SHS #4011, DRBG #1734 |
-Microsoft Surface Hub Virtual TPM Implementations #2677
-Version 10.0.15063.674 |
-
-
-RSA:
-
-- 186-4:
-
-- Signature Generation PKCS1.5:
-
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384
- - Signature Generation PSS:
-
-- Mod 2048:
-
-- SHA-1: Salt Length: 240 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
- - Signature Verification PKCS1.5:
-
-- Mod 1024 SHA: SHA-1, SHA-256, SHA-384
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384
- - Signature Verification PSS:
-
-- Mod 1024:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
- - Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-
-Prerequisite: SHS #4009, DRBG #1733 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #2676
-Version 10.0.16299 |
-
-
-RSA:
-
-- 186-4:
-
-- Key Generation:
-- Signature Verification PKCS1.5:
-
-- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-
-Prerequisite: SHS #4011, DRBG #1732 |
-Microsoft Surface Hub RSA32 Algorithm Implementations #2675
-Version 10.0.15063.674 |
-
-
-RSA:
-
-- 186-4:
-
-- Signature Verification PKCS1.5:
-
-- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-
-Prerequisite: SHS #4009, DRBG #1730 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations #2674
-Version 10.0.16299 |
-
-
-RSA:
-
-- 186-4:
-
-- Signature Verification PKCS1.5:
-
-- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-
-Prerequisite: SHS #4010, DRBG #1731 |
-Windows 10 Mobile (version 1709) RSA32 Algorithm Implementations #2673
-Version 10.0.15254 |
-
-
-RSA:
-
-- 186-4:
-
-- Key Generation:
-
-- Public Key Exponent: Fixed (10001)
-- Provable Primes with Conditions:
-
-- Mod lengths: 2048, 3072 (bits)
-- Primality Tests: C.3
- - Signature Generation PKCS1.5:
-
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Generation PSS:
-
-- Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Signature Verification PKCS1.5:
-
-- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Verification PSS:
-
-- Mod 1024:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 496 (bits)
- - Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
-
-Prerequisite: SHS #4011, DRBG #1732 |
-Microsoft Surface Hub MsBignum Cryptographic Implementations #2672
-Version 10.0.15063.674 |
-
-
-RSA:
-
-- 186-4:
-
-- Key Generation:
-
-- Probable Random Primes:
-
-- Mod lengths: 2048, 3072 (bits)
-- Primality Tests: C.2
- - Signature Generation PKCS1.5:
-
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Generation PSS:
-
-- Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Signature Verification PKCS1.5:
-
-- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Verification PSS:
-
-- Mod 1024:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 496 (bits)
- - Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
-
-Prerequisite: SHS #4011, DRBG #1732 |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #2671
-Version 10.0.15063.674 |
-
-
-RSA:
-
-- 186-4:
-
-- Key Generation:
-
-- Probable Random Primes:
-
-- Mod lengths: 2048, 3072 (bits)
-- Primality Tests: C.2
- - Signature Generation PKCS1.5:
-
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Generation PSS:
-
-- Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Signature Verification PKCS1.5:
-
-- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Verification PSS:
-
-- Mod 1024:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 496 (bits)
- - Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
-
-Prerequisite: SHS #4010, DRBG #1731 |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2670
-Version 10.0.15254 |
-
-
-RSA:
-
-- 186-4:
-
-- Key Generation:
-
-- Public Key Exponent: Fixed (10001)
-- Provable Primes with Conditions:
-
-- Mod lengths: 2048, 3072 (bits)
-- Primality Tests: C.3
- - Signature Generation PKCS1.5:
-
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Generation PSS:
-
-- Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Signature Verification PKCS1.5:
-
-- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Verification PSS:
-
-- Mod 1024:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 496 (bits)
- - Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
-
-Prerequisite: SHS #4010, DRBG #1731 |
-Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #2669
-Version 10.0.15254 |
-
-
-
-- 186-4:
-
-- Key Generation:
-
-- Public Key Exponent: Fixed (10001)
-- Provable Primes with Conditions:
-
-- Mod lengths: 2048, 3072 (bits)
-- Primality Tests: C.3
- - Signature Generation PKCS1.5:
-
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Generation PSS:
-
-- Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Signature Verification PKCS1.5:
-
-- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Verification PSS:
-
-- Mod 1024:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 496 (bits)
- - Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
-
-Prerequisite: SHS #4009, DRBG #1730 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #2668
-Version 10.0.16299 |
-
-
-
-- 186-4:
-
-- Key Generation:
-
-- Probable Random Primes:
-
-- Mod lengths: 2048, 3072 (bits)
-- Primality Tests: C.2
- - Signature Generation PKCS1.5:
-
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Generation PSS:
-
-- Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Signature Verification PKCS1.5:
-
-- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
-- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
- - Signature Verification PSS:
-
-- Mod 1024:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 496 (bits)
- - Mod 2048:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
- - Mod 3072:
-
-- SHA-1: Salt Length: 160 (bits)
-- SHA-256: Salt Length: 256 (bits)
-- SHA-384: Salt Length: 384 (bits)
-- SHA-512: Salt Length: 512 (bits)
-
-Prerequisite: SHS #4009, DRBG #1730 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2667
-Version 10.0.16299 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
-SHA Val#3790 |
-Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524
-Version 10.0.15063 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3790 |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523
-Version 10.0.15063 |
-
-
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-SHA Val#3790
-DRBG: Val# 1555 |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522
-Version 10.0.15063 |
-
-
-FIPS186-4:
-186-4KEY(gen):
-PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-SHA Val#3790 |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521
-Version 10.0.15063 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
-FIPS186-4:
-ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
-SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3652 |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415
-Version 7.00.2872 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
-FIPS186-4:
-ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
-SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3651 |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414
-Version 8.00.6246 |
-
-
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val# 3649 , SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
-PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val# 3649
-DRBG: Val# 1430 |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412
-Version 7.00.2872 |
-
-
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
-PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3648
-DRBG: Val# 1429 |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411
-Version 8.00.6246 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
-Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
-SHA Val# 3347 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206
-Version 10.0.14393 |
-
-
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
-SHA Val# 3347 DRBG: Val# 1217 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195
-Version 10.0.14393 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3346 |
-soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194
-Version 10.0.14393 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val# 3347 DRBG: Val# 1217 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193
-Version 10.0.14393 |
-
-
-FIPS186-4:
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-SHA Val# 3347 DRBG: Val# 1217 |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192
-Version 10.0.14393 |
-
-
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
-SHA Val# 3047 DRBG: Val# 955 |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889
-Version 10.0.10586 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3048 |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871
-Version 10.0.10586 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val# 3047 |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888
-Version 10.0.10586 |
-
-
-FIPS186-4:
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-SHA Val# 3047 |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887
-Version 10.0.10586 |
-
-
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
-SHA Val# 2886 DRBG: Val# 868 |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798
-Version 10.0.10240 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#2871 |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784
-Version 10.0.10240 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#2871 |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783
-Version 10.0.10240 |
-
-
-FIPS186-4:
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-Sig(Ver): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-SHA Val# 2886 |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802
-Version 10.0.10240 |
-
-
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
-SHA Val#2373 DRBG: Val# 489 |
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487
-Version 6.3.9600 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#2373 |
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494
-Version 6.3.9600 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#2373 |
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493
-Version 6.3.9600 |
-
-
-FIPS186-4:
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-SHA Val#2373 |
-Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519
-Version 6.3.9600 |
-
-
-FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 ))
-SHA #1903
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134. |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134 |
-
-
-FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
-SHA #1903 DRBG: #258 |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132. |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052. |
-Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051. |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051 |
-
-
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568. |
-Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568 |
-
-
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#567. See Historical RSA List Val#560. |
-Windows Server 2008 R2 and SP1 CNG algorithms #567
-Windows 7 and SP1 CNG algorithms #560 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559. |
-Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559 |
-
-
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#557. |
-Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#395. |
-Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#783
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#371. |
-Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371 |
-
-
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
-ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#358. See Historical RSA List Val#357. |
-Windows Server 2008 CNG algorithms #358
-Windows Vista SP1 CNG algorithms #357 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#355. See Historical RSA List Val#354. |
-Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355
-Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353. |
-Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258. |
-Windows Vista RSA key generation implementation #258 |
-
-
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
-ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#257. |
-Windows Vista CNG algorithms #257 |
-
-
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#255. |
-Windows Vista Enhanced Cryptographic Provider (RSAENH) #255 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#245. |
-Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#230. |
-Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#222. |
-Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222 |
-
-
-FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]:
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#364
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#81. |
-Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81 |
-
-
-FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#52. |
-Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52 |
-
-
-FIPS186-2:
-– PKCS#1 v1.5, signature generation and verification
-– Mod sizes: 1024, 1536, 2048, 3072, 4096
-– SHS: SHA–1/256/384/512 |
-Windows XP, vendor-affirmed
-Windows 2000, vendor-affirmed |
-
-
-
-
-
-#### Secure Hash Standard (SHS)
-
-
-
-
-
-
-
-
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
-
-
-
-- SHA-1:
-
-- Supports Empty Message
- - SHA-256:
-
-- Supports Empty Message
- - SHA-384:
-
-- Supports Empty Message
- - SHA-512:
-
-- Supports Empty Message
- |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #4011
-Version 10.0.15063.674 |
-
-
-
-- SHA-1:
-
-- Supports Empty Message
- - SHA-256:
-
-- Supports Empty Message
- - SHA-384:
-
-- Supports Empty Message
- - SHA-512:
-
-- Supports Empty Message
- |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4010
-Version 10.0.15254 |
-
-
-
-- SHA-1:
-
-- Supports Empty Message
- - SHA-256:
-
-- Supports Empty Message
- - SHA-384:
-
-- Supports Empty Message
- - SHA-512:
-
-- Supports Empty Message
- |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4009
-Version 10.0.16299 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3790
-Version 10.0.15063 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3652
-Version 7.00.2872 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3651
-Version 8.00.6246 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3649
-Version 7.00.2872 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3648
-Version 8.00.6246 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #3347
-Version 10.0.14393 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #3346
-Version 10.0.14393 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #3048
-Version 10.0.10586 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #3047
-Version 10.0.10586 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886
-Version 10.0.10240 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871
-Version 10.0.10240 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396
-Version 6.3.9600 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
-Version 6.3.9600 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)
-Implementation does not support zero-length (null) messages. |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1774
-Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1773 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows 7and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081
-Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816 |
-
-
-| SHA-1 (BYTE-only) |
-Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #785
-Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #784 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #783 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753
-Windows Vista Symmetric Algorithm Implementation #618 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only) |
-Windows Vista BitLocker Drive Encryption #737
-Windows Vista Beta 2 BitLocker Drive Encryption #495 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #613
-Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #364 |
-
-
-| SHA-1 (BYTE-only) |
-Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #611
-Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #610
-Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #385
-Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #371
-Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #181
-Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #177
-Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #176 |
-
-
-SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only) |
-Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #589
-Windows CE and Windows Mobile 6 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #578
-Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #305 |
-
-
-| SHA-1 (BYTE-only) |
-Windows XP Microsoft Enhanced Cryptographic Provider #83
-Crypto Driver for Windows 2000 (fips.sys) #35
-Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #32
-Windows 2000 RSAENH.DLL #24
-Windows 2000 RSABASE.DLL #23
-Windows NT 4 SP6 RSAENH.DLL #21
-Windows NT 4 SP6 RSABASE.DLL #20 |
-
-
-
-
-
-#### Triple DES
-
-
-
-
-
-
-
-
-| Modes / States / Key Sizes |
-Algorithm Implementation and Certificate # |
-
-
-
-- TDES-CBC:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- - TDES-CFB64:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- - TDES-CFB8:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- - TDES-ECB:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #2558
-Version 10.0.15063.674 |
-
-
-
-- TDES-CBC:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- - TDES-CFB64:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- - TDES-CFB8:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- - TDES-ECB:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2557
-Version 10.0.15254 |
-
-
-
-- TDES-CBC:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- - TDES-CFB64:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- - TDES-CFB8:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- - TDES-ECB:
-
-- Modes: Decrypt, Encrypt
-- Keying Option: 1
- |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2556
-Version 10.0.16299 |
-
-
-| TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, ) |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459
-Version 10.0.15063 |
-
-
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384
-Version 8.00.6246 |
-
-
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) |
-Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383
-Version 8.00.6246 |
-
-
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) ;
-CTR ( int only ) |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382
-Version 7.00.2872 |
-
-
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) |
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381
-Version 8.00.6246 |
-
-
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) ;
-TCFB8( KO 1 e/d, ) ;
-TCFB64( KO 1 e/d, ) |
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227
-
-
-Version 10.0.14393 |
-
-
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) ;
-TCFB8( KO 1 e/d, ) ;
-TCFB64( KO 1 e/d, ) |
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024
-
-
-Version 10.0.10586 |
-
-
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) ;
-TCFB8( KO 1 e/d, ) ;
-TCFB64( KO 1 e/d, ) |
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969
-
-
-Version 10.0.10240 |
-
-
-TECB( KO 1 e/d, ) ;
-TCBC( KO 1 e/d, ) ;
-TCFB8( KO 1 e/d, ) ;
-TCFB64( KO 1 e/d, ) |
-Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692
-Version 6.3.9600 |
-
-
-TECB( e/d; KO 1,2 ) ;
-TCBC( e/d; KO 1,2 ) ;
-TCFB8( e/d; KO 1,2 ) ;
-TCFB64( e/d; KO 1,2 ) |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387 |
-
-
-TECB( e/d; KO 1,2 ) ;
-TCBC( e/d; KO 1,2 ) ;
-TCFB8( e/d; KO 1,2 ) |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386 |
-
-
-TECB( e/d; KO 1,2 ) ;
-TCBC( e/d; KO 1,2 ) ;
-TCFB8( e/d; KO 1,2 ) |
-Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846 |
-
-
-TECB( e/d; KO 1,2 ) ;
-TCBC( e/d; KO 1,2 ) ;
-TCFB8( e/d; KO 1,2 ) |
-Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656 |
-
-
-TECB( e/d; KO 1,2 ) ;
-TCBC( e/d; KO 1,2 ) ;
-TCFB8( e/d; KO 1,2 ) |
-Windows Vista Symmetric Algorithm Implementation #549 |
-
-
-| Triple DES MAC |
-Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed
-Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed |
-
-
-TECB( e/d; KO 1,2 ) ;
-TCBC( e/d; KO 1,2 ) |
-Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308
-Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307
-Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691
-Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #677
-Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #676
-Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #675
-Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #544
-Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #543
-Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #542
-Windows CE 6.0 and Window CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #526
-Windows CE and Windows Mobile 6 and Windows Mobile 6.1 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #517
-Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #381
-Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #370
-Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #365
-Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #315
-Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #201
-Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #199
-Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #192
-Windows XP Microsoft Enhanced Cryptographic Provider #81
-Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #18
-Crypto Driver for Windows 2000 (fips.sys) #16 |
-
-
-
-
-
-#### SP 800-132 Password Based Key Derivation Function (PBKDF)
-
-
-
- |
- Modes / States / Key Sizes
- |
-
- Algorithm Implementation and Certificate #
- |
-
-
- |
- PBKDF (vendor affirmed) |
-
- Kernel Mode Cryptographic Primitives Library (cng.sys) Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2937
(Software Version: 10.0.14393)
- Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
(Software Version: 10.0.14393)
- Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2935
(Software Version: 10.0.14393)
- Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2931
(Software Version: 10.0.14393)
- |
-
-
- |
- PBKDF (vendor affirmed) |
-
- Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
(Software Version: 10.0.14393)
- Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG), vendor-affirmed
- |
-
-
-
-
-#### Component Validation List
-
-
-
-
-
-
-
-
-| Publication / Component Validated / Description |
-Implementation and Certificate # |
-
-
-
-- ECDSA SigGen:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: DRBG #489 |
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540
-Version 6.3.9600 |
-
-
-
-- RSASP1:
-
-- Modulus Size: 2048 (bits)
-- Padding Algorithms: PKCS 1.5
- |
-Microsoft Surface Hub Virtual TPM Implementations #1519
-Version 10.0.15063.674 |
-
-
-
-- RSASP1:
-
-- Modulus Size: 2048 (bits)
-- Padding Algorithms: PKCS 1.5
- |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1518
-Version 10.0.16299 |
-
-
-
-- RSADP:
-
-- Modulus Size: 2048 (bits)
- |
-Microsoft Surface Hub MsBignum Cryptographic Implementations #1517
-Version 10.0.15063.674 |
-
-
-
-- RSASP1:
-
-- Modulus Size: 2048 (bits)
-- Padding Algorithms: PKCS 1.5
- |
-Microsoft Surface Hub MsBignum Cryptographic Implementations #1516
-Version 10.0.15063.674 |
-
-
-
-- ECDSA SigGen:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
- Prerequisite: DRBG #1732 |
-Microsoft Surface Hub MsBignum Cryptographic Implementations #1515
-Version 10.0.15063.674 |
-
-
-
-- ECDSA SigGen:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: DRBG #1732 |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #1514
-Version 10.0.15063.674 |
-
-
-
-- RSADP:
-
-- Modulus Size: 2048 (bits)
- |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #1513
-Version 10.0.15063.674 |
-
-
-
-- RSASP1:
-
-- Modulus Size: 2048 (bits)
-- Padding Algorithms: PKCS 1.5
- |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #1512
-Version 10.0.15063.674 |
-
-
-
-- IKEv1:
-
-- Methods: Digital Signature, Pre-shared Key, Public Key Encryption
-- Pre-shared Key Length: 64-2048
-- Diffie-Hellman shared secrets:
-
-- Diffie-Hellman shared secret:
-
-- Length: 2048 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 256 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 384 (bits)
-- SHA Functions: SHA-384
-
-Prerequisite: SHS #4011, HMAC #3269
-
-- IKEv2:
-
-- Derived Keying Material length: 192-1792
-- Diffie-Hellman shared secrets:
-
-- Diffie-Hellman shared secret:
-
-- Length: 2048 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 256 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 384 (bits)
-- SHA Functions: SHA-384
-
-Prerequisite: SHS #4011, HMAC #3269
-
-- TLS:
-
-- Supports TLS 1.0/1.1
-- Supports TLS 1.2:
-
-- SHA Functions: SHA-256, SHA-384
-
-Prerequisite: SHS #4011, HMAC #3269 |
-Microsoft Surface Hub SymCrypt Cryptographic Implementations #1511
-Version 10.0.15063.674 |
-
-
-
-- ECDSA SigGen:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: DRBG #1731 |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1510
-Version 10.0.15254 |
-
-
-
-- RSADP:
-
-- Modulus Size: 2048 (bits)
- |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1509
-Version 10.0.15254 |
-
-
-
-- RSASP1:
-
-- Modulus Size: 2048 (bits)
-- Padding Algorithms: PKCS 1.5
- |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1508
-Version 10.0.15254 |
-
-
-
-- IKEv1:
-
-- Methods: Digital Signature, Pre-shared Key, Public Key Encryption
-- Pre-shared Key Length: 64-2048
-- Diffie-Hellman shared secrets:
-
-- Diffie-Hellman shared secret:
-
-- Length: 2048 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 256 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 384 (bits)
-- SHA Functions: SHA-384
-
-Prerequisite: SHS #4010, HMAC #3268
-
-- IKEv2:
-
-- Derived Keying Material length: 192-1792
-- Diffie-Hellman shared secrets:
-
-- Diffie-Hellman shared secret:
-
-- Length: 2048 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 256 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 384 (bits)
-- SHA Functions: SHA-384
-
-Prerequisite: SHS #4010, HMAC #3268
-
-- TLS:
-
-- Supports TLS 1.0/1.1
-- Supports TLS 1.2:
-
-- SHA Functions: SHA-256, SHA-384
-
-Prerequisite: SHS #4010, HMAC #3268 |
-Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1507
-Version 10.0.15254 |
-
-
-
-- ECDSA SigGen:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: DRBG #1731 |
-Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1506
-Version 10.0.15254 |
-
-
-
-- RSADP:
-
-- Modulus Size: 2048 (bits)
- |
-Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1505
-Version 10.0.15254 |
-
-
-
-- RSASP1:
-
-- Modulus Size: 2048 (bits)
-- Padding Algorithms: PKCS 1.5
- |
-Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1504
-Version 10.0.15254 |
-
-
-
-- ECDSA SigGen:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: DRBG #1730 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1503
-Version 10.0.16299 |
-
-
-
-- RSADP:
-
-- Modulus Size: 2048 (bits)
- |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1502
-Version 10.0.16299 |
-
-
-
-- RSASP1:
-
-- Modulus Size: 2048 (bits)
-- Padding Algorithms: PKCS 1.5
- |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1501
-Version 10.0.16299 |
-
-
-
-- ECDSA SigGen:
-
-- P-256 SHA: SHA-256
-- P-384 SHA: SHA-384
-- P-521 SHA: SHA-512
-
-Prerequisite: DRBG #1730 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1499
-Version 10.0.16299 |
-
-
-
-- RSADP:
-
-- Modulus Size: 2048 (bits)
- |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1498
-Version 10.0.16299
- |
-
-
-
-- RSASP1:
-
-- Modulus Size: 2048 (bits)
-- Padding Algorithms: PKCS 1.5
- |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1497
-Version 10.0.16299 |
-
-
-
-- IKEv1:
-
-- Methods: Digital Signature, Pre-shared Key, Public Key Encryption
-- Pre-shared Key Length: 64-2048
-- Diffie-Hellman shared secrets:
-
-- Diffie-Hellman shared secret:
-
-- Length: 2048 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 256 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 384 (bits)
-- SHA Functions: SHA-384
-
-Prerequisite: SHS #4009, HMAC #3267
-
-- IKEv2:
-
-- Derived Keying Material length: 192-1792
-- Diffie-Hellman shared secrets:
-
-- Diffie-Hellman shared secret:
-
-- Length: 2048 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 256 (bits)
-- SHA Functions: SHA-256
- - Diffie-Hellman shared secret:
-
-- Length: 384 (bits)
-- SHA Functions: SHA-384
-
-Prerequisite: SHS #4009, HMAC #3267
-
-- TLS:
-
-- Supports TLS 1.0/1.1
-- Supports TLS 1.2:
-
-- SHA Functions: SHA-256, SHA-384
-
-Prerequisite: SHS #4009, HMAC #3267 |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1496
-Version 10.0.16299 |
-
-
-FIPS186-4 ECDSA
-Signature Generation of hash sized messages
-ECDSA SigGen Component: CURVES( P-256 P-384 P-521 ) |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1284
-Version 10.0. 15063
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1279
-Version 10.0. 15063
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #922
-Version 10.0.14393
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894
-Version 10.0.14393icrosoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #666
-Version 10.0.10586
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288
-Version 6.3.9600 |
-
-
-FIPS186-4 RSA; PKCS#1 v2.1
-RSASP1 Signature Primitive
-RSASP1: (Mod2048: PKCS1.5 PKCSPSS) |
-Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1285
-Version 10.0.15063
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1282
-Version 10.0.15063
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1280
-Version 10.0.15063
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #893
-Version 10.0.14393
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #888
-Version 10.0.14393
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665
-Version 10.0.10586
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #572
-Version 10.0.10240
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry MsBignum Cryptographic Implementations #289
-Version 6.3.9600 |
-
-
-FIPS186-4 RSA; RSADP
-RSADP Primitive
-RSADP: (Mod2048) |
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1283
-Version 10.0.15063
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1281
-Version 10.0.15063
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #895
-Version 10.0.14393
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #887
-Version 10.0.14393
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #663
-Version 10.0.10586
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #576
-Version 10.0.10240 |
-
-
-SP800-135
-Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS |
-Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1496
-Version 10.0.16299
-Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1278
-Version 10.0.15063
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1140
-Version 7.00.2872
-Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1139
-Version 8.00.6246
-Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BcryptPrimitives and NCryptSSLp #886
-Version 10.0.14393
-Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BCryptPrimitives and NCryptSSLp #664
-Version 10.0.10586
-Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BCryptPrimitives and NCryptSSLp #575
-Version 10.0.10240
-Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp #323
-Version 6.3.9600 |
-
-
-
-
-
-## References
-
-\[[FIPS 140](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)\] - FIPS 140-2, Security Requirements for Cryptographic Modules
-
-\[[FIPS FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf)\] - Cryptographic Module Validation Program (CMVP) FAQ
-
-\[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\] - Recommendation for Key Management – Part 1: General (Revised)
-
-\[[SP 800-131A](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)\] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
-
-## Additional Microsoft References
-
-Enabling FIPS mode -
-
-Cipher Suites in Schannel - [http://msdn.microsoft.com/library/aa374757(VS.85).aspx](https://msdn.microsoft.com/library/aa374757\(vs.85\).aspx)
-
+
+Please be aware that selection of FIPS mode can limit product functionality (See ).
+
+## Information for Software Developers
+
+This section is targeted at developers who wish to build their own applications using the FIPS 140 validated cryptographic modules.
+
+Each of the validated cryptographic modules defines a series of rules that must be followed. The security rules for each validated cryptographic module are specified in the Security Policy document. Links to each of the Security Policy documents is provided in the [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) section below. Generally, the restriction in Microsoft validated cryptographic modules is limiting the use of cryptography to only FIPS Approved cryptographic algorithms, modes, and key sizes.
+
+### Using Microsoft Cryptographic Modules in a FIPS mode of operation
+
+No matter whether developing with native languages or using .NET, it is important to first check whether the CNG modules for the target system are FIPS validated. The list of validated CNG binaries is identified in the [CNG Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_cng_validated_cryptographic) section.
+
+When developing using CNG directly, it is the responsibility of the developer to follow the security rules outlined in the FIPS 140 Security Policy for each module. The security policy for each module is provided on the CMVP website. Links to each of the Security Policy documents is provided in the tables below. It is important to remember that setting the FIPS local/group security policy Flag (discussed above) does not affect the behavior of the modules when used for developing custom applications.
+
+If you are developing your application using .NET instead of using the native libraries, then setting the FIPS local policy flag will generate an exception when an improper .NET class is used for cryptography (i.e. the cryptographic classes whose names end in "Managed"). The names of these allowed classes end with "Cng", which use the CNG binaries or "CryptoServiceProvider", which use the legacy CAPI binaries.
+
+### Key Strengths and Validity Periods
+
+NIST Special Publication 800-131A Revision 1, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, dated November 2015, \[[SP 800-131A](http://dx.doi.org/10.6028/nist.sp.800-131ar1)\], offers guidance for moving to stronger cryptographic keys and algorithms. This does not replace NIST SP 800-57, Recommendation for Key Management Part 1: General, \[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\], but gives more specific guidance. One of the most important topics discussed in these publications deals with the key strengths of FIPS Approved algorithms and their validity periods. When developing applications that use FIPS Approved algorithms, it is also extremely important to select appropriate key sizes based on the security lifetimes recommended by NIST.
+
+## FIPS 140 FAQ
+
+The following are answers to commonly asked questions for the FIPS 140-2 validation of Microsoft products.
+
+1. How does FIPS 140 relate to the Common Criteria?
+ **Answer:** These are two separate security standards with different, but complementary, purposes. FIPS 140 is a standard designed specifically for validating product modules that implement cryptography. On the other hand, Common Criteria is designed to help evaluate security functions in IT products.
+ In many cases, Common Criteria evaluations will rely on FIPS 140 validations to provide assurance that cryptographic functionality is implemented properly.
+2. How does FIPS 140 relate to Suite B?
+ **Answer:** Suite B is simply a set of cryptographic algorithms defined by the U.S. National Security Agency (NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to be used for both unclassified information and most classified information.
+ The Suite B cryptographic algorithms are a subset of the FIPS Approved cryptographic algorithms as allowed by the FIPS 140 standard.
+3. There are so many modules listed on the NIST website for each release, how are they related and how do I tell which one applies to me?
+ **Answer:** Microsoft strives to validate all releases of its cryptographic modules. Each module provides a different set of cryptographic algorithms. If you are required to use only FIPS validated cryptographic modules, you simply need to verify that the version being used appears on the validation list.
+ Please see the [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140)section for a complete list of Microsoft validated modules.
+4. My application links against crypt32.dll, cryptsp.dll, advapi32.dll, bcrypt.dll, bcryptprimitives.dll, or ncrypt.dll. What do I need to do to assure I’m using FIPS 140 validated cryptographic modules?
+ **Answer:** crypt32.dll, cryptsp.dll, advapi32.dll, and ncrypt.dll are intermediary libraries that will offload all cryptographic operations to the FIPS validated cryptographic modules. Bcrypt.dll itself is a validated cryptographic module for Windows Vista and Windows Server 2008. For Windows 7 and Windows Server 2008 R2 and later, bcryptprimitives.dll is the validated module, but bcrypt.dll remains as one of the libraries to link against.
+ You must first verify that the underlying CNG cryptographic module is validated. Once verified, you'll need to confirm that you're using the module correctly in FIPS mode (See [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) section for details).
+5. What does "When operated in FIPS mode" mean on certificates?
+ **Answer:** This caveat identifies that a required configuration and security rules must be followed in order to use the cryptographic module in a manner consistent with its FIPS 140 Security Policy. The security rules are defined in the Security Policy for the module and usually revolve around using only FIPS Approved cryptographic algorithms and key sizes. Please see the Security Policy for the specific security rules for each cryptographic module (See [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) section for links to each policy).
+6. Which FIPS validated module is called when Windows 7 or Windows 8 is configured to use the FIPS setting in the wireless configuration?
+ **Answer:** CNG is used. This setting tells the wireless driver to call FIPS 140-2 validated cryptographic modules instead of using the driver’s own cryptography, if any.
+7. Is BitLocker to Go FIPS 140-2 validated?
+ **Answer:** There are two separate parts for BitLocker to Go. One part is simply a native feature of BitLocker and as such, it uses FIPS 140-2 validated cryptographic modules. The other part is the BitLocker to Go Reader application for down-level support of older operating systems such as Windows XP and Windows Vista. The Reader application does not use FIPS 140-2 validated cryptographic modules.
+8. Are applications FIPS 140-2 validated?
+ **Answer:** Microsoft only has low-level cryptographic modules in Windows FIPS 140-2 validated, not high-level applications. A better question is whether a certain application calls a FIPS 140-2 validated cryptographic module in the underlying Windows OS. That question needs to be directed to the company/product group that created the application of interest.
+9. How can Systems Center Operations Manager 2012 be configured to use FIPS 140-2 validated cryptographic modules?
+ **Answer:** See [https://technet.microsoft.com/library/hh914094.aspx](https://technet.microsoft.com/library/hh914094.aspx)
+
+## Microsoft FIPS 140 Validated Cryptographic Modules
+
+### Modules By Operating System
+
+The following tables identify the Cryptographic Modules for an operating system.
+
+#### Windows
+
+##### Windows 10 Creators Update (Version 1703)
+
+Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
+
+
+
+
+\[1\] Applies only to Home, Pro, Enterprise, Education and S
+
+\[2\] Applies only to Pro, Enterprise, Education, S, Mobile and Surface Hub
+
+\[3\] Applies only to Pro, Enterprise Education and S
+
+##### Windows 10 Anniversary Update (Version 1607)
+
+Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
+10.0.14393 |
+#2937 |
+FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+
+Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
+Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886) |
+
+
+| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+10.0.14393 |
+#2936 |
+FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+
+Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
+Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887) |
+
+
+| Boot Manager |
+10.0.14393 |
+#2931 |
+FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)
+Other algorithms: MD5; PBKDF (non-compliant); VMK KDF |
+
+
+| BitLocker® Windows OS Loader (winload) |
+10.0.14393 |
+#2932 |
+FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: NDRNG; MD5 |
+
+
+| BitLocker® Windows Resume (winresume)[1] |
+10.0.14393 |
+#2933 |
+FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: MD5 |
+
+
+| BitLocker® Dump Filter (dumpfve.sys)[2] |
+10.0.14393 |
+#2934 |
+FIPS Approved algorithms: AES (Certs. #4061 and #4064) |
+
+
+| Code Integrity (ci.dll) |
+10.0.14393 |
+#2935 |
+FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: AES (non-compliant); MD5
+Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888) |
+
+
+| Secure Kernel Code Integrity (skci.dll)[3] |
+10.0.14393 |
+#2938 |
+FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
+
+Other algorithms: MD5
+Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888) |
+
+
+
+
+
+\[1\] Applies only to Home, Pro, Enterprise and Enterprise LTSB
+
+\[2\] Applies only to Pro, Enterprise, Enterprise LTSB and Mobile
+
+\[3\] Applies only to Pro, Enterprise and Enterprise LTSB
+
+##### Windows 10 November 2015 Update (Version 1511)
+
+Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
+10.0.10586 |
+#2606 |
+FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
+
+Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
+Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664) |
+
+
+| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+10.0.10586 |
+#2605 |
+FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
+
+Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
+Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663) |
+
+
+| Boot Manager[4] |
+10.0.10586 |
+#2700 |
+FIPS Approved algorithms: AES (Certs. #3653); HMAC (Cert. #2381); PBKDF (vendor affirmed); RSA (Cert. #1871); SHS (Certs. #3047 and #3048)
+
+Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) |
+
+
+| BitLocker® Windows OS Loader (winload)[5] |
+10.0.10586 |
+#2701 |
+FIPS Approved algorithms: AES (Certs. #3629 and #3653); RSA (Cert. #1871); SHS (Cert. #3048)
+
+Other algorithms: MD5; NDRNG |
+
+
+| BitLocker® Windows Resume (winresume)[6] |
+10.0.10586 |
+#2702 |
+FIPS Approved algorithms: AES (Certs. #3653); RSA (Cert. #1871); SHS (Cert. #3048)
+
+Other algorithms: MD5 |
+
+
+| BitLocker® Dump Filter (dumpfve.sys)[7] |
+10.0.10586 |
+#2703 |
+FIPS Approved algorithms: AES (Certs. #3653) |
+
+
+| Code Integrity (ci.dll) |
+10.0.10586 |
+#2604 |
+FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
+
+Other algorithms: AES (non-compliant); MD5
+Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665) |
+
+
+| Secure Kernel Code Integrity (skci.dll)[8] |
+10.0.10586 |
+#2607 |
+FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
+
+Other algorithms: MD5
+Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665) |
+
+
+
+
+
+\[4\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub
+
+\[5\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub
+
+\[6\] Applies only to Home, Pro and Enterprise
+
+\[7\] Applies only to Pro, Enterprise, Mobile and Surface Hub
+
+\[8\] Applies only to Enterprise and Enterprise LTSB
+
+##### Windows 10 (Version 1507)
+
+Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Hub
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
+10.0.10240 |
+#2606 |
+FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
+
+Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
+Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575) |
+
+
+| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+10.0.10240 |
+#2605 |
+FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
+
+Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
+Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576) |
+
+
+| Boot Manager[9] |
+10.0.10240 |
+#2600 |
+FIPS Approved algorithms: AES (Cert. #3497); HMAC (Cert. #2233); KTS (AES Cert. #3498); PBKDF (vendor affirmed); RSA (Cert. #1784); SHS (Certs. #2871 and #2886)
+
+Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) |
+
+
+| BitLocker® Windows OS Loader (winload)[10] |
+10.0.10240 |
+#2601 |
+FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
+
+Other algorithms: MD5; NDRNG |
+
+
+| BitLocker® Windows Resume (winresume)[11] |
+10.0.10240 |
+#2602 |
+FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
+
+Other algorithms: MD5 |
+
+
+| BitLocker® Dump Filter (dumpfve.sys)[12] |
+10.0.10240 |
+#2603 |
+FIPS Approved algorithms: AES (Certs. #3497 and #3498) |
+
+
+| Code Integrity (ci.dll) |
+10.0.10240 |
+#2604 |
+FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
+
+Other algorithms: AES (non-compliant); MD5
+Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572) |
+
+
+| Secure Kernel Code Integrity (skci.dll)[13] |
+10.0.10240 |
+#2607 |
+FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
+
+Other algorithms: MD5
+Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572) |
+
+
+
+
+
+\[9\] Applies only to Home, Pro, Enterprise and Enterprise LTSB
+
+\[10\] Applies only to Home, Pro, Enterprise and Enterprise LTSB
+
+\[11\] Applies only to Home, Pro, Enterprise and Enterprise LTSB
+
+\[12\] Applies only to Pro, Enterprise and Enterprise LTSB
+
+\[13\] Applies only to Enterprise and Enterprise LTSB
+
+##### Windows 8.1
+
+Validated Editions: RT, Pro, Enterprise, Phone, Embedded
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
+6.3.9600 6.3.9600.17031 |
+#2357 |
+FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
+
+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
+Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323) |
+
+
+| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+6.3.9600 6.3.9600.17042 |
+#2356 |
+FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
+
+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
+Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289) |
+
+
+| Boot Manager |
+6.3.9600 6.3.9600.17031 |
+#2351 |
+FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+
+Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) |
+
+
+| BitLocker® Windows OS Loader (winload) |
+6.3.9600 6.3.9600.17031 |
+#2352 |
+FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
+
+Other algorithms: MD5; NDRNG |
+
+
+| BitLocker® Windows Resume (winresume)[14] |
+6.3.9600 6.3.9600.17031 |
+#2353 |
+FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+
+Other algorithms: MD5 |
+
+
+| BitLocker® Dump Filter (dumpfve.sys) |
+6.3.9600 6.3.9600.17031 |
+#2354 |
+FIPS Approved algorithms: AES (Cert. #2832)
+
+Other algorithms: N/A |
+
+
+| Code Integrity (ci.dll) |
+6.3.9600 6.3.9600.17031 |
+#2355#2355 |
+FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
+
+Other algorithms: MD5
+Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289) |
+
+
+
+
+
+\[14\] Applies only to Pro, Enterprise, and Embedded 8.
+
+##### Windows 8
+
+Validated Editions: RT, Home, Pro, Enterprise, Phone
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL) |
+6.2.9200 |
+#1892 |
+FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert. ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
+
+ |
+
+
+| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+6.2.9200 |
+#1891 |
+FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RNG (Cert. ); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
+
+Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) |
+
+
+| Boot Manager |
+6.2.9200 |
+#1895 |
+FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5 |
+
+
+| BitLocker® Windows OS Loader (WINLOAD) |
+6.2.9200 |
+#1896 |
+FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG |
+
+
+| BitLocker® Windows Resume (WINRESUME)[15] |
+6.2.9200 |
+#1898 |
+FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5 |
+
+
+| BitLocker® Dump Filter (DUMPFVE.SYS) |
+6.2.9200 |
+#1899 |
+FIPS Approved algorithms: AES (Certs. #2196 and #2198)
+
+Other algorithms: N/A |
+
+
+| Code Integrity (CI.DLL) |
+6.2.9200 |
+#1897 |
+FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5 |
+
+
+| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL) |
+6.2.9200 |
+#1893 |
+FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert. ); Triple-DES MAC (Triple-DES Cert. , vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. , key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+| Enhanced Cryptographic Provider (RSAENH.DLL) |
+6.2.9200 |
+#1894 |
+FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
+
+Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+
+
+
+\[15\] Applies only to Home and Pro
+
+**Windows 7**
+
+Validated Editions: Windows 7, Windows 7 SP1
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL) |
+6.1.7600.16385
+6.1.7601.17514 |
+1329 |
+FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); DSA (Cert. #386); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
+
+Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and ); SHS (Cert. ); Triple-DES (Cert. )
+
+Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 |
+
+
+| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+6.1.7600.16385
+6.1.7600.16915
+6.1.7600.21092
+6.1.7601.17514
+6.1.7601.17725
+6.1.7601.17919
+6.1.7601.21861
+6.1.7601.22076 |
+1328 |
+FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
+
+Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 |
+
+
+| Boot Manager |
+6.1.7600.16385
+6.1.7601.17514 |
+1319 |
+FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #557); SHS (Cert. #1081)
+
+Other algorithms: MD5#1168 and ); HMAC (Cert. ); RSA (Cert. ); SHS (Cert. )
+
+Other algorithms: MD5 |
+
+
+| Winload OS Loader (winload.exe) |
+6.1.7600.16385
+6.1.7600.16757
+6.1.7600.20897
+6.1.7600.20916
+6.1.7601.17514
+6.1.7601.17556
+6.1.7601.21655
+6.1.7601.21675 |
+1326 |
+FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #557); SHS (Cert. #1081)
+
+Other algorithms: MD5 |
+
+
+| BitLocker™ Drive Encryption |
+6.1.7600.16385
+6.1.7600.16429
+6.1.7600.16757
+6.1.7600.20536
+6.1.7600.20873
+6.1.7600.20897
+6.1.7600.20916
+6.1.7601.17514
+6.1.7601.17556
+6.1.7601.21634
+6.1.7601.21655
+6.1.7601.21675 |
+1332 |
+FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
+
+Other algorithms: Elephant Diffuser |
+
+
+| Code Integrity (CI.DLL) |
+6.1.7600.16385
+6.1.7600.17122
+6.1.7600.21320
+6.1.7601.17514
+6.1.7601.17950
+6.1.7601.22108 |
+1327 |
+FIPS Approved algorithms: RSA (Cert. #557); SHS (Cert. #1081)
+
+Other algorithms: MD5 |
+
+
+| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL) |
+6.1.7600.16385
+(no change in SP1) |
+1331 |
+FIPS Approved algorithms: DSA (Cert. #385); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4 |
+
+
+| Enhanced Cryptographic Provider (RSAENH.DLL) |
+6.1.7600.16385
+(no change in SP1) |
+1330 |
+FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #673); SHS (Cert. #1081); RSA (Certs. #557 and #559); Triple-DES (Cert. #846)
+
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256-bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+
+
+
+##### Windows Vista SP1
+
+Validated Editions: Ultimate Edition
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Boot Manager (bootmgr) |
+6.0.6001.18000 and 6.0.6002.18005 |
+978 |
+FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #354); SHS (Cert. #753) |
+
+
+| Winload OS Loader (winload.exe) |
+6.0.6001.18000, 6.0.6001.18027, 6.0.6001.18606, 6.0.6001.22125, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411 and 6.0.6002.22596 |
+979 |
+FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #354); SHS (Cert. #753)
+
+Other algorithms: MD5 |
+
+
+| Code Integrity (ci.dll) |
+6.0.6001.18000, 6.0.6001.18023, 6.0.6001.22120, and 6.0.6002.18005 |
+980 |
+FIPS Approved algorithms: RSA (Cert. #354); SHS (Cert. #753)
+
+Other algorithms: MD5 |
+
+
+| Kernel Mode Security Support Provider Interface (ksecdd.sys) |
+6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.22869 |
+1000 |
+FIPS Approved algorithms: AES (Certs. #739 and #756); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)#739 and ); ECDSA (Cert. ); HMAC (Cert. ); RNG (Cert. and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+| Cryptographic Primitives Library (bcrypt.dll) |
+6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005, and 6.0.6002.22872 |
+1001 |
+FIPS Approved algorithms: AES (Certs. #739 and #756); DSA (Cert. #283); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90, vendor affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength) |
+
+
+| Enhanced Cryptographic Provider (RSAENH) |
+6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.18005 |
+1002 |
+FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #407); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #354); SHS (Cert. #753); Triple-DES (Cert. #656)
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
+6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005 |
+1003 |
+FIPS Approved algorithms: DSA (Cert. #281); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4 |
+
+
+
+
+
+##### Windows Vista
+
+Validated Editions: Ultimate Edition
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Enhanced Cryptographic Provider (RSAENH) |
+6.0.6000.16386 |
+893 |
+FIPS Approved algorithms: AES (Cert. #553); HMAC (Cert. #297); RNG (Cert. #321); RSA (Certs. #255 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
+
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
+6.0.6000.16386 |
+894 |
+FIPS Approved algorithms: DSA (Cert. #226); RNG (Cert. #321); SHS (Cert. #618); Triple-DES (Cert. #549); Triple-DES MAC (Triple-DES Cert. #549, vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4 |
+
+
+| BitLocker™ Drive Encryption |
+6.0.6000.16386 |
+947 |
+FIPS Approved algorithms: AES (Cert. #715); HMAC (Cert. #386); SHS (Cert. #737)
+
+Other algorithms: Elephant Diffuser |
+
+
+| Kernel Mode Security Support Provider Interface (ksecdd.sys) |
+6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067 |
+891 |
+FIPS Approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
+
+Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5 |
+
+
+
+
+
+##### Windows XP SP3
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Kernel Mode Cryptographic Module (FIPS.SYS) |
+5.1.2600.5512 |
+997 |
+FIPS Approved algorithms: HMAC (Cert. #429); RNG (Cert. #449); SHS (Cert. #785); Triple-DES (Cert. #677); Triple-DES MAC (Triple-DES Cert. #677, vendor affirmed)
+Other algorithms: DES; MD5; HMAC MD5 |
+
+
+| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
+5.1.2600.5507 |
+990 |
+FIPS Approved algorithms: DSA (Cert. #292); RNG (Cert. #448); SHS (Cert. #784); Triple-DES (Cert. #676); Triple-DES MAC (Triple-DES Cert. #676, vendor affirmed)
+Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4 |
+
+
+| Enhanced Cryptographic Provider (RSAENH) |
+5.1.2600.5507 |
+989 |
+FIPS Approved algorithms: AES (Cert. #781); HMAC (Cert. #428); RNG (Cert. #447); RSA (Cert. #371); SHS (Cert. #783); Triple-DES (Cert. #675); Triple-DES MAC (Triple-DES Cert. #675, vendor affirmed)
+Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits) |
+
+
+
+
+
+##### Windows XP SP2
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| DSS/Diffie-Hellman Enhanced Cryptographic Provider |
+5.1.2600.2133 |
+240 |
+FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #29)
+Other algorithms: DES (Cert. #66); RC2; RC4; MD5; DES40; Diffie-Hellman (key agreement) |
+
+
+| Microsoft Enhanced Cryptographic Provider |
+5.1.2600.2161 |
+238 |
+FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)
+Other algorithms: DES (Cert. #156); RC2; RC4; MD5 |
+
+
+
+
+
+##### Windows XP SP1
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Microsoft Enhanced Cryptographic Provider |
+5.1.2600.1029 |
+238 |
+FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)
+Other algorithms: DES (Cert. #156); RC2; RC4; MD5 |
+
+
+
+
+
+##### Windows XP
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Kernel Mode Cryptographic Module |
+5.1.2600.0 |
+241 |
+FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #35); HMAC-SHA-1 (Cert. #35, vendor affirmed)
+Other algorithms: DES (Cert. #89) |
+
+
+
+
+
+##### Windows 2000 SP3
+
+
+
+
+##### Windows 2000 SP2
+
+
+
+
+##### Windows 2000 SP1
+
+
+
+
+##### Windows 2000
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enchanced Cryptographic Provider, and Enhanced Cryptographic Provider |
+5.0.2150.1 |
+76 |
+FIPS Approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. #28 and 29); RSA (vendor affirmed)
+Other algorithms: DES (Certs. #65, 66, 67 and 68); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement) |
+
+
+
+
+
+##### Windows 95 and Windows 98
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enchanced Cryptographic Provider, and Enhanced Cryptographic Provider |
+5.0.1877.6 and 5.0.1877.7 |
+75 |
+FIPS Approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor- affirmed)
+Other algorithms: DES (Certs. #61, 62, 63 and 64); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement) |
+
+
+
+
+
+##### Windows NT 4.0
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Base Cryptographic Provider |
+5.0.1877.6 and 5.0.1877.7 |
+68 |
+FIPS Approved algorithms: SHA-1 (Certs. #20 and 21); DSA/SHA- 1 (Certs. #25 and 26); RSA (vendor affirmed)
+
+Other algorithms: DES (Certs. #61, 62, 63 and 64); Triple-DES (allowed for US and Canadian Government use); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement) |
+
+
+
+
+
+#### Windows Server
+
+##### Windows Server 2016
+
+Validated Editions: Standard, Datacenter, Storage Server
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
+10.0.14393 |
+2937 |
+FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+
+Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt) |
+
+
+| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+10.0.14393 |
+2936 |
+FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+
+Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt) |
+
+
+| Boot Manager |
+10.0.14393 |
+2931 |
+FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)
+Other algorithms: MD5; PBKDF (non-compliant); VMK KDF |
+
+
+| BitLocker® Windows OS Loader (winload) |
+10.0.14393 |
+2932 |
+FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: NDRNG; MD5 |
+
+
+| BitLocker® Windows Resume (winresume) |
+10.0.14393 |
+2933 |
+FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: MD5 |
+
+
+| BitLocker® Dump Filter (dumpfve.sys) |
+10.0.14393 |
+2934 |
+FIPS Approved algorithms: AES (Certs. #4061 and #4064) |
+
+
+| Code Integrity (ci.dll) |
+10.0.14393 |
+2935 |
+FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: AES (non-compliant); MD5 |
+
+
+| Secure Kernel Code Integrity (skci.dll) |
+10.0.14393 |
+2938 |
+FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
+
+Other algorithms: MD5 |
+
+
+
+
+
+##### Windows Server 2012 R2
+
+Validated Editions: Server, Storage Server,
+
+**StorSimple 8000 Series, Azure StorSimple Virtual Array Windows Server 2012 R2**
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) |
+6.3.9600 6.3.9600.17031 |
+2357 |
+FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
+
+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt) |
+
+
+| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+6.3.9600 6.3.9600.17042 |
+2356 |
+FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
+
+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt) |
+
+
+| Boot Manager |
+6.3.9600 6.3.9600.17031 |
+2351 |
+FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+
+Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant) |
+
+
+| BitLocker® Windows OS Loader (winload) |
+6.3.9600 6.3.9600.17031 |
+2352 |
+FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
+
+Other algorithms: MD5; NDRNG |
+
+
+| BitLocker® Windows Resume (winresume)[16] |
+6.3.9600 6.3.9600.17031 |
+2353 |
+FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+
+Other algorithms: MD5 |
+
+
+| BitLocker® Dump Filter (dumpfve.sys)[17] |
+6.3.9600 6.3.9600.17031 |
+2354 |
+FIPS Approved algorithms: AES (Cert. #2832)
+
+Other algorithms: N/A |
+
+
+| Code Integrity (ci.dll) |
+6.3.9600 6.3.9600.17031 |
+2355 |
+FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
+
+Other algorithms: MD5 |
+
+
+
+
+
+\[16\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2**
+
+\[17\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2**
+
+**Windows Server 2012**
+
+Validated Editions: Server, Storage Server
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL) |
+6.2.9200 |
+1892 |
+FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert. ); HMAC (Cert. #); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
+
+Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) |
+
+
+| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+6.2.9200 |
+1891 |
+FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
+
+Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) |
+
+
+| Boot Manager |
+6.2.9200 |
+1895 |
+FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5 |
+
+
+| BitLocker® Windows OS Loader (WINLOAD) |
+6.2.9200 |
+1896 |
+FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG |
+
+
+| BitLocker® Windows Resume (WINRESUME) |
+6.2.9200 |
+1898 |
+FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5 |
+
+
+| BitLocker® Dump Filter (DUMPFVE.SYS) |
+6.2.9200 |
+1899 |
+FIPS Approved algorithms: AES (Certs. #2196 and #2198)
+
+Other algorithms: N/A |
+
+
+| Code Integrity (CI.DLL) |
+6.2.9200 |
+1897 |
+FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5 |
+
+
+| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL) |
+6.2.9200 |
+1893 |
+FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+| Enhanced Cryptographic Provider (RSAENH.DLL) |
+6.2.9200 |
+1894 |
+FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
+
+Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+
+
+
+##### Windows Server 2008 R2
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Boot Manager (bootmgr) |
+6.1.7600.16385 or 6.1.7601.175146.1.7600.16385 or 6.1.7601.17514 |
+1321 |
+FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #568); SHS (Cert. #1081)
+
+Other algorithms: MD5 |
+
+
+| Winload OS Loader (winload.exe) |
+6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216756.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.21675 |
+1333 |
+FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
+
+Other algorithms: MD5 |
+
+
+| Code Integrity (ci.dll) |
+6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221086.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.22108 |
+1334 |
+FIPS Approved algorithms: RSA (Cert. #568); SHS (Cert. #1081)
+
+Other algorithms: MD5 |
+
+
+| Kernel Mode Cryptographic Primitives Library (cng.sys) |
+6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220766.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.22076 |
+1335 |
+FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
+
+-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4 |
+
+
+| Cryptographic Primitives Library (bcryptprimitives.dll) |
+66.1.7600.16385 or 6.1.7601.1751466.1.7600.16385 or 6.1.7601.17514 |
+1336 |
+FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); DSA (Cert. #391); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
+
+Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4 |
+
+
+| Enhanced Cryptographic Provider (RSAENH) |
+6.1.7600.16385 |
+1337 |
+FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #687); SHS (Cert. #1081); RSA (Certs. #559 and #568); Triple-DES (Cert. #846)
+
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
+6.1.7600.16385 |
+1338 |
+FIPS Approved algorithms: DSA (Cert. #390); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4 |
+
+
+| BitLocker™ Drive Encryption |
+6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216756.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675 |
+1339 |
+FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
+
+Other algorithms: Elephant Diffuser |
+
+
+
+
+
+##### Windows Server 2008
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Boot Manager (bootmgr) |
+6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224976.0.6001.18000, 6.0.6002.18005 and 6.0.6002.22497 |
+1004 |
+FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #355); SHS (Cert. #753)
+
+Other algorithms: N/A |
+
+
+| Winload OS Loader (winload.exe) |
+6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225966.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.22596 |
+1005 |
+FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
+
+Other algorithms: MD5 |
+
+
+| Code Integrity (ci.dll) |
+6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005 |
+1006 |
+FIPS Approved algorithms: RSA (Cert. #355); SHS (Cert. #753)
+
+Other algorithms: MD5 |
+
+
+| Kernel Mode Security Support Provider Interface (ksecdd.sys) |
+6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.22869 |
+1007 |
+FIPS Approved algorithms: AES (Certs. #739 and #757); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
+
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert. ); RNG (Cert. and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
+
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+| Cryptographic Primitives Library (bcrypt.dll) |
+6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005 and 6.0.6002.22872 |
+1008 |
+FIPS Approved algorithms: AES (Certs. #739 and #757); DSA (Cert. #284); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
+
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength) |
+
+
+| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
+6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005 |
+1009 |
+FIPS Approved algorithms: DSA (Cert. #282); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
+
+-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4 |
+
+
+| Enhanced Cryptographic Provider (RSAENH) |
+6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.18005 |
+1010 |
+FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)
+
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+
+
+
+##### Windows Server 2003 SP2
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
+5.2.3790.3959 |
+875 |
+FIPS Approved algorithms: DSA (Cert. #221); RNG (Cert. #314); RSA (Cert. #245); SHS (Cert. #611); Triple-DES (Cert. #543)
+Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4 |
+
+
+| Kernel Mode Cryptographic Module (FIPS.SYS) |
+5.2.3790.3959 |
+869 |
+FIPS Approved algorithms: HMAC (Cert. #287); RNG (Cert. #313); SHS (Cert. #610); Triple-DES (Cert. #542)
+Other algorithms: DES; HMAC-MD5 |
+
+
+| Enhanced Cryptographic Provider (RSAENH) |
+5.2.3790.3959 |
+868 |
+FIPS Approved algorithms: AES (Cert. #548); HMAC (Cert. #289); RNG (Cert. #316); RSA (Cert. #245); SHS (Cert. #613); Triple-DES (Cert. #544)
+Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength) |
+
+
+
+
+
+##### Windows Server 2003 SP1
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Kernel Mode Cryptographic Module (FIPS.SYS) |
+5.2.3790.1830 [SP1] |
+405 |
+FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])
+Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)
+[1] x86
+[2] SP1 x86, x64, IA64 |
+
+
+| Enhanced Cryptographic Provider (RSAENH) |
+5.2.3790.1830 [Service Pack 1]) |
+382 |
+FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])
+Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5
+[1] x86
+[2] SP1 x86, x64, IA64 |
+
+
+| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
+5.2.3790.1830 [Service Pack 1] |
+381 |
+FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)
+Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40
+[1] x86
+[2] SP1 x86, x64, IA64 |
+
+
+
+
+
+##### Windows Server 2003
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Kernel Mode Cryptographic Module (FIPS.SYS) |
+5.2.3790.0 |
+405 |
+FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])
+Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)
+[1] x86
+[2] SP1 x86, x64, IA64 |
+
+
+| Enhanced Cryptographic Provider (RSAENH) |
+5.2.3790.0 |
+382 |
+FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])
+Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5
+[1] x86
+[2] SP1 x86, x64, IA64 |
+
+
+| Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) |
+5.2.3790.0 |
+381 |
+FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)
+Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40
+[1] x86
+[2] SP1 x86, x64, IA64 |
+
+
+
+
+
+#### Other Products
+
+##### Windows Embedded Compact 7 and Windows Embedded Compact 8
+
+
+
+
+
+##### Windows CE 6.0 and Windows Embedded Compact 7
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Enhanced Cryptographic Provider |
+6.00.1937 [1] and 7.00.1687 [2] |
+825 |
+FIPS Approved algorithms: AES (Certs. #516 [1] and #2024 [2]); HMAC (Certs. #267 [1] and #1227 [2]); RNG (Certs. #292 [1] and #1060 [2]); RSA (Cert. #230 [1] and #1052 [2]); SHS (Certs. #589 [1] and #1774 [2]); Triple-DES (Certs. #526 [1] and #1308 [2])
+Other algorithms: MD5; HMAC-MD5; RC2; RC4; DES |
+
+
+
+
+
+##### Outlook Cryptographic Provider
+
+
+
+
+
+
+
+
+
+
+| Cryptographic Module |
+Version (link to Security Policy) |
+FIPS Certificate # |
+Algorithms |
+
+
+| Outlook Cryptographic Provider (EXCHCSP) |
+SR-1A (3821)SR-1A (3821) |
+110 |
+FIPS Approved algorithms: Triple-DES (Cert. #18); SHA-1 (Certs. #32); RSA (vendor affirmed)
+Other algorithms: DES (Certs. #91); DES MAC; RC2; MD2; MD5 |
+
+
+
+
+
+
+### Cryptographic Algorithms
+
+The following tables are organized by cryptographic algorithms with their modes, states, and key sizes. For each algorithm implementation (operating system / platform), there is a link to the Cryptographic Algorithm Validation Program (CAVP) issued certificate.
+
+### Advanced Encryption Standard (AES)
+
+
+
+
+
+
+
+
+| Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
+
+
+
+- AES-CBC:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CFB128:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CTR:
+
+- Counter Source: Internal
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-OFB:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ |
+Microsoft Surface Hub Virtual TPM Implementations #4904
+Version 10.0.15063.674 |
+
+
+
+- AES-CBC:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CFB128:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CTR:
+
+- Counter Source: Internal
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-OFB:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #4903
+Version 10.0.16299 |
+
+
+
+- AES-CBC:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CCM:
+
+- Key Lengths: 128, 192, 256 (bits)
+- Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
+- IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
+- Plain Text Length: 0-32
+- AAD Length: 0-65536
+ - AES-CFB128:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CFB8:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CMAC:
+
+- Generation:
+
+- AES-128:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-192:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-256:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - Verification:
+
+- AES-128:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-192:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-256:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-CTR:
+
+- Counter Source: Internal
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-ECB:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-GCM:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+- Tag Lengths: 96, 104, 112, 120, 128 (bits)
+- Plain Text Lengths: 0, 8, 1016, 1024 (bits)
+- AAD Lengths: 0, 8, 1016, 1024 (bits)
+- 96 bit IV supported
+ - AES-XTS:
+
+- Key Size: 128:
+
+- Modes: Decrypt, Encrypt
+- Block Sizes: Full
+ - Key Size: 256:
+
+- Modes: Decrypt, Encrypt
+- Block Sizes: Full
+ |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #4902
+Version 10.0.15063.674 |
+
+
+
+- AES-CBC:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CCM:
+
+- Key Lengths: 128, 192, 256 (bits)
+- Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
+- IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
+- Plain Text Length: 0-32
+- AAD Length: 0-65536
+ - AES-CFB128:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CFB8:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CMAC:
+
+- Generation:
+
+- AES-128:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-192:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-256:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - Verification:
+
+- AES-128:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-192:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-256:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-CTR:
+
+- Counter Source: Internal
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-ECB:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-GCM:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+- Tag Lengths: 96, 104, 112, 120, 128 (bits)
+- Plain Text Lengths: 0, 8, 1016, 1024 (bits)
+- AAD Lengths: 0, 8, 1016, 1024 (bits)
+- 96 bit IV supported
+ - AES-XTS:
+
+- Key Size: 128:
+
+- Modes: Decrypt, Encrypt
+- Block Sizes: Full
+ - Key Size: 256:
+
+- Modes: Decrypt, Encrypt
+- Block Sizes: Full
+ |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4901
+Version 10.0.15254 |
+
+
+
+- AES-CBC:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CCM:
+
+- Key Lengths: 128, 192, 256 (bits)
+- Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
+- IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
+- Plain Text Length: 0-32
+- AAD Length: 0-65536
+ - AES-CFB128:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CFB8:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-CMAC:
+
+- Generation:
+
+- AES-128:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-192:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-256:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - Verification:
+
+- AES-128:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-192:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-256:
+
+- Block Sizes: Full, Partial
+- Message Length: 0-65536
+- Tag Length: 16-16
+ - AES-CTR:
+
+- Counter Source: Internal
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-ECB:
+
+- Modes: Decrypt, Encrypt
+- Key Lengths: 128, 192, 256 (bits)
+ - AES-GCM:
+
+- Modes: Decrypt, Encrypt
+- IV Generation: External
+- Key Lengths: 128, 192, 256 (bits)
+- Tag Lengths: 96, 104, 112, 120, 128 (bits)
+- Plain Text Lengths: 0, 8, 1016, 1024 (bits)
+- AAD Lengths: 0, 8, 1016, 1024 (bits)
+- 96 bit IV supported
+ - AES-XTS:
+
+- Key Size: 128:
+
+- Modes: Decrypt, Encrypt
+- Block Sizes: Full
+ - Key Size: 256:
+
+- Modes: Decrypt, Encrypt
+- Block Sizes: Full
+ |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4897
+Version 10.0.16299 |
+
+
+AES-KW:
+
+- Modes: Decrypt, Encrypt
+- CIPHK transformation direction: Forward
+- Key Lengths: 128, 192, 256 (bits)
+- Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
+
+AES Val#4902 |
+Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #4900
+Version 10.0.15063.674 |
+
+
+AES-KW:
+
+- Modes: Decrypt, Encrypt
+- CIPHK transformation direction: Forward
+- Key Lengths: 128, 192, 256 (bits)
+- Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
+
+AES Val#4901 |
+Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #4899
+Version 10.0.15254 |
+
+
+AES-KW:
+
+- Modes: Decrypt, Encrypt
+- CIPHK transformation direction: Forward
+- Key Lengths: 128, 192, 256 (bits)
+- Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
+
+AES Val#4897 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898
+Version 10.0.16299 |
+
+
+AES-CCM:
+
+- Key Lengths: 256 (bits)
+- Tag Lengths: 128 (bits)
+- IV Lengths: 96 (bits)
+- Plain Text Length: 0-32
+- AAD Length: 0-65536
+
+AES Val#4902 |
+Microsoft Surface Hub BitLocker(R) Cryptographic Implementations #4896
+Version 10.0.15063.674 |
+
+
+AES-CCM:
+
+- Key Lengths: 256 (bits)
+- Tag Lengths: 128 (bits)
+- IV Lengths: 96 (bits)
+- Plain Text Length: 0-32
+- AAD Length: 0-65536
+
+AES Val#4901 |
+Windows 10 Mobile (version 1709) BitLocker(R) Cryptographic Implementations #4895
+Version 10.0.15254 |
+
+
+AES-CCM:
+
+- Key Lengths: 256 (bits)
+- Tag Lengths: 128 (bits)
+- IV Lengths: 96 (bits)
+- Plain Text Length: 0-32
+- AAD Length: 0-65536
+
+AES Val#4897 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894
+Version 10.0.16299 |
+
+
+CBC ( e/d; 128 , 192 , 256 );
+CFB128 ( e/d; 128 , 192 , 256 );
+OFB ( e/d; 128 , 192 , 256 );
+CTR ( int only; 128 , 192 , 256 ) |
+Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627
+Version 10.0.15063 |
+
+
+KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )
+AES Val#4624 |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626
+Version 10.0.15063 |
+
+
+CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
+AES Val#4624
+ |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625
+Version 10.0.15063 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
+CFB128 ( e/d; 128 , 192 , 256 );
+CTR ( int only; 128 , 192 , 256 )
+CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
+GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
+IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported
+GMAC_Supported
+XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624
+Version 10.0.15063 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 ); |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434
+Version 7.00.2872 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 ); |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433
+Version 8.00.6246 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CTR ( int only; 128 , 192 , 256 ) |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431
+Version 7.00.2872 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CTR ( int only; 128 , 192 , 256 ) |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430
+Version 8.00.6246 |
+
+
+CBC ( e/d; 128 , 192 , 256 );
+CFB128 ( e/d; 128 , 192 , 256 );
+OFB ( e/d; 128 , 192 , 256 );
+CTR ( int only; 128 , 192 , 256 ) |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074
+Version 10.0.14393 |
+
+
+ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
+CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
+GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
+IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
+GMAC_Supported
+XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064
+Version 10.0.14393 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
+ |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
+Version 10.0.14393 |
+
+
+KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )
+AES Val#4064 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062
+Version 10.0.14393 |
+
+
+CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
+AES Val#4064 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061
+Version 10.0.14393 |
+
+
+KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )
+AES Val#3629 |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652
+Version 10.0.10586 |
+
+
+CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
+AES Val#3629 |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653
+Version 10.0.10586 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
+ |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
+Version 10.0.10586 |
+
+
+ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
+CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
+GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
+IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
+GMAC_Supported
+XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629
+
+
+Version 10.0.10586 |
+
+
+KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )
+AES Val#3497 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507
+Version 10.0.10240 |
+
+
+CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
+AES Val#3497 |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498
+Version 10.0.10240 |
+
+
+ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
+CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
+GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
+IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
+GMAC_Supported
+XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
+Version 10.0.10240 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
+ |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
+Version 10.0.10240 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
+ |
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853
+Version 6.3.9600 |
+
+
+CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
+AES Val#2832 |
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848
+Version 6.3.9600 |
+
+
+CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
+GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
+IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported ;
+OtherIVLen_Supported
+GMAC_Supported |
+Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832
+Version 6.3.9600 |
+
+
+CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+AES Val#2197
+CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
+AES Val#2197
+GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
+IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
+GMAC_Supported |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216 |
+
+
+CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
+AES Val#2196 |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
+CFB128 ( e/d; 128 , 192 , 256 );
+CTR ( int only; 128 , 192 , 256 ) |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
+ |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196 |
+
+
+CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+AES Val#1168 |
+Windows Server 2008 R2 and SP1 CNG algorithms #1187
+Windows 7 Ultimate and SP1 CNG algorithms #1178 |
+
+
+CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
+AES Val#1168 |
+Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 );
+ |
+Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 |
+
+
+GCM
+GMAC |
+Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 , vendor-affirmed |
+
+
+| CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) |
+Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760 |
+
+
+| CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) |
+Windows Server 2008 CNG algorithms #757
+Windows Vista Ultimate SP1 CNG algorithms #756 |
+
+
+CBC ( e/d; 128 , 256 );
+CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) |
+Windows Vista Ultimate BitLocker Drive Encryption #715
+Windows Vista Ultimate BitLocker Drive Encryption #424 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CFB8 ( e/d; 128 , 192 , 256 ); |
+Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739
+Windows Vista Symmetric Algorithm Implementation #553 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 );
+CTR ( int only; 128 , 192 , 256 ) |
+Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023 |
+
+
+ECB ( e/d; 128 , 192 , 256 );
+CBC ( e/d; 128 , 192 , 256 ); |
+Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818
+Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781
+Windows 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #548
+Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #516
+Windows CE and Windows Mobile 6, 6.1, and 6.5 Enhanced Cryptographic Provider (RSAENH) #507
+Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #290
+Windows CE 5.0 and 5.1 Enhanced Cryptographic Provider (RSAENH) #224
+Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #80
+Windows XP, SP1, and SP2 Enhanced Cryptographic Provider (RSAENH) #33 |
+
+
+
+
+
+Deterministic Random Bit Generator (DRBG)
+
+
+
+
+
+
+
+
+| Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
+
+
+
+- Counter:
+
+- Modes: AES-256
+- Derivation Function States: Derivation Function not used
+- Prediction Resistance Modes: Not Enabled
+
+Prerequisite: AES #4904 |
+Microsoft Surface Hub Virtual TPM Implementations #1734
+Version 10.0.15063.674 |
+
+
+
+- Counter:
+
+- Modes: AES-256
+- Derivation Function States: Derivation Function not used
+- Prediction Resistance Modes: Not Enabled
+
+Prerequisite: AES #4903 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1733
+Version 10.0.16299 |
+
+
+
+- Counter:
+
+- Modes: AES-256
+- Derivation Function States: Derivation Function used
+- Prediction Resistance Modes: Not Enabled
+
+Prerequisite: AES #4902 |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #1732
+Version 10.0.15063.674 |
+
+
+
+- Counter:
+
+- Modes: AES-256
+- Derivation Function States: Derivation Function used
+- Prediction Resistance Modes: Not Enabled
+
+Prerequisite: AES #4901 |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1731
+Version 10.0.15254 |
+
+
+
+- Counter:
+
+- Modes: AES-256
+- Derivation Function States: Derivation Function used
+- Prediction Resistance Modes: Not Enabled
+
+Prerequisite: AES #4897 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1730
+Version 10.0.16299 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ] |
+Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556
+Version 10.0.15063 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ] |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555
+Version 10.0.15063 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ] |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433
+Version 7.00.2872 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ] |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432
+Version 8.00.6246 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ] |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430
+Version 7.00.2872 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ] |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429
+Version 8.00.6246 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ] |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222
+Version 10.0.14393 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ] |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217
+Version 10.0.14393 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ] |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955
+Version 10.0.10586 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ] |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868
+Version 10.0.10240 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ] |
+Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489
+Version 6.3.9600 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ] |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ] |
+Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193 |
+
+
+| CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ] |
+Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23 |
+
+
+| DRBG (SP 800–90) |
+Windows Vista Ultimate SP1, vendor-affirmed |
+
+
+
+
+
+#### Digital Signature Algorithm (DSA)
+
+
+
+
+
+
+
+
+| Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
+
+
+
+- DSA:
+
+- 186-4:
+
+- PQGGen:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - PQGVer:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - SigGen:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - SigVer:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - KeyPair:
+
+- L = 2048, N = 256
+- L = 3072, N = 256
+
+Prerequisite: SHS #4011, DRBG #1732 |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #1303
+Version 10.0.15063.674 |
+
+
+
+- DSA:
+
+- 186-4:
+
+- PQGGen:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - PQGVer:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - SigGen:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - SigVer:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - KeyPair:
+
+-
+-
+- L = 2048, N = 256
+- L = 3072, N = 256
+
+Prerequisite: SHS #4010, DRBG #1731 |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1302
+Version 10.0.15254 |
+
+
+
+- DSA:
+
+- 186-4:
+
+- PQGGen:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - PQGVer:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - SigGen:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - SigVer:
+
+- L = 2048, N = 256 SHA: SHA-256
+- L = 3072, N = 256 SHA: SHA-256
+ - KeyPair:
+
+- L = 2048, N = 256
+- L = 3072, N = 256
+
+Prerequisite: SHS #4009, DRBG #1730 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301
+Version 10.0.16299 |
+
+
+FIPS186-4:
+PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+KeyPairGen: [ (2048,256) ; (3072,256) ]
+SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SHS: Val#3790
+DRBG: Val# 1555 |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223
+Version 10.0.15063 |
+
+
+FIPS186-4:
+PQG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
+SIG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
+SHS: Val# 3649 |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188
+Version 7.00.2872 |
+
+
+FIPS186-4:
+PQG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
+SIG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
+SHS: Val#3648 |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187
+Version 8.00.6246 |
+
+
+FIPS186-4:
+PQG(gen)PARMS TESTED: [
+(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+KeyPairGen: [ (2048,256) ; (3072,256) ]
+SIG(gen)PARMS TESTED: [ (2048,256)
+SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SHS: Val# 3347
+DRBG: Val# 1217 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098
+Version 10.0.14393 |
+
+
+FIPS186-4:
+PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
+KeyPairGen: [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SHS: Val# 3047
+DRBG: Val# 955 |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024
+Version 10.0.10586 |
+
+
+FIPS186-4:
+PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+KeyPairGen: [ (2048,256) ; (3072,256) ]
+SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SHS: Val# 2886
+DRBG: Val# 868 |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983
+Version 10.0.10240 |
+
+
+FIPS186-4:
+PQG(gen)PARMS TESTED: [
+(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED: [ (2048,256)
+SHA( 256 ); (3072,256) SHA( 256 ) ]
+KeyPairGen: [ (2048,256) ; (3072,256) ]
+SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SHS: Val# 2373
+DRBG: Val# 489 |
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855
+Version 6.3.9600 |
+
+
+FIPS186-2:
+PQG(ver) MOD(1024);
+SIG(ver) MOD(1024);
+SHS: #1903
+DRBG: #258
+FIPS186-4:
+PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SHS: #1903
+DRBG: #258
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687. |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687 |
+
+
+FIPS186-2:
+PQG(ver) MOD(1024);
+SIG(ver) MOD(1024);
+SHS: #1902
+DRBG: #258
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686. |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686 |
+
+
+FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 1773
+DRBG: Val# 193
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645. |
+Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645 |
+
+
+FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 1081
+DRBG: Val# 23
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386. |
+Windows Server 2008 R2 and SP1 CNG algorithms #391
+Windows 7 Ultimate and SP1 CNG algorithms #386 |
+
+
+FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 1081
+RNG: Val# 649
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385. |
+Windows Server 2008 R2 and SP1 Enhanced DSS (DSSENH) #390
+Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385 |
+
+
+FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 753
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283. |
+Windows Server 2008 CNG algorithms #284
+Windows Vista Ultimate SP1 CNG algorithms #283 |
+
+
+FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 753
+RNG: Val# 435
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281. |
+Windows Server 2008 Enhanced DSS (DSSENH) #282
+Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281 |
+
+
+FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 618
+RNG: Val# 321
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226. |
+Windows Vista CNG algorithms #227
+Windows Vista Enhanced DSS (DSSENH) #226 |
+
+
+FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 784
+RNG: Val# 448
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292. |
+Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292 |
+
+
+FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 783
+RNG: Val# 447
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291. |
+Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291 |
+
+
+FIPS186-2:
+PQG(gen) MOD(1024);
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
+SIG(ver) MOD(1024);
+SHS: Val# 611
+RNG: Val# 314 |
+Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221 |
+
+
+FIPS186-2:
+PQG(gen) MOD(1024);
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
+SIG(ver) MOD(1024);
+SHS: Val# 385 |
+Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146 |
+
+
+FIPS186-2:
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
+SIG(ver) MOD(1024);
+SHS: Val# 181
+
+ |
+Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95 |
+
+
+FIPS186-2:
+PQG(gen) MOD(1024);
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
+SHS: SHA-1 (BYTE)
+SIG(ver) MOD(1024);
+SHS: SHA-1 (BYTE) |
+Windows 2000 DSSENH.DLL #29
+Windows 2000 DSSBASE.DLL #28
+Windows NT 4 SP6 DSSENH.DLL #26
+Windows NT 4 SP6 DSSBASE.DLL #25 |
+
+
+FIPS186-2: PRIME;
+FIPS186-2:
+KEYGEN(Y):
+SHS: SHA-1 (BYTE)
+SIG(gen):
+SIG(ver) MOD(1024);
+SHS: SHA-1 (BYTE) |
+Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17 |
+
+
+
+
+
+#### Elliptic Curve Digital Signature Algorithm (ECDSA)
+
+
+
+
+
+
+
+
+| Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
+
+
+
+- ECDSA:
+
+- 186-4:
+
+- Key Pair Generation:
+
+- Curves: P-256, P-384, P-521
+- Generation Methods: Extra Random Bits
+ - Public Key Validation:
+
+- Curves: P-256, P-384, P-521
+ - Signature Generation:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+ - Signature Verification:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: SHS #2373, DRBG #489 |
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263
+Version 6.3.9600 |
+
+
+
+- ECDSA:
+
+- 186-4:
+
+- Key Pair Generation:
+
+- Curves: P-256, P-384
+- Generation Methods: Testing Candidates
+
+Prerequisite: SHS #4011, DRBG #1734 |
+Microsoft Surface Hub Virtual TPM Implementations #1253
+Version 10.0.15063.674 |
+
+
+
+- ECDSA:
+
+- 186-4:
+
+- Key Pair Generation:
+
+- Curves: P-256, P-384
+- Generation Methods: Testing Candidates
+
+Prerequisite: SHS #4009, DRBG #1733 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1252
+Version 10.0.16299 |
+
+
+
+- ECDSA:
+
+- 186-4:
+
+- Key Pair Generation:
+
+- Curves: P-256, P-384, P-521
+- Generation Methods: Extra Random Bits
+ - Public Key Validation:
+
+- Curves: P-256, P-384, P-521
+ - Signature Generation:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+ - Signature Verification:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: SHS #4011, DRBG #1732 |
+Microsoft Surface Hub MsBignum Cryptographic Implementations #1251
+Version 10.0.15063.674 |
+
+
+
+- ECDSA:
+
+- 186-4:
+
+- Key Pair Generation:
+
+- Curves: P-256, P-384, P-521
+- Generation Methods: Extra Random Bits
+ - Public Key Validation:
+
+- Curves: P-256, P-384, P-521
+ - Signature Generation:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+ - Signature Verification:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: SHS #4011, DRBG #1732 |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #1250
+Version 10.0.15063.674 |
+
+
+
+- ECDSA:
+
+- 186-4:
+
+- Key Pair Generation:
+
+- Curves: P-256, P-384, P-521
+- Generation Methods: Extra Random Bits
+ - Public Key Validation:
+
+- Curves: P-256, P-384, P-521
+ - Signature Generation:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+ - Signature Verification:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: SHS #4010, DRBG #1731 |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1249
+Version 10.0.15254 |
+
+
+
+- ECDSA:
+
+- 186-4:
+
+- Key Pair Generation:
+
+- Curves: P-256, P-384, P-521
+- Generation Methods: Extra Random Bits
+ - Public Key Validation:
+
+- Curves: P-256, P-384, P-521
+ - Signature Generation:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+ - Signature Verification:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: SHS #4010, DRBG #1731 |
+Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1248
+Version 10.0.15254 |
+
+
+
+- ECDSA:
+
+- 186-4:
+
+- Key Pair Generation:
+
+- Curves: P-256, P-384, P-521
+- Generation Methods: Extra Random Bits
+ - Public Key Validation:
+
+- Curves: P-256, P-384, P-521
+ - Signature Generation:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+ - Signature Verification:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: SHS #4009, DRBG #1730 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1247
+Version 10.0.16299 |
+
+
+
+- ECDSA:
+
+- 186-4:
+
+- Key Pair Generation:
+
+- Curves: P-256, P-384, P-521
+- Generation Methods: Extra Random Bits
+ - Public Key Validation:
+
+- Curves: P-256, P-384, P-521
+ - Signature Generation:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+ - Signature Verification:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: SHS #4009, DRBG #1730 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1246
+Version 10.0.16299 |
+
+
+FIPS186-4:
+PKG: CURVES( P-256 P-384 TestingCandidates )
+SHS: Val#3790
+DRBG: Val# 1555 |
+Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136
+Version 10.0.15063 |
+
+
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: Val#3790
+DRBG: Val# 1555 |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135
+Version 10.0.15063 |
+
+
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: Val#3790
+DRBG: Val# 1555 |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133
+Version 10.0.15063 |
+
+
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
+SHS:Val# 3649
+DRBG:Val# 1430 |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073
+Version 7.00.2872 |
+
+
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
+SHS:Val#3648
+DRBG:Val# 1429 |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072
+Version 8.00.6246 |
+
+
+FIPS186-4:
+PKG: CURVES( P-256 P-384 TestingCandidates )
+PKV: CURVES( P-256 P-384 )
+SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )
+SHS: Val# 3347
+DRBG: Val# 1222 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920
+Version 10.0.14393 |
+
+
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: Val# 3347
+DRBG: Val# 1217 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911
+Version 10.0.14393 |
+
+
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: Val# 3047
+DRBG: Val# 955 |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760
+Version 10.0.10586 |
+
+
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: Val# 2886
+DRBG: Val# 868 |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #706
+Version 10.0.10240 |
+
+
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: Val#2373
+DRBG: Val# 489 |
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505
+Version 6.3.9600 |
+
+
+FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: #1903
+DRBG: #258
+SIG(ver):CURVES( P-256 P-384 P-521 )
+SHS: #1903
+DRBG: #258
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: #1903
+DRBG: #258
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341. |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341 |
+
+
+FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#1773
+DRBG: Val# 193
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#1773
+DRBG: Val# 193
+FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: Val#1773
+DRBG: Val# 193
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295. |
+Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295 |
+
+
+FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#1081
+DRBG: Val# 23
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#1081
+DRBG: Val# 23
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141. |
+Windows Server 2008 R2 and SP1 CNG algorithms #142
+Windows 7 Ultimate and SP1 CNG algorithms #141 |
+
+
+FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#753
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#753
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82. |
+Windows Server 2008 CNG algorithms #83
+Windows Vista Ultimate SP1 CNG algorithms #82 |
+
+
+FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#618
+RNG: Val# 321
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#618
+RNG: Val# 321
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60. |
+Windows Vista CNG algorithms #60 |
+
+
+
+
+
+#### Keyed-Hash Message Authentication Code (HMAC)
+
+
+
+
+
+
+
+
+| Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
+
+
+
+- HMAC-SHA-1:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-256:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-384:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+
+Prerequisite: SHS #4011 |
+Microsoft Surface Hub Virtual TPM Implementations #3271
+Version 10.0.15063.674 |
+
+
+
+- HMAC-SHA-1:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-256:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-384:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+
+Prerequisite: SHS #4009 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #3270
+Version 10.0.16299 |
+
+
+
+- HMAC-SHA-1:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-256:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-384:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-512:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+
+Prerequisite: SHS #4011 |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #3269
+Version 10.0.15063.674 |
+
+
+
+- HMAC-SHA-1:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-256:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-384:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-512:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+
+Prerequisite: SHS #4010 |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #3268
+Version 10.0.15254 |
+
+
+
+- HMAC-SHA-1:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-256:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-384:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+ - HMAC-SHA2-512:
+
+- Key Sizes < Block Size
+- Key Sizes > Block Size
+- Key Sizes = Block Size
+
+Prerequisite: SHS #4009 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #3267
+Version 10.0.16299 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 |
+Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062
+Version 10.0.15063 |
+
+
+HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061
+Version 10.0.15063 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652 |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946
+Version 7.00.2872 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651 |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945
+Version 8.00.6246 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649 |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943
+Version 7.00.2872 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648 |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942
+Version 8.00.6246 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
+SHS Val# 3347
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
+SHS Val# 3347
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
+SHS Val# 3347 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661
+Version 10.0.14393 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651
+Version 10.0.14393 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
+SHS Val# 3047
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
+SHS Val# 3047
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
+SHS Val# 3047
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
+SHS Val# 3047 |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381
+Version 10.0.10586 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
+SHSVal# 2886
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
+SHSVal# 2886
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
+ SHSVal# 2886
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
+SHSVal# 2886 |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233
+Version 10.0.10240 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
+SHS Val#2373
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
+SHS Val#2373
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
+SHS Val#2373
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
+SHS Val#2373 |
+Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773
+Version 6.3.9600 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764 |
+Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122
+Version 5.2.29344 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902
+HMAC-SHA256 ( Key Size Ranges Tested: KS#1902 |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902 |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )
+SHS#1903
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS )
+SHS#1903
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS )
+SHS#1903
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
+SHS#1903 |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773
+Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773 |
+Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774 |
+Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081 |
+Windows Server 2008 R2 and SP1 CNG algorithms #686
+Windows 7 and SP1 CNG algorithms #677
+Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687
+Windows 7 Enhanced Cryptographic Provider (RSAENH) #673 |
+
+
+HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081
+HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081 |
+Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816 |
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753
+HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753 |
+Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753 |
+Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408
+Windows Vista Enhanced Cryptographic Provider (RSAENH) #407 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618 |
+Windows Vista Enhanced Cryptographic Provider (RSAENH) #297 |
+
+
+| HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785 |
+Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429
+Windows XP, vendor-affirmed |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783 |
+Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613 |
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289 |
+
+
+| HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610 |
+Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753 |
+Windows Server 2008 CNG algorithms #413
+Windows Vista Ultimate SP1 CNG algorithms #412 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737
+HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737 |
+Windows Vista Ultimate BitLocker Drive Encryption #386 |
+
+
+HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618 |
+Windows Vista CNG algorithms #298 |
+
+
+HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589 |
+Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267 |
+
+
+HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578 |
+Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260 |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495
+HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495 |
+Windows Vista BitLocker Drive Encryption #199 |
+
+
+| HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364 |
+Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99
+Windows XP, vendor-affirmed |
+
+
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305
+HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305
+HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305
+HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305 |
+Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31 |
+
+
+
+
+
+#### Key Agreement Scheme (KAS)
+
+
+
+
+
+
+
+
+| Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
+
+
+
+- KAS ECC:
+
+- Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
+- Schemes:
+
+- Full Unified:
+
+- Key Agreement Roles: Initiator, Responder
+- KDFs: Concatenation
+- Parameter Sets:
+
+- EC:
+
+- Curve: P-256
+- SHA: SHA-256
+- MAC: HMAC
+ - ED:
+
+- Curve: P-384
+- SHA: SHA-384
+- MAC: HMAC
+
+Prerequisite: SHS #4011, ECDSA #1253, DRBG #1734 |
+Microsoft Surface Hub Virtual TPM Implementations #150
+Version 10.0.15063.674 |
+
+
+
+- KAS ECC:
+
+- Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
+- Schemes:
+
+- Full Unified:
+
+- Key Agreement Roles: Initiator, Responder
+- KDFs: Concatenation
+- Parameter Sets:
+
+- EC:
+
+- Curve: P-256
+- SHA: SHA-256
+- MAC: HMAC
+ - ED:
+
+- Curve: P-384
+- SHA: SHA-384
+- MAC: HMAC
+
+Prerequisite: SHS #4009, ECDSA #1252, DRBG #1733 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #149
+Version 10.0.16299 |
+
+
+
+- KAS ECC:
+
+- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
+- Schemes:
+
+- Ephemeral Unified:
+
+- Key Agreement Roles: Initiator, Responder
+- KDFs: Concatenation
+- Parameter Sets:
+
+- EC:
+
+- Curve: P-256
+- SHA: SHA-256
+- MAC: HMAC
+ - ED:
+
+- Curve: P-384
+- SHA: SHA-384
+- MAC: HMAC
+ - EE:
+
+- Curve: P-521
+- SHA: SHA-512
+- MAC: HMAC
+ - One Pass DH:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- EC:
+
+- Curve: P-256
+- SHA: SHA-256
+- MAC: HMAC
+ - ED:
+
+- Curve: P-384
+- SHA: SHA-384
+- MAC: HMAC
+ - EE:
+
+- Curve: P-521
+- SHA: SHA-512
+- MAC: HMAC
+ - Static Unified:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- EC:
+
+- Curve: P-256
+- SHA: SHA-256
+- MAC: HMAC
+ - ED:
+
+- Curve: P-384
+- SHA: SHA-384
+- MAC: HMAC
+ - EE:
+
+- Curve: P-521
+- SHA: SHA-512
+- MAC: HMAC
+
+Prerequisite: SHS #4011, ECDSA #1250, DRBG #1732
+
+- KAS FFC:
+
+- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
+- Schemes:
+
+- dhEphem:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- FB:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - FC:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - dhOneFlow:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- FB:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - FC:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - dhStatic:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- FB:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - FC:
+
+- SHA: SHA-256
+- MAC: HMAC
+
+Prerequisite: SHS #4011, DSA #1303, DRBG #1732 |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #148
+Version 10.0.15063.674 |
+
+
+
+- KAS ECC:
+
+- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
+- Schemes:
+
+- Ephemeral Unified:
+
+- Key Agreement Roles: Initiator, Responder
+- KDFs: Concatenation
+- Parameter Sets:
+
+- EC:
+
+- Curve: P-256
+- SHA: SHA-256
+- MAC: HMAC
+ - ED:
+
+- Curve: P-384
+- SHA: SHA-384
+- MAC: HMAC
+ - EE:
+
+- Curve: P-521
+- SHA: SHA-512
+- MAC: HMAC
+ - One Pass DH:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- EC:
+
+- Curve: P-256
+- SHA: SHA-256
+- MAC: HMAC
+ - ED:
+
+- Curve: P-384
+- SHA: SHA-384
+- MAC: HMAC
+ - EE:
+
+- Curve: P-521
+- SHA: SHA-512
+- MAC: HMAC
+ - Static Unified:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- EC:
+
+- Curve: P-256
+- SHA: SHA-256
+- MAC: HMAC
+ - ED:
+
+- Curve: P-384
+- SHA: SHA-384
+- MAC: HMAC
+ - EE:
+
+- Curve: P-521
+- SHA: SHA-512
+- MAC: HMAC
+
+Prerequisite: SHS #4010, ECDSA #1249, DRBG #1731
+
+- KAS FFC:
+
+- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
+- Schemes:
+
+- dhEphem:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- FB:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - FC:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - dhOneFlow:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- FB:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - FC:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - dhStatic:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- FB:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - FC:
+
+- SHA: SHA-256
+- MAC: HMAC
+
+Prerequisite: SHS #4010, DSA #1302, DRBG #1731 |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #147
+Version 10.0.15254 |
+
+
+
+- KAS ECC:
+
+- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
+- Schemes:
+
+- Ephemeral Unified:
+
+- Key Agreement Roles: Initiator, Responder
+- KDFs: Concatenation
+- Parameter Sets:
+
+- EC:
+
+- Curve: P-256
+- SHA: SHA-256
+- MAC: HMAC
+ - ED:
+
+- Curve: P-384
+- SHA: SHA-384
+- MAC: HMAC
+ - EE:
+
+- Curve: P-521
+- SHA: SHA-512
+- MAC: HMAC
+ - One Pass DH:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- EC:
+
+- Curve: P-256
+- SHA: SHA-256
+- MAC: HMAC
+ - ED:
+
+- Curve: P-384
+- SHA: SHA-384
+- MAC: HMAC
+ - EE:
+
+- Curve: P-521
+- SHA: SHA-512
+- MAC: HMAC
+ - Static Unified:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- EC:
+
+- Curve: P-256
+- SHA: SHA-256
+- MAC: HMAC
+ - ED:
+
+- Curve: P-384
+- SHA: SHA-384
+- MAC: HMAC
+ - EE:
+
+- Curve: P-521
+- SHA: SHA-512
+- MAC: HMAC
+
+Prerequisite: SHS #4009, ECDSA #1246, DRBG #1730
+
+- KAS FFC:
+
+- Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
+- Schemes:
+
+- dhEphem:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- FB:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - FC:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - dhOneFlow:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- FB:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - FC:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - dhStatic:
+
+- Key Agreement Roles: Initiator, Responder
+- Parameter Sets:
+
+- FB:
+
+- SHA: SHA-256
+- MAC: HMAC
+ - FC:
+
+- SHA: SHA-256
+- MAC: HMAC
+
+Prerequisite: SHS #4009, DSA #1301, DRBG #1730 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #146
+Version 10.0.16299 |
+
+
+ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ]
+SHS Val#3790
+DSA Val#1135
+DRBG Val#1556 |
+Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #128
+Version 10.0.15063 |
+
+
+FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+SHS Val#3790
+DSA Val#1223
+DRBG Val#1555
+ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+
+SHS Val#3790
+ECDSA Val#1133
+DRBG Val#1555 |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127
+Version 10.0.15063 |
+
+
+FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+SHS Val# 3649
+DSA Val#1188
+DRBG Val#1430
+ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115
+Version 7.00.2872 |
+
+
+FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhHybridOneFlow ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+SHS Val#3648
+DSA Val#1187
+DRBG Val#1429
+ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+
+SHS Val#3648
+ECDSA Val#1072
+DRBG Val#1429 |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114
+Version 8.00.6246 |
+
+
+ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration )
+SCHEMES [ FullUnified ( No_KC < KARole(s): Initiator / Responder > < KDF: CONCAT > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ]
+SHS Val# 3347 ECDSA Val#920 DRBG Val#1222 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93
+Version 10.0.14393 |
+
+
+FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation )
+SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic (No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+SHS Val# 3347 DSA Val#1098 DRBG Val#1217
+ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+SHS Val# 3347 DSA Val#1098 ECDSA Val#911 DRBG Val#1217 HMAC Val#2651 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #92
+Version 10.0.14393 |
+
+
+FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+SHS Val# 3047 DSA Val#1024 DRBG Val#955
+ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+SHS Val# 3047 ECDSA Val#760 DRBG Val#955 |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72
+Version 10.0.10586 |
+
+
+FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+SHS Val# 2886 DSA Val#983 DRBG Val#868
+ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+SHS Val# 2886 ECDSA Val#706 DRBG Val#868 |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64
+Version 10.0.10240 |
+
+
+FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+SHS Val#2373 DSA Val#855 DRBG Val#489
+ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+SHS Val#2373 ECDSA Val#505 DRBG Val#489 |
+Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47
+Version 6.3.9600 |
+
+
+FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+SHS #1903 DSA Val#687 DRBG #258
+ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+
+SHS #1903 ECDSA Val#341 DRBG #258 |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36 |
+
+
+KAS (SP 800–56A)
+key agreement
+key establishment methodology provides 80 to 256 bits of encryption strength |
+Windows 7 and SP1, vendor-affirmed
+Windows Server 2008 R2 and SP1, vendor-affirmed |
+
+
+
+
+
+SP 800-108 Key-Based Key Derivation Functions (KBKDF)
+
+
+
+
+| Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
+
+
+
+- Counter:
+
+- MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
+
+MAC prerequisite: HMAC #3271
+
+
+- Counter Location: Before Fixed Data
+- R Length: 32 (bits)
+- SPs used to generate K: SP 800-56A, SP 800-90A
+
+ K prerequisite: DRBG #1734, KAS #150 |
+Microsoft Surface Hub Virtual TPM Implementations #161
+Version 10.0.15063.674 |
+
+
+
+- Counter:
+
+- MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
+
+MAC prerequisite: HMAC #3270
+
+
+- Counter Location: Before Fixed Data
+- R Length: 32 (bits)
+- SPs used to generate K: SP 800-56A, SP 800-90A
+
+ K prerequisite: DRBG #1733, KAS #149 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #160
+Version 10.0.16299 |
+
+
+
+- Counter:
+
+- MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
+
+MAC prerequisite: AES #4902, HMAC #3269
+
+
+- Counter Location: Before Fixed Data
+- R Length: 32 (bits)
+- SPs used to generate K: SP 800-56A, SP 800-90A
+- K prerequisite: KAS #148
+
+ |
+Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #159
+Version 10.0.15063.674 |
+
+
+
+- Counter:
+
+- MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
+
+MAC prerequisite: AES #4901, HMAC #3268
+
+
+- Counter Location: Before Fixed Data
+- R Length: 32 (bits)
+- SPs used to generate K: SP 800-56A, SP 800-90A
+
+ K prerequisite: KAS #147 |
+Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #158
+Version 10.0.15254 |
+
+
+
+- Counter:
+
+- MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
+
+MAC prerequisite: AES #4897, HMAC #3267
+
+
+- Counter Location: Before Fixed Data
+- R Length: 32 (bits)
+- SPs used to generate K: SP 800-56A, SP 800-90A
+
+ K prerequisite: KAS #146 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #157
+Version 10.0.16299 |
+
+
+CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+
+KAS Val#128
+DRBG Val#1556
+MAC Val#3062 |
+Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #141
+Version 10.0.15063 |
+
+
+CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+
+KAS Val#127
+AES Val#4624
+DRBG Val#1555
+MAC Val#3061 |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #140
+Version 10.0.15063 |
+
+
+CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+KAS Val#93 DRBG Val#1222 MAC Val#2661 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102
+Version 10.0.14393 |
+
+
+CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+KAS Val#92 AES Val#4064 DRBG Val#1217 MAC Val#2651 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101
+Version 10.0.14393 |
+
+
+CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+KAS Val#72 AES Val#3629 DRBG Val#955 MAC Val#2381 |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72
+Version 10.0.10586 |
+
+
+CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+KAS Val#64 AES Val#3497 RBG Val#868 MAC Val#2233 |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66
+Version 10.0.10240 |
+
+
+CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+DRBG Val#489 MAC Val#1773 |
+Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30
+Version 6.3.9600 |
+
+
+CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+DRBG #258 HMAC Val#1345 |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3 |
+
+
+
+
+
+Random Number Generator (RNG)
+
+
+
+
+
+
+
+
+| Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
+
+
+FIPS 186-2 General Purpose
+[ (x-Original); (SHA-1) ] |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110 |
+
+
+FIPS 186-2
+[ (x-Original); (SHA-1) ] |
+Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060
+Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292
+Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286
+Windows CE 5.00 and Window CE 5.01 Enhanced Cryptographic Provider (RSAENH) #66 |
+
+
+FIPS 186-2
+[ (x-Change Notice); (SHA-1) ]
+FIPS 186-2 General Purpose
+[ (x-Change Notice); (SHA-1) ] |
+Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649
+Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435
+Windows Vista RNG implementation #321 |
+
+
+FIPS 186-2 General Purpose
+[ (x-Change Notice); (SHA-1) ] |
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470
+Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449
+Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #316
+Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313 |
+
+
+FIPS 186-2
+[ (x-Change Notice); (SHA-1) ] |
+Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448
+Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314 |
+
+
+
+
+
+#### RSA
+
+
+
+
+
+
+
+
+| Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
+
+
+RSA:
+
+- 186-4:
+
+- Signature Generation PKCS1.5:
+
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384
+ - Signature Generation PSS:
+
+- Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+ - Signature Verification PKCS1.5:
+
+- Mod 1024 SHA: SHA-1, SHA-256, SHA-384
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384
+ - Signature Verification PSS:
+
+- Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+
+Prerequisite: SHS #4011, DRBG #1734 |
+Microsoft Surface Hub Virtual TPM Implementations #2677
+Version 10.0.15063.674 |
+
+
+RSA:
+
+- 186-4:
+
+- Signature Generation PKCS1.5:
+
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384
+ - Signature Generation PSS:
+
+- Mod 2048:
+
+- SHA-1: Salt Length: 240 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+ - Signature Verification PKCS1.5:
+
+- Mod 1024 SHA: SHA-1, SHA-256, SHA-384
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384
+ - Signature Verification PSS:
+
+- Mod 1024:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+ - Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+
+Prerequisite: SHS #4009, DRBG #1733 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #2676
+Version 10.0.16299 |
+
+
+RSA:
+
+- 186-4:
+
+- Key Generation:
+- Signature Verification PKCS1.5:
+
+- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+
+Prerequisite: SHS #4011, DRBG #1732 |
+Microsoft Surface Hub RSA32 Algorithm Implementations #2675
+Version 10.0.15063.674 |
+
+
+RSA:
+
+- 186-4:
+
+- Signature Verification PKCS1.5:
+
+- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+
+Prerequisite: SHS #4009, DRBG #1730 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations #2674
+Version 10.0.16299 |
+
+
+RSA:
+
+- 186-4:
+
+- Signature Verification PKCS1.5:
+
+- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+
+Prerequisite: SHS #4010, DRBG #1731 |
+Windows 10 Mobile (version 1709) RSA32 Algorithm Implementations #2673
+Version 10.0.15254 |
+
+
+RSA:
+
+- 186-4:
+
+- Key Generation:
+
+- Public Key Exponent: Fixed (10001)
+- Provable Primes with Conditions:
+
+- Mod lengths: 2048, 3072 (bits)
+- Primality Tests: C.3
+ - Signature Generation PKCS1.5:
+
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Generation PSS:
+
+- Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Signature Verification PKCS1.5:
+
+- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Verification PSS:
+
+- Mod 1024:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 496 (bits)
+ - Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+
+Prerequisite: SHS #4011, DRBG #1732 |
+Microsoft Surface Hub MsBignum Cryptographic Implementations #2672
+Version 10.0.15063.674 |
+
+
+RSA:
+
+- 186-4:
+
+- Key Generation:
+
+- Probable Random Primes:
+
+- Mod lengths: 2048, 3072 (bits)
+- Primality Tests: C.2
+ - Signature Generation PKCS1.5:
+
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Generation PSS:
+
+- Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Signature Verification PKCS1.5:
+
+- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Verification PSS:
+
+- Mod 1024:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 496 (bits)
+ - Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+
+Prerequisite: SHS #4011, DRBG #1732 |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #2671
+Version 10.0.15063.674 |
+
+
+RSA:
+
+- 186-4:
+
+- Key Generation:
+
+- Probable Random Primes:
+
+- Mod lengths: 2048, 3072 (bits)
+- Primality Tests: C.2
+ - Signature Generation PKCS1.5:
+
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Generation PSS:
+
+- Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Signature Verification PKCS1.5:
+
+- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Verification PSS:
+
+- Mod 1024:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 496 (bits)
+ - Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+
+Prerequisite: SHS #4010, DRBG #1731 |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2670
+Version 10.0.15254 |
+
+
+RSA:
+
+- 186-4:
+
+- Key Generation:
+
+- Public Key Exponent: Fixed (10001)
+- Provable Primes with Conditions:
+
+- Mod lengths: 2048, 3072 (bits)
+- Primality Tests: C.3
+ - Signature Generation PKCS1.5:
+
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Generation PSS:
+
+- Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Signature Verification PKCS1.5:
+
+- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Verification PSS:
+
+- Mod 1024:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 496 (bits)
+ - Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+
+Prerequisite: SHS #4010, DRBG #1731 |
+Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #2669
+Version 10.0.15254 |
+
+
+
+- 186-4:
+
+- Key Generation:
+
+- Public Key Exponent: Fixed (10001)
+- Provable Primes with Conditions:
+
+- Mod lengths: 2048, 3072 (bits)
+- Primality Tests: C.3
+ - Signature Generation PKCS1.5:
+
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Generation PSS:
+
+- Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Signature Verification PKCS1.5:
+
+- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Verification PSS:
+
+- Mod 1024:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 496 (bits)
+ - Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+
+Prerequisite: SHS #4009, DRBG #1730 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #2668
+Version 10.0.16299 |
+
+
+
+- 186-4:
+
+- Key Generation:
+
+- Probable Random Primes:
+
+- Mod lengths: 2048, 3072 (bits)
+- Primality Tests: C.2
+ - Signature Generation PKCS1.5:
+
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Generation PSS:
+
+- Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Signature Verification PKCS1.5:
+
+- Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+- Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
+ - Signature Verification PSS:
+
+- Mod 1024:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 496 (bits)
+ - Mod 2048:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+ - Mod 3072:
+
+- SHA-1: Salt Length: 160 (bits)
+- SHA-256: Salt Length: 256 (bits)
+- SHA-384: Salt Length: 384 (bits)
+- SHA-512: Salt Length: 512 (bits)
+
+Prerequisite: SHS #4009, DRBG #1730 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2667
+Version 10.0.16299 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
+SHA Val#3790 |
+Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524
+Version 10.0.15063 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#3790 |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523
+Version 10.0.15063 |
+
+
+FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+SHA Val#3790
+DRBG: Val# 1555 |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522
+Version 10.0.15063 |
+
+
+FIPS186-4:
+186-4KEY(gen):
+PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+SHA Val#3790 |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521
+Version 10.0.15063 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
+FIPS186-4:
+ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
+SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#3652 |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415
+Version 7.00.2872 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
+FIPS186-4:
+ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
+SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#3651 |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414
+Version 8.00.6246 |
+
+
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val# 3649 , SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
+FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
+PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val# 3649
+DRBG: Val# 1430 |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412
+Version 7.00.2872 |
+
+
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
+FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
+PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#3648
+DRBG: Val# 1429 |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411
+Version 8.00.6246 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
+SHA Val# 3347 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206
+Version 10.0.14393 |
+
+
+FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+SHA Val# 3347 DRBG: Val# 1217 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195
+Version 10.0.14393 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#3346 |
+soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194
+Version 10.0.14393 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val# 3347 DRBG: Val# 1217 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193
+Version 10.0.14393 |
+
+
+FIPS186-4:
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+SHA Val# 3347 DRBG: Val# 1217 |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192
+Version 10.0.14393 |
+
+
+FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+SHA Val# 3047 DRBG: Val# 955 |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889
+Version 10.0.10586 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#3048 |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871
+Version 10.0.10586 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val# 3047 |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888
+Version 10.0.10586 |
+
+
+FIPS186-4:
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+SHA Val# 3047 |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887
+Version 10.0.10586 |
+
+
+FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+SHA Val# 2886 DRBG: Val# 868 |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798
+Version 10.0.10240 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#2871 |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784
+Version 10.0.10240 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#2871 |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783
+Version 10.0.10240 |
+
+
+FIPS186-4:
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+Sig(Ver): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+SHA Val# 2886 |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802
+Version 10.0.10240 |
+
+
+FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+SHA Val#2373 DRBG: Val# 489 |
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487
+Version 6.3.9600 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#2373 |
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494
+Version 6.3.9600 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#2373 |
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493
+Version 6.3.9600 |
+
+
+FIPS186-4:
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+ Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+SHA Val#2373 |
+Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519
+Version 6.3.9600 |
+
+
+FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
+SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 ))
+SHA #1903
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134. |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134 |
+
+
+FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+SHA #1903 DRBG: #258 |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132. |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052. |
+Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051. |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051 |
+
+
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568. |
+Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568 |
+
+
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#567. See Historical RSA List Val#560. |
+Windows Server 2008 R2 and SP1 CNG algorithms #567
+Windows 7 and SP1 CNG algorithms #560 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559. |
+Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559 |
+
+
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#557. |
+Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#395. |
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#783
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#371. |
+Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371 |
+
+
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
+ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#358. See Historical RSA List Val#357. |
+Windows Server 2008 CNG algorithms #358
+Windows Vista SP1 CNG algorithms #357 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#355. See Historical RSA List Val#354. |
+Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355
+Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353. |
+Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258. |
+Windows Vista RSA key generation implementation #258 |
+
+
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
+ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#257. |
+Windows Vista CNG algorithms #257 |
+
+
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#255. |
+Windows Vista Enhanced Cryptographic Provider (RSAENH) #255 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#245. |
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#230. |
+Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#222. |
+Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222 |
+
+
+FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]:
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#364
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#81. |
+Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81 |
+
+
+FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#52. |
+Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52 |
+
+
+FIPS186-2:
+– PKCS#1 v1.5, signature generation and verification
+– Mod sizes: 1024, 1536, 2048, 3072, 4096
+– SHS: SHA–1/256/384/512 |
+Windows XP, vendor-affirmed
+Windows 2000, vendor-affirmed |
+
+
+
+
+
+#### Secure Hash Standard (SHS)
+
+
+
+
+
+
+
+
+| Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
+
+
+
+- SHA-1:
+
+- Supports Empty Message
+ - SHA-256:
+
+- Supports Empty Message
+ - SHA-384:
+
+- Supports Empty Message
+ - SHA-512:
+
+- Supports Empty Message
+ |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #4011
+Version 10.0.15063.674 |
+
+
+
+- SHA-1:
+
+- Supports Empty Message
+ - SHA-256:
+
+- Supports Empty Message
+ - SHA-384:
+
+- Supports Empty Message
+ - SHA-512:
+
+- Supports Empty Message
+ |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4010
+Version 10.0.15254 |
+
+
+
+- SHA-1:
+
+- Supports Empty Message
+ - SHA-256:
+
+- Supports Empty Message
+ - SHA-384:
+
+- Supports Empty Message
+ - SHA-512:
+
+- Supports Empty Message
+ |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4009
+Version 10.0.16299 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3790
+Version 10.0.15063 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3652
+Version 7.00.2872 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3651
+Version 8.00.6246 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3649
+Version 7.00.2872 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3648
+Version 8.00.6246 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #3347
+Version 10.0.14393 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #3346
+Version 10.0.14393 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #3048
+Version 10.0.10586 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #3047
+Version 10.0.10586 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886
+Version 10.0.10240 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871
+Version 10.0.10240 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396
+Version 6.3.9600 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
+Version 6.3.9600 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)
+Implementation does not support zero-length (null) messages. |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1774
+Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1773 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows 7and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816 |
+
+
+| SHA-1 (BYTE-only) |
+Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #785
+Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #784 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #783 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753
+Windows Vista Symmetric Algorithm Implementation #618 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only) |
+Windows Vista BitLocker Drive Encryption #737
+Windows Vista Beta 2 BitLocker Drive Encryption #495 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #613
+Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #364 |
+
+
+| SHA-1 (BYTE-only) |
+Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #611
+Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #610
+Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #385
+Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #371
+Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #181
+Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #177
+Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #176 |
+
+
+SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only) |
+Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #589
+Windows CE and Windows Mobile 6 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #578
+Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #305 |
+
+
+| SHA-1 (BYTE-only) |
+Windows XP Microsoft Enhanced Cryptographic Provider #83
+Crypto Driver for Windows 2000 (fips.sys) #35
+Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #32
+Windows 2000 RSAENH.DLL #24
+Windows 2000 RSABASE.DLL #23
+Windows NT 4 SP6 RSAENH.DLL #21
+Windows NT 4 SP6 RSABASE.DLL #20 |
+
+
+
+
+
+#### Triple DES
+
+
+
+
+
+
+
+
+| Modes / States / Key Sizes |
+Algorithm Implementation and Certificate # |
+
+
+
+- TDES-CBC:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ - TDES-CFB64:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ - TDES-CFB8:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ - TDES-ECB:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #2558
+Version 10.0.15063.674 |
+
+
+
+- TDES-CBC:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ - TDES-CFB64:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ - TDES-CFB8:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ - TDES-ECB:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2557
+Version 10.0.15254 |
+
+
+
+- TDES-CBC:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ - TDES-CFB64:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ - TDES-CFB8:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ - TDES-ECB:
+
+- Modes: Decrypt, Encrypt
+- Keying Option: 1
+ |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2556
+Version 10.0.16299 |
+
+
+| TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, ) |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459
+Version 10.0.15063 |
+
+
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384
+Version 8.00.6246 |
+
+
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) |
+Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383
+Version 8.00.6246 |
+
+
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) ;
+CTR ( int only ) |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382
+Version 7.00.2872 |
+
+
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) |
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381
+Version 8.00.6246 |
+
+
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) ;
+TCFB8( KO 1 e/d, ) ;
+TCFB64( KO 1 e/d, ) |
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227
+
+
+Version 10.0.14393 |
+
+
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) ;
+TCFB8( KO 1 e/d, ) ;
+TCFB64( KO 1 e/d, ) |
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024
+
+
+Version 10.0.10586 |
+
+
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) ;
+TCFB8( KO 1 e/d, ) ;
+TCFB64( KO 1 e/d, ) |
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969
+
+
+Version 10.0.10240 |
+
+
+TECB( KO 1 e/d, ) ;
+TCBC( KO 1 e/d, ) ;
+TCFB8( KO 1 e/d, ) ;
+TCFB64( KO 1 e/d, ) |
+Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692
+Version 6.3.9600 |
+
+
+TECB( e/d; KO 1,2 ) ;
+TCBC( e/d; KO 1,2 ) ;
+TCFB8( e/d; KO 1,2 ) ;
+TCFB64( e/d; KO 1,2 ) |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387 |
+
+
+TECB( e/d; KO 1,2 ) ;
+TCBC( e/d; KO 1,2 ) ;
+TCFB8( e/d; KO 1,2 ) |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386 |
+
+
+TECB( e/d; KO 1,2 ) ;
+TCBC( e/d; KO 1,2 ) ;
+TCFB8( e/d; KO 1,2 ) |
+Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846 |
+
+
+TECB( e/d; KO 1,2 ) ;
+TCBC( e/d; KO 1,2 ) ;
+TCFB8( e/d; KO 1,2 ) |
+Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656 |
+
+
+TECB( e/d; KO 1,2 ) ;
+TCBC( e/d; KO 1,2 ) ;
+TCFB8( e/d; KO 1,2 ) |
+Windows Vista Symmetric Algorithm Implementation #549 |
+
+
+| Triple DES MAC |
+Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed
+Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed |
+
+
+TECB( e/d; KO 1,2 ) ;
+TCBC( e/d; KO 1,2 ) |
+Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308
+Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691
+Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #677
+Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #676
+Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #675
+Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #544
+Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #543
+Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #542
+Windows CE 6.0 and Window CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #526
+Windows CE and Windows Mobile 6 and Windows Mobile 6.1 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #517
+Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #381
+Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #370
+Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #365
+Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #315
+Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #201
+Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #199
+Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #192
+Windows XP Microsoft Enhanced Cryptographic Provider #81
+Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #18
+Crypto Driver for Windows 2000 (fips.sys) #16 |
+
+
+
+
+
+#### SP 800-132 Password Based Key Derivation Function (PBKDF)
+
+
+
+ |
+ Modes / States / Key Sizes
+ |
+
+ Algorithm Implementation and Certificate #
+ |
+
+
+ |
+ PBKDF (vendor affirmed) |
+
+ Kernel Mode Cryptographic Primitives Library (cng.sys) Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2937
(Software Version: 10.0.14393)
+ Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
(Software Version: 10.0.14393)
+ Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2935
(Software Version: 10.0.14393)
+ Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2931
(Software Version: 10.0.14393)
+ |
+
+
+ |
+ PBKDF (vendor affirmed) |
+
+ Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
(Software Version: 10.0.14393)
+ Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG), vendor-affirmed
+ |
+
+
+
+
+#### Component Validation List
+
+
+
+
+
+
+
+
+| Publication / Component Validated / Description |
+Implementation and Certificate # |
+
+
+
+- ECDSA SigGen:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: DRBG #489 |
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540
+Version 6.3.9600 |
+
+
+
+- RSASP1:
+
+- Modulus Size: 2048 (bits)
+- Padding Algorithms: PKCS 1.5
+ |
+Microsoft Surface Hub Virtual TPM Implementations #1519
+Version 10.0.15063.674 |
+
+
+
+- RSASP1:
+
+- Modulus Size: 2048 (bits)
+- Padding Algorithms: PKCS 1.5
+ |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1518
+Version 10.0.16299 |
+
+
+
+- RSADP:
+
+- Modulus Size: 2048 (bits)
+ |
+Microsoft Surface Hub MsBignum Cryptographic Implementations #1517
+Version 10.0.15063.674 |
+
+
+
+- RSASP1:
+
+- Modulus Size: 2048 (bits)
+- Padding Algorithms: PKCS 1.5
+ |
+Microsoft Surface Hub MsBignum Cryptographic Implementations #1516
+Version 10.0.15063.674 |
+
+
+
+- ECDSA SigGen:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+ Prerequisite: DRBG #1732 |
+Microsoft Surface Hub MsBignum Cryptographic Implementations #1515
+Version 10.0.15063.674 |
+
+
+
+- ECDSA SigGen:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: DRBG #1732 |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #1514
+Version 10.0.15063.674 |
+
+
+
+- RSADP:
+
+- Modulus Size: 2048 (bits)
+ |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #1513
+Version 10.0.15063.674 |
+
+
+
+- RSASP1:
+
+- Modulus Size: 2048 (bits)
+- Padding Algorithms: PKCS 1.5
+ |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #1512
+Version 10.0.15063.674 |
+
+
+
+- IKEv1:
+
+- Methods: Digital Signature, Pre-shared Key, Public Key Encryption
+- Pre-shared Key Length: 64-2048
+- Diffie-Hellman shared secrets:
+
+- Diffie-Hellman shared secret:
+
+- Length: 2048 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 256 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 384 (bits)
+- SHA Functions: SHA-384
+
+Prerequisite: SHS #4011, HMAC #3269
+
+- IKEv2:
+
+- Derived Keying Material length: 192-1792
+- Diffie-Hellman shared secrets:
+
+- Diffie-Hellman shared secret:
+
+- Length: 2048 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 256 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 384 (bits)
+- SHA Functions: SHA-384
+
+Prerequisite: SHS #4011, HMAC #3269
+
+- TLS:
+
+- Supports TLS 1.0/1.1
+- Supports TLS 1.2:
+
+- SHA Functions: SHA-256, SHA-384
+
+Prerequisite: SHS #4011, HMAC #3269 |
+Microsoft Surface Hub SymCrypt Cryptographic Implementations #1511
+Version 10.0.15063.674 |
+
+
+
+- ECDSA SigGen:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: DRBG #1731 |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1510
+Version 10.0.15254 |
+
+
+
+- RSADP:
+
+- Modulus Size: 2048 (bits)
+ |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1509
+Version 10.0.15254 |
+
+
+
+- RSASP1:
+
+- Modulus Size: 2048 (bits)
+- Padding Algorithms: PKCS 1.5
+ |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1508
+Version 10.0.15254 |
+
+
+
+- IKEv1:
+
+- Methods: Digital Signature, Pre-shared Key, Public Key Encryption
+- Pre-shared Key Length: 64-2048
+- Diffie-Hellman shared secrets:
+
+- Diffie-Hellman shared secret:
+
+- Length: 2048 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 256 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 384 (bits)
+- SHA Functions: SHA-384
+
+Prerequisite: SHS #4010, HMAC #3268
+
+- IKEv2:
+
+- Derived Keying Material length: 192-1792
+- Diffie-Hellman shared secrets:
+
+- Diffie-Hellman shared secret:
+
+- Length: 2048 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 256 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 384 (bits)
+- SHA Functions: SHA-384
+
+Prerequisite: SHS #4010, HMAC #3268
+
+- TLS:
+
+- Supports TLS 1.0/1.1
+- Supports TLS 1.2:
+
+- SHA Functions: SHA-256, SHA-384
+
+Prerequisite: SHS #4010, HMAC #3268 |
+Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1507
+Version 10.0.15254 |
+
+
+
+- ECDSA SigGen:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: DRBG #1731 |
+Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1506
+Version 10.0.15254 |
+
+
+
+- RSADP:
+
+- Modulus Size: 2048 (bits)
+ |
+Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1505
+Version 10.0.15254 |
+
+
+
+- RSASP1:
+
+- Modulus Size: 2048 (bits)
+- Padding Algorithms: PKCS 1.5
+ |
+Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1504
+Version 10.0.15254 |
+
+
+
+- ECDSA SigGen:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: DRBG #1730 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1503
+Version 10.0.16299 |
+
+
+
+- RSADP:
+
+- Modulus Size: 2048 (bits)
+ |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1502
+Version 10.0.16299 |
+
+
+
+- RSASP1:
+
+- Modulus Size: 2048 (bits)
+- Padding Algorithms: PKCS 1.5
+ |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1501
+Version 10.0.16299 |
+
+
+
+- ECDSA SigGen:
+
+- P-256 SHA: SHA-256
+- P-384 SHA: SHA-384
+- P-521 SHA: SHA-512
+
+Prerequisite: DRBG #1730 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1499
+Version 10.0.16299 |
+
+
+
+- RSADP:
+
+- Modulus Size: 2048 (bits)
+ |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1498
+Version 10.0.16299
+ |
+
+
+
+- RSASP1:
+
+- Modulus Size: 2048 (bits)
+- Padding Algorithms: PKCS 1.5
+ |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1497
+Version 10.0.16299 |
+
+
+
+- IKEv1:
+
+- Methods: Digital Signature, Pre-shared Key, Public Key Encryption
+- Pre-shared Key Length: 64-2048
+- Diffie-Hellman shared secrets:
+
+- Diffie-Hellman shared secret:
+
+- Length: 2048 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 256 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 384 (bits)
+- SHA Functions: SHA-384
+
+Prerequisite: SHS #4009, HMAC #3267
+
+- IKEv2:
+
+- Derived Keying Material length: 192-1792
+- Diffie-Hellman shared secrets:
+
+- Diffie-Hellman shared secret:
+
+- Length: 2048 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 256 (bits)
+- SHA Functions: SHA-256
+ - Diffie-Hellman shared secret:
+
+- Length: 384 (bits)
+- SHA Functions: SHA-384
+
+Prerequisite: SHS #4009, HMAC #3267
+
+- TLS:
+
+- Supports TLS 1.0/1.1
+- Supports TLS 1.2:
+
+- SHA Functions: SHA-256, SHA-384
+
+Prerequisite: SHS #4009, HMAC #3267 |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1496
+Version 10.0.16299 |
+
+
+FIPS186-4 ECDSA
+Signature Generation of hash sized messages
+ECDSA SigGen Component: CURVES( P-256 P-384 P-521 ) |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1284
+Version 10.0. 15063
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1279
+Version 10.0. 15063
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #922
+Version 10.0.14393
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894
+Version 10.0.14393icrosoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #666
+Version 10.0.10586
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288
+Version 6.3.9600 |
+
+
+FIPS186-4 RSA; PKCS#1 v2.1
+RSASP1 Signature Primitive
+RSASP1: (Mod2048: PKCS1.5 PKCSPSS) |
+Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1285
+Version 10.0.15063
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1282
+Version 10.0.15063
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1280
+Version 10.0.15063
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #893
+Version 10.0.14393
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #888
+Version 10.0.14393
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665
+Version 10.0.10586
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #572
+Version 10.0.10240
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry MsBignum Cryptographic Implementations #289
+Version 6.3.9600 |
+
+
+FIPS186-4 RSA; RSADP
+RSADP Primitive
+RSADP: (Mod2048) |
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1283
+Version 10.0.15063
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1281
+Version 10.0.15063
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #895
+Version 10.0.14393
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #887
+Version 10.0.14393
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #663
+Version 10.0.10586
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #576
+Version 10.0.10240 |
+
+
+SP800-135
+Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS |
+Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1496
+Version 10.0.16299
+Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1278
+Version 10.0.15063
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1140
+Version 7.00.2872
+Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1139
+Version 8.00.6246
+Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BcryptPrimitives and NCryptSSLp #886
+Version 10.0.14393
+Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BCryptPrimitives and NCryptSSLp #664
+Version 10.0.10586
+Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BCryptPrimitives and NCryptSSLp #575
+Version 10.0.10240
+Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp #323
+Version 6.3.9600 |
+
+
+
+
+
+## References
+
+\[[FIPS 140](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)\] - FIPS 140-2, Security Requirements for Cryptographic Modules
+
+\[[FIPS FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf)\] - Cryptographic Module Validation Program (CMVP) FAQ
+
+\[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\] - Recommendation for Key Management – Part 1: General (Revised)
+
+\[[SP 800-131A](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)\] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
+
+## Additional Microsoft References
+
+Enabling FIPS mode -
+
+Cipher Suites in Schannel - [https://msdn.microsoft.com/library/aa374757(VS.85).aspx](https://msdn.microsoft.com/library/aa374757\(vs.85\).aspx)
+
diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md
index 546e5f5d36..6e0e5385e8 100644
--- a/windows/security/threat-protection/intelligence/fileless-threats.md
+++ b/windows/security/threat-protection/intelligence/fileless-threats.md
@@ -1,8 +1,8 @@
---
title: Fileless threats
ms.reviewer:
-description: Learn about fileless threats, its categories, and how it runs
-keywords: fileless, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV, Microsoft Defender ATP
+description: Learn about the categories of fileless threats and malware that "live off the land"
+keywords: fileless, fileless malware, living off the land, lolbins, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV, Microsoft Defender ATP, next generation protection
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
@@ -18,9 +18,9 @@ search.appverid: met150
# Fileless threats
-What exactly is a fileless threat? The term "fileless" suggests that a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition. The term is used broadly; it's also used to describe malware families that do rely on files to operate.
+What exactly are fileless threats? The term "fileless" suggests that a threat does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition for fileless malware. The term is used broadly; it's also used to describe malware families that do rely on files to operate.
-Given that attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) for functionalities like execution, persistence, or information theft, some parts of the attack chain may be fileless, while others may involve the filesystem in some form or another.
+Given that attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) for functionalities like execution, persistence, or information theft, some parts of the attack chain may be fileless, while others may involve the filesystem in some form.
For clarity, fileless threats are grouped into different categories.
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
index 7cd0315cc8..b2d4621b58 100644
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md
@@ -37,5 +37,5 @@ The wsusscn2.cab file contains the metadata of only security updates, update rol
For security compliance and for desktop/server hardening, we recommend the Microsoft Security Baselines and the Security Compliance Toolkit.
- [Windows security baselines](windows-security-baselines.md)
-- [Download Microsoft Security Compliance Toolkit 1.0 ](https://www.microsoft.com/download/details.aspx?id=55319)
+- [Download Microsoft Security Compliance Toolkit 1.0](https://www.microsoft.com/download/details.aspx?id=55319)
- [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/TOC.md b/windows/security/threat-protection/microsoft-defender-atp/TOC.md
index ff64c95cca..44f14073d3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/TOC.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/TOC.md
@@ -3,7 +3,12 @@
## [Overview](overview.md)
### [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
#### [What's in the dashboard and what it means for my organization](tvm-dashboard-insights.md)
+#### [Exposure score](tvm-exposure-score.md)
#### [Configuration score](configuration-score.md)
+#### [Security recommendation](tvm-security-recommendation.md)
+#### [Remediation](tvm-remediation.md)
+#### [Software inventory](tvm-software-inventory.md)
+#### [Weaknesses](tvm-weaknesses.md)
#### [Scenarios](threat-and-vuln-mgt-scenarios.md)
@@ -65,9 +70,6 @@
###### [Remove file from blocked list](respond-file-alerts.md#remove-file-from-blocked-list)
###### [Check activity details in Action center](respond-file-alerts.md#check-activity-details-in-action-center)
###### [Deep analysis](respond-file-alerts.md#deep-analysis)
-###### [Submit files for analysis](respond-file-alerts.md#submit-files-for-analysis)
-###### [View deep analysis reports](respond-file-alerts.md#view-deep-analysis-reports)
-###### [Troubleshoot deep analysis](respond-file-alerts.md#troubleshoot-deep-analysis)
##### [Investigate entities using Live response](live-response.md)
@@ -75,6 +77,7 @@
### [Automated investigation and remediation](automated-investigations.md)
#### [Learn about the automated investigation and remediation dashboard](manage-auto-investigation.md)
+#### [Manage actions related to automated investigation and remediation](auto-investigation-action-center.md)
### [Secure score](overview-secure-score.md)
@@ -82,14 +85,12 @@
### [Microsoft Threat Experts](microsoft-threat-experts.md)
-### [Threat analytics](threat-analytics.md)
-
### [Advanced hunting](overview-hunting.md)
#### [Query data using Advanced hunting](advanced-hunting.md)
##### [Advanced hunting reference](advanced-hunting-reference.md)
##### [Advanced hunting query language best practices](advanced-hunting-best-practices.md)
#### [Custom detections](overview-custom-detections.md)
-#####[Create custom detections rules](custom-detection-rules.md)
+##### [Create custom detections rules](custom-detection-rules.md)
### [Management and APIs](management-apis.md)
#### [Understand threat intelligence concepts](threat-indicator-concepts.md)
@@ -100,7 +101,7 @@
#### [Protect users, data, and devices with Conditional Access](conditional-access.md)
#### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md)
#### [Information protection in Windows overview](information-protection-in-windows-overview.md)
-##### [Use sensitivity labels to prioritize incident response ](information-protection-investigation.md)
+##### [Use sensitivity labels to prioritize incident response](information-protection-investigation.md)
@@ -119,7 +120,7 @@
### [Assign user access to the portal](assign-portal-access.md)
### [Evaluate Microsoft Defender ATP](evaluate-atp.md)
-####Evaluate attack surface reduction
+#### Evaluate attack surface reduction
##### [Hardware-based isolation](../windows-defender-application-guard/test-scenarios-wd-app-guard.md)
##### [Application control](../windows-defender-application-control/audit-windows-defender-application-control-policies.md)
##### [Exploit protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md)
@@ -133,7 +134,7 @@
## [Configure and manage capabilities](onboard.md)
### [Configure attack surface reduction](configure-attack-surface-reduction.md)
-###Hardware-based isolation
+### Hardware-based isolation
#### [System integrity](../windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
#### [Application isolation](../windows-defender-application-guard/install-wd-app-guard.md)
##### [Configuration settings](../windows-defender-application-guard/configure-wd-app-guard.md)
@@ -352,6 +353,11 @@
#### Interoperability
##### [Partner applications](partner-applications.md)
+#### [Manage machine configuration](configure-machines.md)
+##### [Monitor and increase machine onboarding](configure-machines-onboarding.md)
+##### [Increase compliance to the security baseline](configure-machines-security-baseline.md)
+##### [Optimize ASR rule deployment and detections](configure-machines-asr.md)
+
#### Role-based access control
##### [Manage portal access using RBAC](rbac.md)
###### [Create and manage roles](user-roles.md)
@@ -363,7 +369,7 @@
### Configure Microsoft Threat Protection integration
#### [Configure Conditional Access](configure-conditional-access.md)
#### [Configure Microsoft Cloud App Security in Windows](microsoft-cloud-app-security-config.md)
-####[Configure information protection in Windows](information-protection-in-windows-config.md)
+#### [Configure information protection in Windows](information-protection-in-windows-config.md)
### [Configure Microsoft Defender Security Center settings](preferences-setup.md)
@@ -385,14 +391,14 @@
##### [Enable Threat intel](enable-custom-ti.md)
##### [Enable SIEM integration](enable-siem-integration.md)
-####Rules
+#### Rules
##### [Manage suppression rules](manage-suppression-rules.md)
##### [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list.md)
##### [Manage indicators](manage-indicators.md)
##### [Manage automation file uploads](manage-automation-file-uploads.md)
##### [Manage automation folder exclusions](manage-automation-folder-exclusions.md)
-####Machine management
+#### Machine management
##### [Onboarding machines](onboard-configure.md)
##### [Offboarding machines](offboard-machines.md)
@@ -401,7 +407,7 @@
## [Troubleshoot Microsoft Defender ATP](troubleshoot-overview.md)
-###Troubleshoot sensor state
+### Troubleshoot sensor state
#### [Check sensor state](check-sensor-status.md)
#### [Fix unhealthy sensors](fix-unhealthy-sensors.md)
#### [Inactive machines](fix-unhealthy-sensors.md#inactive-machines)
@@ -411,10 +417,14 @@
### [Troubleshoot Microsoft Defender ATP service issues](troubleshoot-mdatp.md)
#### [Check service health](service-status.md)
-###Troubleshoot attack surface reduction
+
+### [Troubleshoot live response issues]()
+#### [Troubleshoot issues related to live response](troubleshoot-live-response.md)
+
+### Troubleshoot attack surface reduction
#### [Network protection](../windows-defender-exploit-guard/troubleshoot-np.md)
#### [Attack surface reduction rules](../windows-defender-exploit-guard/troubleshoot-asr.md)
-#### [Collect diagnostic data for files](../windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md)
+#### [Collect diagnostic data for files](../windows-defender-exploit-guard/troubleshoot-np.md)
### [Troubleshoot next generation protection](../windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
index 46f0887e3f..edf9758501 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
@@ -29,35 +29,52 @@ Depending on the Microsoft security products that you use, some advanced feature
Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations:
## Automated investigation
+
When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigations](automated-investigations.md).
## Live response
-When you enable this feature, users with the appropriate permissions can initiate a live response session on machines.
-For more information on role assignments see, [Create and manage roles](user-roles.md).
+When you enable this feature, users with the appropriate permissions can initiate a live response session on machines.
+
+For more information on role assignments see, [Create and manage roles](user-roles.md).
## Live response unsigned script execution
-Enabling this feature allows you to run unsigned scripts in a live response session.
+Enabling this feature allows you to run unsigned scripts in a live response session.
## Auto-resolve remediated alerts
+
For tenants created on or after Windows 10, version 1809 the automated investigations capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don’t want to have alerts auto-resolved, you’ll need to manually turn off the feature.
->[!TIP]
+>[!TIP]
>For tenants created prior that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page.
>[!NOTE]
> - The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine.
>- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it.
-
## Block file
-This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled, see [Block files in your network](respond-file-alerts.md#block-files-in-your-network) for more details.
-If your organization satisfies these conditions, the feature is enabled by default. This feature enables you to block potentially malicious files in your network. This operation will prevent it from being read, written, or executed on machines in your organization.
+Blocking is only available if your organization uses Windows Defender Antivirus as the active antimalware solution, and if the cloud-based protection feature is enabled.
+
+This feature enables you to block potentially malicious files in your network. Blocking a file will prevent it from being read, written, or executed on machines in your organization.
+
+To turn **Allow or block** files on:
+
+1. In the navigation pane, select **Settings** > **Advanced features** > **Allow or block file**.
+
+1. Toggle the setting between **On** and **Off**.
+
+ 
+
+1. Select **Save preferences** at the bottom of the page.
+
+Once you have enabled this feature, you can [block files](respond-file-alerts.md#allow-or-block-file) via the **Add Indicator** tab on a file's profile page.
## Show user details
+
When you enable this feature, you'll be able to see user details stored in Azure Active Directory including a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views:
+
- Security operations dashboard
- Alert queue
- Machine details page
@@ -65,20 +82,21 @@ When you enable this feature, you'll be able to see user details stored in Azure
For more information, see [Investigate a user account](investigate-user.md).
## Skype for Business integration
+
Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks.
>[!NOTE]
-> When a machine is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when machines are in isolation mode.
-
+> When a machine is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when machines are in isolation mode.
## Azure Advanced Threat Protection integration
+
The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the machine-based investigation capability by pivoting across the network from an identify point of view.
-
>[!NOTE]
->You'll need to have the appropriate license to enable this feature.
+>You'll need to have the appropriate license to enable this feature.
### Enable the Microsoft Defender ATP integration from the Azure ATP portal
+
To receive contextual machine integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal.
1. Login to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
@@ -90,6 +108,7 @@ To receive contextual machine integration in Azure ATP, you'll also need to enab
When you complete the integration steps on both portals, you'll be able to see relevant alerts in the machine details or user details page.
## Office 365 Threat Intelligence connection
+
This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a holistic security investigation across Office 365 mailboxes and Windows machines.
@@ -100,41 +119,56 @@ When you enable this feature, you'll be able to incorporate data from Office 365
To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Microsoft Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512).
## Microsoft Threat Experts
+
Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability, while experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Microsoft Defender ATP portal's alerts dashboard and via email if you configure it.
>[!NOTE]
>The Microsoft Threat Experts capability in Microsoft Defender ATP is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security).
## Microsoft Cloud App Security
-Enabling this setting forwards Microsoft Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data.
+
+Enabling this setting forwards Microsoft Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data.
>[!NOTE]
>This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later.
## Azure Information Protection
+
Turning this setting on forwards signals to Azure Information Protection, giving data owners and administrators visibility into protected data on onboarded machines and machine risk ratings.
-
## Microsoft Intune connection
-This feature is only available if you have an active Microsoft Intune (Intune) license.
-When you enable this feature, you'll be able to share Microsoft Defender ATP device information to Intune and enhance policy enforcement.
+Microsoft Defender ATP can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [enable this feature](configure-conditional-access.md), you'll be able to share Microsoft Defender ATP device information with Intune, enhancing policy enforcement.
+
+>[!IMPORTANT]
+>You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature. For more information on specific steps, see [Configure Conditional Access in Microsoft Defender ATP](configure-conditional-access.md).
+
+This feature is only available if you have the following:
+
+- A licensed tenant for Enterprise Mobility + Security E3, and Windows E5 (or Microsoft 365 Enterprise E5)
+- An active Microsoft Intune environment, with Intune-managed Windows 10 devices [Azure AD-joined](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-join/).
+
+### Conditional Access policy
+
+When you enable Intune integration, Intune will automatically create a classic Conditional Access (CA) policy. This classic CA policy is a prerequisite for setting up status reports to Intune. It should not be deleted.
>[!NOTE]
->You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature.
-
+> The classic CA policy created by Intune is distinct from modern [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/conditional-access/overview/), which are used for configuring endpoints.
## Preview features
+
Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
## Enable advanced features
+
1. In the navigation pane, select **Preferences setup** > **Advanced features**.
2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
3. Click **Save preferences**.
## Related topics
+
- [Update data retention settings](data-retention-settings.md)
- [Configure alert notifications](configure-email-notifications.md)
- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
index 8e6f64817f..c22f668986 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
@@ -18,7 +18,7 @@ ms.topic: conceptual
ms.date: 04/24/2018
---
-# Advanced hunting query best practices Microsoft Defender ATP
+# Advanced hunting query best practices in Microsoft Defender ATP
**Applies to:**
@@ -28,23 +28,26 @@ ms.date: 04/24/2018
## Performance best practices
The following best practices serve as a guideline of query performance best practices and for you to get faster results and be able to run complex queries.
-- Use time filters first. Azure Kusto is highly optimized to utilize time filters. For more information, see [Azure Kusto](https://docs.microsoft.com/connectors/kusto/).
-- Put filters that are expected to remove most of the data in the beginning of the query, following the time filter.
-- Use 'has' keyword over 'contains' when looking for full tokens.
+- When trying new queries, always use `limit` to avoid extremely large result sets or use `count` to assess the size of the result set.
+- Use time filters first. Ideally, limit your queries to 7 days.
+- Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter.
+- Use the `has` operator over `contains` when looking for full tokens.
- Use looking in specific column rather than using full text search across all columns.
-- When joining between two tables - choose the table with less rows to be the first one (left-most).
-- When joining between two tables - project only needed columns from both sides of the join.
+- When joining between two tables, specify the table with fewer rows first.
+- When joining between two tables, project only needed columns from both sides of the join.
+
+>[!Tip]
+>For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/en-us/azure/kusto/query/best-practices).
## Query tips and pitfalls
-### Unique Process IDs
-Process IDs are recycled in Windows and reused for new processes and therefore can't serve as a unique identifier for a specific process.
+### Using process IDs
+Process IDs (PIDs) are recycled in Windows and reused for new processes and therefore can't serve as a unique identifier for a specific process.
To address this issue, Microsoft Defender ATP created the time process. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time.
+So, when you join data based on a specific process or summarize data for each process, you'll need to use a machine identifier (either `MachineId` or `ComputerName`), a process ID (`ProcessId` or `InitiatingProcessId`) and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`)
-So, when you join data based on a specific process or summarize data for each process, you'll need to use a machine identifier (either MachineId or ComputerName), a process ID (ProcessId or InitiatingProcessId) and the process creation time (ProcessCreationTime or InitiatingProcessCreationTime)
-
-The following example query is created to find processes that access more than 10 IP addresses over port 445 (SMB) - possibly scanning for file shares.
+The following example query is created to find processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.
Example query:
```
@@ -54,13 +57,13 @@ NetworkCommunicationEvents
| where RemoteIPCount > 10
```
-The query summarizes by both InitiatingProcessId and InitiatingProcessCreationTime - to make sure the query looks at a single process, and not mixing multiple processes with the same process ID.
+The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID.
-### Using command line queries
+### Using command lines
-Command lines may vary - when applicable, filter on file names and do fuzzy matching.
+Command lines can vary. When applicable, filter on file names and do fuzzy matching.
-There are numerous ways to construct a command line to accomplish a task.
+There are numerous ways to construct a command line to accomplish a task.
For example, a malicious attacker could specify the process image file name without a path, with full path, without the file extension, using environment variables, add quotes, and others. In addition, the attacker can also change the order of some parameters, add multiple quotes or spaces, and much more.
@@ -68,7 +71,7 @@ To create more durable queries using command lines, we recommended the following
- Identify the known processes (such as net.exe, psexec.exe, and others) by matching on the filename fields, instead of filtering on the command line field.
- When querying for command line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators.
-- Use case insensitive matches. For example, use '=~', 'in~', 'contains' instead of '==', 'in' or 'contains_cs'
+- Use case insensitive matches. For example, use `=~`, `in~`, `contains` instead of `==`, `in` or `contains_cs`
- To mitigate DOS command line obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. This is just the start of handling DOS obfuscation techniques, but it does mitigate the most common ones.
The following example query shows various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service:
@@ -90,7 +93,4 @@ ProcessCreationEvents
| where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc"
```
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
-
-
-
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md
index 44e20add28..4ca2aebb87 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md
@@ -23,7 +23,7 @@ ms.date: 08/15/2018
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-To get you started in querying your data, you can use the basic or Advanced query examples that have some preloaded queries for you to understand the basic query syntax.
+To get you started in querying your data, you can use the Basic or Advanced query examples, which have some preloaded queries to help you understand the basic query syntax.
@@ -109,7 +109,7 @@ You can create or modify a query and save it as your own query or share it with
### Update a query
These steps guide you on modifying and overwriting an existing query.
-1. Edit an existing query.
+1. Edit an existing query.
2. Click the **Save**.
@@ -151,6 +151,3 @@ Check out the [Advanced hunting repository](https://github.com/Microsoft/Windows
## Related topic
- [Advanced hunting reference](advanced-hunting-reference.md)
- [Advanced hunting query language best practices](advanced-hunting-best-practices.md)
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
index da4a174d2c..a3455dcc67 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
@@ -63,12 +63,39 @@ So, for example:
- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
+#### Understanding alert categories
+We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will retain the previous category names.
+
+The table below lists the current categories and how they generally map to previous categories.
+
+| New category | Previous categories | Detected threat activity or component |
+|----------------------|----------------------|-------------|
+| Collection | - | Locating and collecting data for exfiltration |
+| Command and control | CommandAndControl | Connecting to attacker-controlled network infrastructure to relay data or receive commands |
+| Credential access | CredentialTheft | Obtaining valid credentials to extend control over devices and other resources in the network |
+| Defense evasion | - | Avoiding security controls by, for example, turning off security apps, deleting implants, and running rootkits |
+| Discovery | Reconnaissance, WebFingerprinting | Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers |
+| Execution | Delivery, MalwareDownload | Launching attacker tools and malicious code, including RATs and backdoors |
+| Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location |
+| Exploit | Exploit | Exploit code and possible exploitation activity |
+| Initial access | SocialEngineering, WebExploit, DocumentExploit | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails |
+| Lateral movement | LateralMovement, NetworkPropagation | Moving between devices in the target network to reach critical resources or gain network persistence |
+| Malware | Malware, Backdoor, Trojan, TrojanDownloader, CredentialStealing, Weaponization, RemoteAccessTool | Backdoors, trojans, and other types of malicious code |
+| Persistence | Installation, Persistence | Creating autostart extensibility points (ASEPs) to remain active and survive system restarts |
+| Privilege escalation | PrivilegeEscalation | Obtaining higher permission levels for code by running it in the context of a privileged process or account |
+| Ransomware | Ransomware | Malware that encrypts files and extorts payment to restore access |
+| Suspicious activity | General, None, NotApplicable, EnterprisePolicy, SuspiciousNetworkTraffic | Atypicaly activity that could be malware activity or part of an attack |
+| Unwanted software | UnwantedSoftware | Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs) |
+
### Status
You can choose to limit the list of alerts based on their status.
### Investigation state
Corresponds to the automated investigation state.
+### Category
+You can choose to filter the queue to display specific types of malicious activity.
+
### Assigned to
You can choose between showing alerts that are assigned to you or automation.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
index 05fcb78399..3817d34a9a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
@@ -46,7 +46,7 @@ status | Enum | Specifies the current status of the alert. Possible values are:
investigationState | Nullable Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign Failed PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert' .
classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
-category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General' .
+category| String | Category of the alert. Possible values are: 'Collection', 'Command and control', 'Credential access', 'Defense evasion', 'Discovery', 'Execution', 'Exfiltration', 'Exploit', 'Initial access', 'Lateral movement', 'Malware', 'Persistence', 'Privilege escalation', 'Ransomware', 'Suspicious activity', 'Unwanted software'.
detectionSource | string | Detection source.
threatFamilyName | string | Threat family.
title | string | Alert title.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
index a09b2f556d..a3d83d4880 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
@@ -1,5 +1,5 @@
---
-title: Advanced Hunting API
+title: Hello World
ms.reviewer:
description: Use this API to run advanced queries
keywords: apis, supported apis, advanced hunting, query
@@ -19,10 +19,9 @@ ms.topic: article
# Microsoft Defender ATP API - Hello World
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## Get Alerts using a simple PowerShell script
@@ -33,68 +32,60 @@ It only takes 5 minutes done in two steps:
- Use examples: only requires copy/paste of a short PowerShell script
### Do I need a permission to connect?
-For the App registration stage, you must have a Global administrator role in your Azure Active Directory (Azure AD) tenant.
+For the Application registration stage, you must have a **Global administrator** role in your Azure Active Directory (Azure AD) tenant.
### Step 1 - Create an App in Azure Active Directory
-1. Log on to [Azure](https://portal.azure.com) with your Global administrator user.
+1. Log on to [Azure](https://portal.azure.com) with your **Global administrator** user.
-2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**.
+2. Navigate to **Azure Active Directory** > **App registrations** > **New registration**.
- 
+ 
-3. In the registration form, enter the following information, then click **Create**.
+3. In the registration form, choose a name for your application and then click **Register**.
- - **Name:** Choose your own name.
- - **Application type:** Web app / API
- - **Redirect URI:** `https://127.0.0.1`
+4. Allow your Application to access Microsoft Defender ATP and assign it **'Read all alerts'** permission:
- 
+ - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
-4. Allow your App to access Microsoft Defender ATP and assign it 'Read all alerts' permission:
+ - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
- - Click **Settings** > **Required permissions** > **Add**.
+ 
- 
+ - Choose **Application permissions** > **Alert.Read.All** > Click on **Add permissions**
- - Click **Select an API** > **WindowsDefenderATP**, then click **Select**.
+ 
- **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
+ **Important note**: You need to select the relevant permissions. 'Read All Alerts' is only an example!
- 
+ For instance,
- - Click **Select permissions** > **Read all alerts** > **Select**.
+ - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
+ - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission
+ - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
- 
+5. Click **Grant consent**
- - Click **Done**
+ - **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect.
- 
+ 
- - Click **Grant permissions**
+6. Add a secret to the application.
- **Note**: Every time you add permission you must click on **Grant permissions**.
+ - Click **Certificates & secrets**, add description to the secret and click **Add**.
- 
+ **Important**: After click Add, **copy the generated secret value**. You won't be able to retrieve after you leave!
-5. Create a key for your App:
+ 
- - Click **Keys**, type a key name and click **Save**.
+7. Write down your application ID and your tenant ID:
- 
+ - On your application page, go to **Overview** and copy the following:
-6. Write down your App ID and your Tenant ID:
-
- - App ID:
-
- 
-
- - Tenant ID: Navigate to **Azure Active Directory** > **Properties**
-
- 
+ 
-Done! You have successfully registered an application!
+Done! You have successfully registered an application!
### Step 2 - Get a token using the App and use this token to access the API.
@@ -106,8 +97,8 @@ Done! You have successfully registered an application!
# Paste below your Tenant ID, App ID and App Secret (App key).
$tenantId = '' ### Paste your tenant ID here
-$appId = '' ### Paste your app ID here
-$appSecret = '' ### Paste your app key here
+$appId = '' ### Paste your Application ID here
+$appSecret = '' ### Paste your Application secret here
$resourceAppIdUri = 'https://api.securitycenter.windows.com'
$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
index ba81f53c58..4c97c07b2e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
@@ -39,19 +39,19 @@ Field numbers match the numbers in the images below.
>
> | Portal label | SIEM field name | ArcSight field | Example value | Description |
> |------------------|---------------------------|---------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-> | 1 | AlertTitle | name | A dll was unexpectedly loaded into a high integrity process without a UAC prompt | Value available for every alert. |
-> | 2 | Severity | deviceSeverity | Medium | Value available for every alert. |
-> | 3 | Category | deviceEventCategory | Privilege Escalation | Value available for every alert. |
-> | 4 | Source | sourceServiceName | WindowsDefenderATP | Windows Defender Antivirus or Microsoft Defender ATP. Value available for every alert. |
-> | 5 | MachineName | sourceHostName | liz-bean | Value available for every alert. |
+> | 1 | AlertTitle | name | Windows Defender AV detected 'Mikatz' high-severity malware | Value available for every alert. |
+> | 2 | Severity | deviceSeverity | High | Value available for every alert. |
+> | 3 | Category | deviceEventCategory | Malware | Value available for every alert. |
+> | 4 | Detection source | sourceServiceName | Antivirus | Windows Defender Antivirus or Microsoft Defender ATP. Value available for every alert. |
+> | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every alert. |
> | 6 | FileName | fileName | Robocopy.exe | Available for alerts associated with a file or process. |
> | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for alerts associated with a file or process. |
-> | 8 | UserDomain | sourceNtDomain | contoso | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based alerts. |
-> | 9 | UserName | sourceUserName | liz-bean | The user context running the activity, available for Microsoft Defender ATP behavioral based alerts. |
-> | 10 | Sha1 | fileHash | 5b4b3985339529be3151d331395f667e1d5b7f35 | Available for alerts associated with a file or process. |
-> | 11 | Md5 | deviceCustomString5 | 55394b85cb5edddff551f6f3faa9d8eb | Available for Windows Defender AV alerts. |
-> | 12 | Sha256 | deviceCustomString6 | 9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5 | Available for Windows Defender AV alerts. |
-> | 13 | ThreatName | eviceCustomString1 | Trojan:Win32/Skeeyah.A!bit | Available for Windows Defender AV alerts. |
+> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based alerts. |
+> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Microsoft Defender ATP behavioral based alerts. |
+> | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for alerts associated with a file or process. |
+> | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Windows Defender AV alerts. |
+> | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Windows Defender AV alerts. |
+> | 13 | ThreatName | deviceCustomString1 | HackTool:Win32/Mikatz!dha | Available for Windows Defender AV alerts. |
> | 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. |
> | 15 | Url | requestUrl | down.esales360.cn | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. |
> | 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. |
@@ -60,7 +60,7 @@ Field numbers match the numbers in the images below.
> | 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every alert. |
> | 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the activity relevant to the alert occurred. Value available for every alert. |
> | 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every alert. |
-> | 22 | Actor | deviceCustomString4 | | Available for alerts related to a known actor group. |
+> | 22 | Actor | deviceCustomString4 | BORON | Available for alerts related to a known actor group. |
> | 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every alert. |
> | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available. |
> | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md
index 9a0cea7281..122b141332 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md
@@ -20,7 +20,7 @@ ms.topic: article
## APIs
-Microsoft Defender ATP APIs are governed by [Microsoft API License and Terms of use](https://docs.microsoft.com/en-us/legal/microsoft-apis/terms-of-use).
+Microsoft Defender ATP APIs are governed by [Microsoft API License and Terms of use](https://docs.microsoft.com/legal/microsoft-apis/terms-of-use).
## Legal Notices
diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
index a550e32f0c..e97f64fda4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
@@ -24,7 +24,7 @@ ms.topic: conceptual
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
In general, you’ll need to take the following steps to use the APIs:
- Create an AAD application
diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
new file mode 100644
index 0000000000..8945fc0931
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
@@ -0,0 +1,54 @@
+---
+title: Manage actions related to automated investigation and remediation
+description: Use the action center to manage actions related to automated investigation and response
+keywords: action, center, autoir, automated, investigation, response, remediation
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Manage actions related to automated investigation and remediation
+
+The Action center aggregates all investigations that require an action for an investigation to proceed or be completed.
+
+
+
+The action center consists of two main tabs:
+- Pending actions - Displays a list of ongoing investigations that require attention. A recommended action is presented to the analyst, which they can approve or reject.
+- History - Acts as an audit log for:
+ - All actions taken by AutoIR or approved by an analyst with ability to undo actions that support this capability (for example, quarantine file).
+ - All commands ran and remediation actions applied in Live Response with ability to undo actions that support this capability.
+ - Remediation actions applied by Windows Defender AV with ability to undo actions that support this capability.
+
+
+
+
+Use the Customize columns drop-down menu to select columns that you'd like to show or hide.
+
+From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
+
+
+>[!NOTE]
+>The tab will only appear if there are pending actions for that category.
+
+### Approve or reject an action
+You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed.
+
+Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed.
+
+From the panel, you can click on the Open investigation page link to see the investigation details.
+
+You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations.
+
+## Related topics
+- [Automated investigation and investigation](automated-investigations.md)
+- [Learn about the automated investigations dashboard](manage-auto-investigation.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
index a4e69d1eab..7e77ed48e3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@@ -56,7 +56,7 @@ During an Automated investigation, details about each analyzed entity is categor
The **Log** tab reflects the chronological detailed view of all the investigation actions taken on the alert.
-If there are pending actions on the investigation, the **Pending actions** tab will be displayed where you can approve or reject actions.
+If there are pending actions on the investigation, the **Pending actions** tab will be displayed where you can approve or reject actions. You can also go to the **Action center** to get an aggregated view all pending actions and manage remediaton actions. It also acts as an audit trail for all Automated investigation actions.
### How an Automated investigation expands its scope
diff --git a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
index ac4575e88d..8057947dc2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
@@ -25,7 +25,7 @@ ms.date: 04/24/2018
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-checksensor-abovefoldlink)
-The sensor health tile provides information on the individual machine’s ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
+The sensor health tile is found on the Security Operations dashboard. This tile provides information on the individual machine’s ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
There are two status indicators on the tile that provide information on the number of machines that are not reporting properly to the service:
- **Misconfigured** - These machines might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected.
@@ -44,7 +44,7 @@ You can filter the health state list by the following status:
- **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service.
-You can view the machine details when you click on a misconfigured or inactive machine. You’ll see more specific machine information when you click the information icon.
+You can view the machine details when you click on a misconfigured or inactive machine.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
index c3b917aac9..919befad8e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
@@ -1,57 +1,61 @@
----
-title: Overview of Configuration score in Microsoft Defender Security Center
-ms.reviewer:
-description: Expand your visibility into the overall security configuration posture of your organization
-keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: mjcaparas
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 04/11/2019
----
-# Configuration score
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](prerelease.md)]
-
->[!NOTE]
-> Secure score is now part of Threat & Vulnerability Management as Configuration score. We’ll keep the secure score page available for a few weeks. View the [Secure score](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection) page.
-
-The Microsoft Defender Advanced Threat Protection Configuration score gives you visibility and control over your organization's security posture based on security best practices.
-
-Your configuration score widget shows the collective security configuration state of your machines across the following categories:
-- Application
-- Operating system
-- Network
-- Accounts
-- Security controls
-
-## How it works
-
-What you'll see in the configuration score widget is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously:
-- Compare collected configurations to the collected benchmarks to discover misconfigured assets
-- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by remediating the misconfiguration
-- Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams)
-- Collect and monitor changes of security control configuration state from all assets
-
-From the widget, you'd be able to see which security aspect require attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can take action based on security benchmarks.
-
-## Improve your configuration score
-The goal is to improve your configuration score by remediating the issues in the security recommendations list. You can filter the view based on:
-- **Related component** - **Accounts**, **Application**, **Network**, **OS**, or **Security controls**
-- **Remediation type** - **Configuration change** or **Software update**
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+---
+title: Overview of Configuration score in Microsoft Defender Security Center
+description: Expand your visibility into the overall security configuration posture of your organization
+keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 04/11/2019
+---
+# Configuration score
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>[!NOTE]
+> Secure score is now part of Threat & Vulnerability Management as Configuration score. The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page.
+
+The Microsoft Defender Advanced Threat Protection Configuration score gives you visibility and control over the security posture of your organization based on security best practices. High configuration score means your endpoints are more resilient from cybersecurity threat attacks.
+
+Your configuration score widget shows the collective security configuration state of your machines across the following categories:
+- Application
+- Operating system
+- Network
+- Accounts
+- Security controls
+
+## How it works
+
+The data in the configuration score widget is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously:
+- Compare collected configurations to the collected benchmarks to discover misconfigured assets
+- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by remediating the misconfiguration
+- Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams)
+- Collect and monitor changes of security control configuration state from all assets
+
+From the widget, you'd be able to see which security aspect requires attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can act on them based on security benchmarks.
+
+## Improve your configuration score
+The goal is to remediate the issues in the security recommendations list to improve your configuration score. You can filter the view based on:
+- **Related component** — **Accounts**, **Application**, **Network**, **OS**, or **Security controls**
+- **Remediation type** — **Configuration change** or **Software update**
+
+See how you can [improve your security configuration](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios#improve-your-security-configuration), for details.
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Remediation](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md
index d1a14f1f7d..0911a2d722 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md
@@ -1,45 +1,45 @@
----
-title: Configure Threat & Vulnerability Management in Microsoft Defender ATP
-ms.reviewer:
-description: Configure your Threat & Vulnerability Management to allow security administrators and IT administrators to collaborate seamlessly to remediate issues via Microsoft intune and Microsoft System Center Configuration Manager (SCCM) integrations.
-keywords: RBAC, Threat & Vulnerability Management configuration, Threat & Vulnerability Management integrations, Microsft Intune integration with TVM, SCCM integration with TVM
-search.product: Windows 10
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: mjcaparas
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-# Configure Threat & Vulnerability Management
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](prerelease.md)]
-
-This section guides you through the steps you need to take to configure Threat & Vulnerability Management's integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM) for a seamless collaboration of issue remediation.
-
-### Before you begin
-> [!IMPORTANT]
-> Threat & Vulnerability Management data currently supports Windows 10 machines. Upgrade to Windows 10 to account for the rest of your devices’ threat and vulnerability exposure data.
-
-Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM).
-
->[!WARNING]
->Only Intune and SCCM enrolled devices are supported in this scenario.
->Use any of the following options to enroll devices in Intune:
->- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment)
->- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school)
->- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup).
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
-- [Configuration score](configuration-score.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+---
+title: Configure Threat & Vulnerability Management in Microsoft Defender ATP
+ms.reviewer:
+description: Configure your Threat & Vulnerability Management to allow security administrators and IT administrators to collaborate seamlessly to remediate issues via Microsoft intune and Microsoft System Center Configuration Manager (SCCM) integrations.
+keywords: RBAC, Threat & Vulnerability Management configuration, Threat & Vulnerability Management integrations, Microsft Intune integration with TVM, SCCM integration with TVM
+search.product: Windows 10
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: mjcaparas
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+# Configure Threat & Vulnerability Management
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
+
+This section guides you through the steps you need to take to configure Threat & Vulnerability Management's integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM) for a seamless collaboration of issue remediation.
+
+### Before you begin
+> [!IMPORTANT]
+> Threat & Vulnerability Management data currently supports Windows 10 machines. Upgrade to Windows 10 to account for the rest of your devices’ threat and vulnerability exposure data.
+
+Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM).
+
+>[!WARNING]
+>Only Intune and SCCM enrolled devices are supported in this scenario.
+>Use any of the following options to enroll devices in Intune:
+>- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment)
+>- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school)
+>- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup).
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Configuration score](configuration-score.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md
index e1ba0b2aff..76fe3c070d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md
@@ -1,7 +1,7 @@
---
title: Configure Conditional Access in Microsoft Defender ATP
-description:
-keywords:
+description: Learn about steps that you need to do in Intune, Microsoft Defender Security Center, and Azure to implement Conditional access
+keywords: conditional access, conditional, access, device risk, risk level, integration, intune integration
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 09/03/2018
---
# Configure Conditional Access in Microsoft Defender ATP
@@ -29,17 +28,24 @@ This section guides you through all the steps you need to take to properly imple
>It's important to note that Azure AD registered devices is not supported in this scenario.
>Only Intune enrolled devices are supported.
+
You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to enroll devices in Intune:
- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment)
-- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school)
-- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup).
+- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune]https://docs.microsoft.com/intune/quickstart-enroll-windows-device)
+- End-user alternative: For more information on joining an Azure AD domain, see [How to: Plan your Azure AD join implementation](https://docs.microsoft.com/azure/active-directory/devices/azureadjoin-plan).
There are steps you'll need to take in Microsoft Defender Security Center, the Intune portal, and Azure AD portal.
+It's important to note the required roles to access these portals and implement Conditional access:
+- **Microsoft Defender Security Center** - You'll need to sign into the portal with a global administrator role to turn on the integration.
+- **Intune** - You'll need to sign in to the portal with security administrator rights with management permissions.
+- **Azure AD portal** - You'll need to sign in as a global administrator, security administrator, or Conditional Access administrator.
+
+
> [!NOTE]
> You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
index 05c041475c..133f0ecb0a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
@@ -69,7 +69,7 @@ You can create rules that determine the machines and alert severities to send em
Here's an example email notification:
-
+
## Edit a notification rule
1. Select the notification rule you'd like to edit.
@@ -101,4 +101,4 @@ This section lists various issues that you may encounter when using email notifi
- [Update data retention settings](data-retention-settings.md)
- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
- [Enable Secure Score security controls](enable-secure-score.md)
-- [Configure advanced features](advanced-features.md)
\ No newline at end of file
+- [Configure advanced features](advanced-features.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
index d16c45de90..54f60b64f4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
@@ -52,9 +52,9 @@ ms.date: 04/24/2018
4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
-5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
+5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate Task (At least Windows 7)**.
-6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account (BUILTIN\SYSTEM) under **Security options**.
+6. In the **Task** window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM and then click **Check Names** then **OK**. NT AUTHORITY\SYSTEM appears as the user account the task will run as.
7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
@@ -84,7 +84,7 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa
4. Click **Policies**, then **Administrative templates**.
-5. Click **Windows components** and then **Microsoft Defender ATP**.
+5. Click **Windows components** and then **Windows Defender ATP**.
6. Choose to enable or disable sample sharing from your machines.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
index b13eb91164..b1b6bdea64 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
@@ -61,7 +61,7 @@ You can use existing System Center Configuration Manager functionality to create
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
-3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/packages-and-programs) topic.
+3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs) topic.
a. Choose a predefined device collection to deploy the package to.
@@ -115,7 +115,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
-3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/packages-and-programs) topic.
+3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs) topic.
a. Choose a predefined device collection to deploy the package to.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
new file mode 100644
index 0000000000..9b0a3173f6
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
@@ -0,0 +1,55 @@
+---
+title: Optimize ASR rule deployment and detections
+description: Ensure your attack surface reduction (ASR) rules are fully deployed and optimized to effectively identify and prevent actions that are typically taken by malware during exploitation.
+keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: procedural
+---
+
+# Optimize ASR rule deployment and detections
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+
+[Attack surface reduction (ASR) rules](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives.
+
+
+*Attack surface management card*
+
+The **Attack surface management** card is an entry point to tools in Microsoft 365 security center that you can use to:
+
+- Understand how ASR rules are currently deployed in your organization
+- Review ASR detections and identify possible incorrect detections
+- Analyze the impact of exclusions and generate the list of file paths to exclude
+
+Selecting **Go to attack surface management** takes you to **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center.
+
+
+*Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center*
+
+>[!NOTE]
+>To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read more about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions)
+
+For more information about optimizing ASR rule deployment in Microsoft 365 security center, read [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
+
+# Related topics
+- [Ensure your machines are configured properly](configure-machines.md)
+- [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
+- [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
new file mode 100644
index 0000000000..f09ddf1096
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
@@ -0,0 +1,79 @@
+---
+title: Get machines onboarded to Microsoft Defender ATP
+description: Track onboarding of Intune-managed machines to Windows Defender ATP and increase onboarding rate.
+keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, configuration management
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: procedural
+---
+
+# Get machines onboarded to Microsoft Defender ATP
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+
+Each onboarded machine adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a machine can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks.
+
+>[!NOTE]
+>Before you can track and manage onboarding of machines, [enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management).
+
+## Discover and track unprotected machines
+
+The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows 10 machines that have actually onboarded to Microsoft Defender ATP against the total number of Intune-managed Windows 10 machines.
+
+
+*Card showing onboarded machines compared to the total number of Intune-managed Windows 10 machine*
+
+>[!NOTE]
+>- If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to your machines.
+>- During preview, you might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
+
+## Onboard more machines with Intune profiles
+
+Microsoft Defender ATP provides several convenient options for [onboarding Windows 10 machines](onboard-configure.md). For Intune-managed machines, however, you can leverage Intune profiles to conveniently deploy the Microsoft Defender ATP sensor to select machines, effectively onboarding these devices to the service.
+
+From the **Onboarding** card, select **Onboard more machines** to create and assign a profile on Intune. The link takes you to a similar overview of your onboarding state.
+
+>[!TIP]
+>Alternatively, you can navigate to the Microsoft Defender ATP onboarding compliance page in the [Microsoft Azure portal](https://portal.azure.com/) from **All services > Intune > Device compliance > Microsoft Defender ATP**.
+
+From the overview, create a configuration profile specifically for the deployment of the Microsoft Defender ATP sensor and assign that profile to the machines you want to onboard.
+
+1. Select **Create a device configuration profile to configure ATP sensor**.
+
+ 
+ *Microsoft Defender ATP device compliance page on Intune device management*
+
+2. Specify a name for the profile, specify desired configuration options for sample sharing and reporting frequency, and select **Create** to save the new profile.
+
+ 
+ *Configuration profile creation*
+
+3. After creating the profile, assign it to all your machines. You can review profiles and their deployment status anytime by accessing **Device configuration > Profiles** on Intune.
+
+ 
+ *Assigning the new agent profile to all machines*
+
+>[!TIP]
+>To learn more about Intune profiles, read [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-profile-assign).
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
+
+# Related topics
+- [Ensure your machines are configured properly](configure-machines.md)
+- [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)
+- [Optimize ASR rule deployment and detections](configure-machines-asr.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
new file mode 100644
index 0000000000..d91d24bb04
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
@@ -0,0 +1,111 @@
+---
+title: Increase compliance to the Microsoft Defender ATP security baseline
+description: The Microsoft Defender ATP security baseline sets Microsoft Defender ATP security controls to provide optimal protection.
+keywords: Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection ASR, security baseline
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: procedural
+---
+
+# Increase compliance to the Microsoft Defender ATP security baseline
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+
+Security baselines ensure that security features are configured according to guidance from both security experts and expert Windows system administrators. When deployed, the Microsoft Defender ATP security baseline sets Microsoft Defender ATP security controls to provide optimal protection.
+
+To understand security baselines and how they are assigned on Intune using configuration profiles, [read this FAQ](https://docs.microsoft.com/intune/security-baselines#q--a).
+
+>[!NOTE]
+>Before you can track and manage compliance to the Microsoft Defender ATP security baseline, [enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management).
+
+## Compare the Microsoft Defender ATP and the Windows Intune security baselines
+The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure machines running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Windows Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see:
+
+- [Windows security baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-windows)
+- [Microsoft Defender ATP baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-defender-atp)
+
+Both baselines are maintained so that they complement one another and have identical values for shared settings. Deploying both baselines to the same machine will not result in conflicts. Ideally, machines onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls.
+
+## Get permissions to manage security baselines in Intune
+
+By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage security baseline profiles. If you haven’t been assigned either role, work with a Global Administrator or an Intune Service Administrator to [create a custom role in Intune](https://docs.microsoft.com/intune/create-custom-role#to-create-a-custom-role) with full permissions to security baselines and then assign that role to your Azure AD group.
+
+
+
+*Security baseline permissions on Intune*
+
+## Monitor compliance to the Microsoft Defender ATP security baseline
+
+The **Security baseline** card on [machine configuration management](configure-machines.md) provides an overview of compliance across Windows 10 machines that have been assigned the Microsoft Defender ATP security baseline.
+
+
+*Card showing compliance to the Microsoft Defender ATP security baseline*
+
+Each machine is given one of the following status types:
+
+- **Matches baseline**—machine settings match all the settings in the baseline
+- **Does not match baseline**—at least one machine setting doesn't match the baseline
+- **Misconfigured**—at least one baseline setting isn't properly configured on the machine and is in a conflict, error, or pending state
+- **Not applicable**—At least one baseline setting isn't applicable on the machine
+
+To review specific machines, select **Configure security baseline** on the card. This takes you to Intune device management. From there, select **Device status** for the names and statuses of the machines.
+
+>[!NOTE]
+>During preview, you might encounter a few known limitations:
+>- You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
+>- The Microsoft Defender ATP security baseline currently doesn’t cover settings for all Microsoft Defender ATP security controls, including settings for exploit protection and Application Guard.
+
+## Review and assign the Microsoft Defender ATP security baseline
+
+Machine configuration management monitors baseline compliance only of Windows 10 machines that have been specifically assigned the Microsoft Defender ATP security baseline. You can conveniently review the baseline and assign it to machines on Intune device management.
+
+1. Select **Configure security baseline** on the **Security baseline** card to go to Intune device management. A similar overview of baseline compliance is displayed.
+
+ >[!TIP]
+ > Alternatively, you can navigate to the Microsoft Defender ATP security baseline in the Microsoft Azure portal from **All services > Intune > Device security > Security baselines (preview) > PREVIEW: Windows Defender ATP baseline**.
+
+
+2. Create a new profile.
+
+ 
+ *Microsoft Defender ATP security baseline overview on Intune*
+
+3. During profile creation, you can review and adjust specific settings on the baseline.
+
+ 
+ *Security baseline options during profile creation on Intune*
+
+4. Assign the profile to the appropriate machine group.
+
+ 
+ *Assigning the security baseline profile on Intune*
+
+5. Save the profile and deploy it to the assigned machine group.
+
+ 
+ *Saving and deploying the security baseline profile on Intune*
+
+>[!TIP]
+>To learn more about Intune security baselines and assigning them, read [Create a Windows 10 security baseline in Intune](https://docs.microsoft.com/intune/security-baselines).
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
+
+# Related topics
+- [Ensure your machines are configured properly](configure-machines.md)
+- [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
+- [Optimize ASR rule deployment and detections](configure-machines-asr.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
new file mode 100644
index 0000000000..31fbc743c6
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
@@ -0,0 +1,72 @@
+---
+title: Ensure your machines are configured properly
+description: Properly configure machines to boost overall resilience against threats and enhance your capability to detect and respond to attacks.
+keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: procedural
+---
+
+# Ensure your machines are configured properly
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+
+With properly configured machines, you can boost overall resilience against threats and enhance your capability to detect and respond to attacks. Security configuration management helps ensure that your machines:
+
+- Onboard to Microsoft Defender ATP
+- Meet or exceed the Microsoft Defender ATP security baseline configuration
+- Have strategic attack surface mitigations in place
+
+
+*Machine configuration management page*
+
+You can track configuration status at an organizational level and quickly take action in response to poor onboarding coverage, compliance issues, and poorly optimized attack surface mitigations through direct, deep links to device management pages on Microsoft Intune and Microsoft 365 security center.
+
+In doing so, you benefit from:
+- Comprehensive visibility of the events on your machines
+- Robust threat intelligence and powerful machine learning technologies for processing raw events and identifying the breach activity and threat indicators
+- A full stack of security features configured to efficiently stop the installation of malicious implants, hijacking of system files and process, data exfiltration, and other threat activities
+- Optimized attack surface mitigations, maximizing strategic defenses against threat activity while minimizing impact to productivity
+
+## Enroll machines to Intune management
+
+Machine configuration management works closely with Intune device management to establish the inventory of the machines in your organization and the baseline security configuration. You will be able to track and manage configuration issues on Intune-managed Windows 10 machines.
+
+Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read [Set up enrollment for Windows devices](https://docs.microsoft.com/en-us/intune/windows-enroll).
+
+>[!NOTE]
+>To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/en-us/intune/licenses-assign).
+
+>[!TIP]
+>To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).
+
+## Known issues and limitations in this preview
+During preview, you might encounter a few known limitations:
+- You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
+- The count of onboarded machines tracked by machine configuration management might not include machines onboarded using Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles. To include these machines, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to these machines.
+- The Microsoft Defender ATP security baseline currently doesn’t cover settings for all Microsoft Defender ATP security controls, including settings for exploit protection and Application Guard.
+
+
+## In this section
+Topic | Description
+:---|:---
+[Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)| Track onboarding status of Intune-managed machines and onboard more machines through Intune.
+[Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed machines.
+[Optimize ASR rule deployment and detections](configure-machines-asr.md) | Review rule deployment and tweak detections using impact analysis tools in Microsoft 365 security center.
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index 0f9793b0a9..ad8b37b921 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -20,13 +20,14 @@ ms.topic: article
**Applies to:**
+- Windows Server 2008 R2 SP1 (pre-release)
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server, version 1803
- Windows Server, 2019
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[!include[Prerelease information](prerelease.md)]
+[!include[Prerelease information](prerelease.md)]
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink)
@@ -34,6 +35,7 @@ ms.topic: article
Microsoft Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Microsoft Defender Security Center console.
The service supports the onboarding of the following servers:
+- Windows Server 2008 R2 SP1 (pre-release)
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server, version 1803
@@ -42,9 +44,9 @@ The service supports the onboarding of the following servers:
For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128).
-## Windows Server 2012 R2 and Windows Server 2016
+## Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016
-There are two options to onboard Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP:
+There are two options to onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP:
- **Option 1**: Onboard through Azure Security Center
- **Option 2**: Onboard through Microsoft Defender Security Center
@@ -52,19 +54,25 @@ There are two options to onboard Windows Server 2012 R2 and Windows Server 2016
### Option 1: Onboard servers through Azure Security Center
1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
-2. Select Windows Server 2012 R2 and 2016 as the operating system.
+2. Select Windows Server 2008 R2 SP1, 2012 R2 and 2016 as the operating system.
3. Click **Onboard Servers in Azure Security Center**.
4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
### Option 2: Onboard servers through Microsoft Defender Security Center
-You'll need to tak the following steps if you choose to onboard servers through Microsoft Defender Security Center.
+You'll need to take the following steps if you choose to onboard servers through Microsoft Defender Security Center.
-- For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients.
+- For Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements:
+ - Install the [February monthly update rollup](https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598)
+ - Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
+ - Install either [.NET framework 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
+
+
+- For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients.
>[!NOTE]
- >This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2.
+ >This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
- Turn on server monitoring from Microsoft Defender Security Center.
- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), simply attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multi Homing support. Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
@@ -129,7 +137,7 @@ Agent Resource | Ports
## Windows Server, version 1803 and Windows Server 2019
-To onboard Windows Server, version 1803 or Windows Server 2019, use the same method used when onboarding Windows 10 machines.
+To onboard Windows Server, version 1803 or Windows Server 2019, please refer to the supported methods and versions below.
Supported tools include:
- Local script
@@ -219,7 +227,7 @@ To offboard the server, you can use either of the following methods:
b. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID:
- 
+ 
2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index 8f0d992e58..92914defd5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -23,6 +23,10 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+Create custom detection rules from [Advanced hunting](overview-hunting.md) queries to automatically check for threat indicators and generate alerts whenever these indicators are found.
+
+>[!NOTE]
+>To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
1. In the navigation pane, select **Advanced hunting**.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
index eac5c12814..249bf4cfb4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
@@ -30,7 +30,7 @@ ms.date: 04/24/2018
During the onboarding process, a wizard takes you through the general settings of Microsoft Defender ATP. After onboarding, you might want to update the data retention settings.
-1. In the navigation pane, select **Settings** > **Data rention**.
+1. In the navigation pane, select **Settings** > **Data retention**.
2. Select the data retention duration from the drop-down list.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
index 1abeaeef86..1939474a15 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
@@ -1,8 +1,8 @@
---
title: Evaluate Microsoft Defender Advanced Threat Protection
ms.reviewer:
-description:
-keywords:
+description: Evaluate the different security capabilities in Microsoft Defender ATP.
+keywords: attack surface reduction, evaluate, next, generation, protection
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -16,7 +16,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 08/10/2018
---
# Evaluate Microsoft Defender ATP
diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
index 4a19677915..080111bee7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
@@ -216,7 +216,7 @@ See The below code was tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8
+>The below code was tested with Nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8
- Create a new Console Application
- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
@@ -215,7 +203,7 @@ You will get an answer of the form:
Sanity check to make sure you got a correct token:
- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it
- Validate you get a 'roles' claim with the desired permissions
-- In the screenshot below you can see a decoded token acquired from an app with permissions to all of Microsoft Defender ATP's roles:
+- In the screen shot below you can see a decoded token acquired from an Application with permissions to all of Microsoft Defender ATP's roles:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
index b17168bee0..58362fcab8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
@@ -40,7 +40,7 @@ In this section we share PowerShell samples to
Set-ExecutionPolicy -ExecutionPolicy Bypass
```
->For more details, refer to [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy)
+>For more details, refer to [PowerShell documentation](https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy)
## Get token
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1.png b/windows/security/threat-protection/microsoft-defender-atp/images/1.png
deleted file mode 100644
index 70ce314c00..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/1.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/WDATP-components.png b/windows/security/threat-protection/microsoft-defender-atp/images/WDATP-components.png
deleted file mode 100644
index 51f4335265..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/WDATP-components.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/action-center.png b/windows/security/threat-protection/microsoft-defender-atp/images/action-center.png
new file mode 100644
index 0000000000..02ad4445e6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/action-center.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/active-alerts-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/active-alerts-tile.png
index 19428a4156..849bacfa44 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/active-alerts-tile.png and b/windows/security/threat-protection/microsoft-defender-atp/images/active-alerts-tile.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/add-permission.png b/windows/security/threat-protection/microsoft-defender-atp/images/add-permission.png
new file mode 100644
index 0000000000..74d57acf8e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/add-permission.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG
index d7e7d092eb..57337cd9ab 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG and b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-save-query.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-save-query.PNG
index 2da889163c..4c6352b1e1 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-save-query.PNG and b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-save-query.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/alerts-queue-numbered.png b/windows/security/threat-protection/microsoft-defender-atp/images/alerts-queue-numbered.png
deleted file mode 100644
index 39c6a467aa..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/alerts-queue-numbered.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/analysis-results-nothing.png b/windows/security/threat-protection/microsoft-defender-atp/images/analysis-results-nothing.png
new file mode 100644
index 0000000000..39c4236d7c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/analysis-results-nothing.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/api-tenant-id.png b/windows/security/threat-protection/microsoft-defender-atp/images/api-tenant-id.png
deleted file mode 100644
index ebac0b0e34..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/api-tenant-id.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/app-and-tenant-ids.png b/windows/security/threat-protection/microsoft-defender-atp/images/app-and-tenant-ids.png
new file mode 100644
index 0000000000..1f4f508c8c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/app-and-tenant-ids.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions-public-client.png b/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions-public-client.png
new file mode 100644
index 0000000000..3fc32f22db
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions-public-client.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions.png b/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions.png
new file mode 100644
index 0000000000..15977b7c35
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-O365-admin-portal-customer.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-O365-admin-portal-customer.png
index c4a23269f5..5f7148efcf 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-O365-admin-portal-customer.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-O365-admin-portal-customer.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-active-investigations-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-active-investigations-tile.png
index 9d46d16055..43394cf2aa 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-active-investigations-tile.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-active-investigations-tile.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-alert.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-alert.png
index a23b78fd2f..1db12b6733 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-alert.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-alert.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-report.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-report.png
deleted file mode 100644
index c7c4d60928..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-report.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file-step-1.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file-step-1.PNG
new file mode 100644
index 0000000000..c2b346d926
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file-step-1.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file-step-2.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file-step-2.PNG
new file mode 100644
index 0000000000..a9d6418d30
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file-step-2.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file.png
new file mode 100644
index 0000000000..b894538426
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-indicator-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-results-filter.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-results-filter.PNG
index 40d4cf3b5c..47264c9f3c 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-results-filter.PNG and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-results-filter.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png
index e023ffdfd6..c8c053fd44 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-details.png
deleted file mode 100644
index f98240f439..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-details.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-mgt-pane.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-mgt-pane.png
index cb4a38b529..1f95169ebf 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-mgt-pane.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-mgt-pane.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-page.png
index 7ae7d3aa20..f6ae75b2cd 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-page.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-process-tree.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-process-tree.png
index b6ff98567a..a768200aab 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-process-tree.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-process-tree.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-source.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-source.png
deleted file mode 100644
index c2155cc7ee..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-source.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-timeline.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-timeline.png
index b34d5f4779..04078d3be3 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-timeline.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-timeline.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-view.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-view.png
index 1d9c37de33..3480437d09 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-view.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-view.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-group.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-group.png
deleted file mode 100644
index e3bf3d41f0..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-group.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-q.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-q.png
deleted file mode 100644
index 1131ead044..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-q.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-queue-user.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-queue-user.png
deleted file mode 100644
index 00185b3daa..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-queue-user.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-queue.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-queue.png
deleted file mode 100644
index 5bf942065e..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-queue.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-related-to-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-related-to-file.png
index ecfb56f1a8..7423e63ab9 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-related-to-file.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-related-to-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-selected.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-selected.png
index ec05ebcd1f..3290ef44c9 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-selected.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-selected.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alertsq1.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alertsq1.png
deleted file mode 100644
index 22a72d1306..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alertsq1.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alertsq2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alertsq2.png
deleted file mode 100644
index 7d65413066..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alertsq2.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-analyze-auto-ir.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-analyze-auto-ir.png
index ec8235b996..a80f24b421 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-analyze-auto-ir.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-analyze-auto-ir.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-approve-reject-action.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-approve-reject-action.png
deleted file mode 100644
index f96acc7694..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-approve-reject-action.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-auto-investigations-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-auto-investigations-list.png
index 2ac2a20e91..da9b66063b 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-auto-investigations-list.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-auto-investigations-list.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app.png
deleted file mode 100644
index 4449661657..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app2.png
new file mode 100644
index 0000000000..e04f757cff
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-billing-subscriptions.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-billing-subscriptions.png
index 8951659d17..dbcb2fee94 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-billing-subscriptions.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-billing-subscriptions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-create-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-create-dashboard.png
index fc628073fc..2b0a0be8d6 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-create-dashboard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-create-dashboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics-9.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics-9.png
deleted file mode 100644
index f40dff2c63..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics-9.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics-full.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics-full.png
deleted file mode 100644
index e4ec0ca34e..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics-full.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics.png
deleted file mode 100644
index 4f738b77ae..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-not-available.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-not-available.png
index fed14b65f4..9f868ac29e 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-not-available.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-not-available.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-ready.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-ready.png
index 3495a90989..0df653a018 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-ready.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-ready.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-retention-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-retention-policy.png
deleted file mode 100644
index 7b9454924e..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-retention-policy.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-delete-query.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-delete-query.png
index 703204c040..5e19d47b57 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-delete-query.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-delete-query.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-detailed-actor.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-detailed-actor.png
index 3df0eccc18..c1a4e36c75 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-detailed-actor.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-detailed-actor.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-connector.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-connector.png
index fc1a15b8e1..763a218960 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-connector.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-connector.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-action.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-action.png
new file mode 100644
index 0000000000..8e878d29a0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-action.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-open-save.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-open-save.PNG
new file mode 100644
index 0000000000..5cc1b1457b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-open-save.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file.PNG
new file mode 100644
index 0000000000..06dcfc796c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-confirm-delete.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-confirm-delete.PNG
new file mode 100644
index 0000000000..bb483bad25
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-confirm-delete.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-file.png
new file mode 100644
index 0000000000..f553b74b89
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-settings.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-settings.PNG
new file mode 100644
index 0000000000..b70aee3333
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-edit-indicator-settings.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-example-email-notification.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-example-email-notification.png
index 78290030a9..11e72fc6a9 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-example-email-notification.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-example-email-notification.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-in-org.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-in-org.png
index 12f980de0a..7e343cce7a 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-in-org.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-in-org.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-information.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-information.png
index ea5619c545..56e2d7dcf0 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-information.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-information.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-names.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-names.PNG
new file mode 100644
index 0000000000..3bf537a3ea
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-names.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-filter-advanced-hunting.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-filter-advanced-hunting.png
index 2787e7d147..b87ce58fcd 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-filter-advanced-hunting.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-filter-advanced-hunting.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-final-onboard-endpoints-warning-before-atp-access.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-final-onboard-endpoints-warning-before-atp-access.png
deleted file mode 100644
index bf39e4b81e..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-final-onboard-endpoints-warning-before-atp-access.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-final-preference-setup.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-final-preference-setup.png
deleted file mode 100644
index 9533a07777..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-final-preference-setup.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-geographic-location-setup.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-geographic-location-setup.png
deleted file mode 100644
index 18e8861973..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-geographic-location-setup.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-get-data.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-get-data.png
index 5f7bdc83b7..48f6c597a6 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-get-data.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-get-data.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-page.png
index 043255312e..b8117dc41d 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-page.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details.png
index bb11c88b62..c937e8fd04 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-evidence-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-evidence-tab.png
index 0b52a39faa..ffb98eef37 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-evidence-tab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-evidence-tab.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-details.png
index 5875c6fdb3..a952df593f 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-details.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-tab.png
index 7944809cde..4a5462d01a 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-tab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-tab.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph.png
index 1dd7f28817..35d1d00d6b 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-investigations-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-investigations-tab.png
index ffac35fc9b..62f5f70047 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-investigations-tab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-investigations-tab.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-machine-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-machine-tab.png
index 1e4d52ff8d..dc353f8c25 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-machine-tab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-machine-tab.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-queue.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-queue.png
index a2a61cb49b..89bc5c8f90 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-queue.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-queue.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-reason.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-reason.png
index 7fcdfcc834..f0dcb7626b 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-reason.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-reason.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane.png
index 7d02d3d6ed..5292a0a77f 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-industry-information.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-industry-information.png
deleted file mode 100644
index e53106da3e..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-industry-information.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-details-view.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-details-view.png
deleted file mode 100644
index 97529ae015..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-details-view.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-details-view2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-details-view2.png
deleted file mode 100644
index 5ce3e0d034..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-details-view2.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-health-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-health-details.png
index 9dd1e801dd..d628c4780a 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-health-details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-health-details.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-view-ata.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-view-ata.png
deleted file mode 100644
index 5e2258d16d..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-view-ata.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-misconfigured.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-misconfigured.png
deleted file mode 100644
index 3de8f88a28..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-misconfigured.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-view.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-view.png
deleted file mode 100644
index 6145c08a4c..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-view.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-view2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-view2.png
deleted file mode 100644
index 692b21869f..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-view2.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-view-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-view-list.png
deleted file mode 100644
index ac38039f3a..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-view-list.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-main-portal.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-main-portal.png
deleted file mode 100644
index 3336f8a1ac..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-main-portal.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping1.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping1.png
deleted file mode 100644
index b34e915132..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping1.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping5.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping5.png
index d3291b5cd5..3074e07daa 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping5.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping5.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping7.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping7.png
index 8e5589a6ca..e65ee2668a 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping7.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping7.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mcas-settings.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mcas-settings.png
deleted file mode 100644
index 11e12c2890..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mcas-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mdm-onboarding-package.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mdm-onboarding-package.png
deleted file mode 100644
index 2645ee2e58..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mdm-onboarding-package.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-new-alerts-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-new-alerts-list.png
deleted file mode 100644
index b9a758e159..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-new-alerts-list.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-no-subscriptions-found.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-no-subscriptions-found.png
index b538946141..d3d0ce1fbf 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-no-subscriptions-found.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-no-subscriptions-found.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-not-authorized-to-access-portal.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-not-authorized-to-access-portal.png
index 738c1470e7..8ed854fe5f 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-not-authorized-to-access-portal.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-not-authorized-to-access-portal.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-in-organization.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-in-organization.png
index b4865884d3..d4e9f24da9 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-in-organization.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-in-organization.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-machines.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-machines.png
index 845b97a82a..c835d12524 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-machines.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-machines.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-WDATP-portal-border-test.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-WDATP-portal-border-test.png
deleted file mode 100644
index 8a88c16936..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-WDATP-portal-border-test.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-run-detection-test.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-run-detection-test.png
index 02cc1bbc0f..edd651d7db 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-run-detection-test.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-run-detection-test.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints.png
deleted file mode 100644
index 36d21b5ebe..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-mdm.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-mdm.png
deleted file mode 100644
index 18b70c8c27..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-mdm.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-organization-size.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-organization-size.png
deleted file mode 100644
index e7e69034f0..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-organization-size.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-file.png
index 006d7c1a3f..96c32ee9a8 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-file.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-list.png
index 8da2532df7..d8ea23b4f2 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-list.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-list.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-sensor.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-sensor.png
deleted file mode 100644
index 06147c025e..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-sensor.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-welcome-screen.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-welcome-screen.png
deleted file mode 100644
index fda9bac914..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-welcome-screen.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal.png
deleted file mode 100644
index 0dc5215ce4..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-accept.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-accept.png
index d36fb7296c..78de2711e1 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-accept.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-accept.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-consent.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-consent.png
index 881c69c22c..39e48e2f4f 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-consent.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-consent.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-extension.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-extension.png
index eb02b6627a..865594531d 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-extension.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-extension.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-navigator.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-navigator.png
deleted file mode 100644
index 2c2c75ac33..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-navigator.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-preferences-setup.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-preferences-setup.png
index f271f16509..06c902871b 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-preferences-setup.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-preferences-setup.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-experience.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-experience.png
deleted file mode 100644
index 8055212471..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-experience.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-features.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-features.png
index 0908f75e43..d053776856 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-features.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-features.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-remediated-alert.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-remediated-alert.png
deleted file mode 100644
index d49b681907..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-remediated-alert.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-rename-incident.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-rename-incident.png
index 3df94c2e4d..be213c2acd 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-rename-incident.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-rename-incident.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-1.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-1.png
deleted file mode 100644
index ae8d72d307..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-1.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-dashboard.png
index 56a204ca39..b8d078d435 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-dashboard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-dashboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-dashboard.png
deleted file mode 100644
index 1b3c80e762..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-dashboard.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-view-machines.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-view-machines.png
deleted file mode 100644
index e7f8d974bf..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-view-machines.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-view-machines2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-view-machines2.png
deleted file mode 100644
index f80648993e..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-view-machines2.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-controls-9.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-controls-9.png
deleted file mode 100644
index 9ce191083b..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-controls-9.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-controls.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-controls.png
deleted file mode 100644
index 023881cd9b..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-controls.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter-resized.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter-resized.png
deleted file mode 100644
index 0c0f7d0eec..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter-resized.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter-tile.png
deleted file mode 100644
index 8e2da99e51..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter-tile.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter.png
deleted file mode 100644
index e59480d960..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-tile.png
deleted file mode 100644
index 067d26d957..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-tile.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-onboarding-workspaceid.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-onboarding-workspaceid.png
deleted file mode 100644
index 1c3154f188..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-onboarding-workspaceid.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-onboarding.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-onboarding.png
deleted file mode 100644
index 07fa544f73..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-onboarding.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-settings-powerbi.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-settings-powerbi.png
index 68d57863d9..a730bd0ba7 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-settings-powerbi.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-settings-powerbi.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-complete.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-complete.png
deleted file mode 100644
index 8ca66b33cc..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-complete.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-incomplete.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-incomplete.png
index 554c69e2a6..0d0ebde222 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-incomplete.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-incomplete.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-permissions-wdatp-portal.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-permissions-wdatp-portal.png
index 6b88b46227..eaf5e89d60 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-permissions-wdatp-portal.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-permissions-wdatp-portal.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-shared-queries.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-shared-queries.png
index bdcc1997eb..d3b6a7b64b 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-shared-queries.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-shared-queries.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping1.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping1.png
deleted file mode 100644
index c59c3c04c0..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping1.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping13.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping13.png
index 7a8d78a19e..fddaf0076c 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping13.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping13.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine-file.png
index 1f09d12343..55730d43ee 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine-file.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine.png
index db6082c4e1..85d190c821 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file.png
index a66341935b..3cc33d038b 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-subscription-expired.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-subscription-expired.png
index 8fc24beeab..26dc2a5bb3 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-subscription-expired.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-subscription-expired.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-task-manager.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-task-manager.png
index 4c4e057756..6202dd62e0 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-task-manager.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-task-manager.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-threat-protection-reports.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-threat-protection-reports.png
index ddda52b1f0..f64c755ac6 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-threat-protection-reports.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-threat-protection-reports.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-tile-sensor-health.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-tile-sensor-health.png
index e39ee3c1ed..e5c1b21246 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-tile-sensor-health.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-tile-sensor-health.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-time-zone-menu.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-time-zone-menu.png
new file mode 100644
index 0000000000..430d6ce99e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-time-zone-menu.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-pane.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-pane.png
deleted file mode 100644
index b08381baed..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-pane.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-azureatp.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-azureatp.png
index e3f37f7626..7d9ac1d36d 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-azureatp.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-azureatp.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-tdp.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-tdp.png
deleted file mode 100644
index 8822bdf62d..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-tdp.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view.png
deleted file mode 100644
index b0732653d6..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details.png
deleted file mode 100644
index 94c0f5cd1f..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-view-ata.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-view-ata.png
deleted file mode 100644
index 2bea8cb48d..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-view-ata.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-windows-cloud-instance-creation.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-windows-cloud-instance-creation.png
deleted file mode 100644
index 990f12c3c8..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-windows-cloud-instance-creation.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/components.png b/windows/security/threat-protection/microsoft-defender-atp/images/components.png
deleted file mode 100644
index 0ddc52f5d3..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/components.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/creating-account.png b/windows/security/threat-protection/microsoft-defender-atp/images/creating-account.png
deleted file mode 100644
index 54599d4b99..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/creating-account.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/dashboard.png
index a91410b6a2..01aa4c4ac4 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/dashboard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/dashboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/desktop.ini b/windows/security/threat-protection/microsoft-defender-atp/images/desktop.ini
new file mode 100644
index 0000000000..c6b68739d7
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/desktop.ini
@@ -0,0 +1,4 @@
+[LocalizedFileNames]
+atp-mapping7.png=@atp-mapping7,0
+atp-machine-health-details.PNG=@atp-machine-health-details,0
+email-notification.png=@email-notification,0
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/download-file.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/download-file.PNG
new file mode 100644
index 0000000000..fdbbc1cd18
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/download-file.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/email-notification.png b/windows/security/threat-protection/microsoft-defender-atp/images/email-notification.png
deleted file mode 100644
index 1b9875fcad..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/email-notification.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/event-hub-resource-id.png b/windows/security/threat-protection/microsoft-defender-atp/images/event-hub-resource-id.png
new file mode 100644
index 0000000000..a83123905f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/event-hub-resource-id.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/grant-consent.png b/windows/security/threat-protection/microsoft-defender-atp/images/grant-consent.png
new file mode 100644
index 0000000000..0735940d05
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/grant-consent.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/licensing-windows-defender-advanced-threat-protection.png b/windows/security/threat-protection/microsoft-defender-atp/images/licensing-windows-defender-advanced-threat-protection.png
deleted file mode 100644
index 5e14e15378..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/licensing-windows-defender-advanced-threat-protection.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/machine-info-datatype-example.png b/windows/security/threat-protection/microsoft-defender-atp/images/machine-info-datatype-example.png
new file mode 100644
index 0000000000..41c451506b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/machine-info-datatype-example.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-create2.png b/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-create2.png
new file mode 100644
index 0000000000..03c10910cb
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-create2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-select-permissions.png b/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-select-permissions.png
index 2114b14c4d..a2f05155dd 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-select-permissions.png and b/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-select-permissions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/new-secure-score-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/new-secure-score-dashboard.png
index b302d30f54..ca19ec82c4 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/new-secure-score-dashboard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/new-secure-score-dashboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/pending-actions.png b/windows/security/threat-protection/microsoft-defender-atp/images/pending-actions.png
index 8cb0f643a6..74f55f62f5 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/pending-actions.png and b/windows/security/threat-protection/microsoft-defender-atp/images/pending-actions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/run-antivirus.png b/windows/security/threat-protection/microsoft-defender-atp/images/run-antivirus.png
index 773447a838..39895c6e01 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/run-antivirus.png and b/windows/security/threat-protection/microsoft-defender-atp/images/run-antivirus.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/run-as-admin.png b/windows/security/threat-protection/microsoft-defender-atp/images/run-as-admin.png
index f5166b77bc..784902b963 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/run-as-admin.png and b/windows/security/threat-protection/microsoft-defender-atp/images/run-as-admin.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sec-ops-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/sec-ops-dashboard.png
deleted file mode 100644
index f858a4664a..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/sec-ops-dashboard.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_asr_card.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_asr_card.png
new file mode 100644
index 0000000000..dbf9cf07fa
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_asr_card.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_asr_m365exlusions.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_asr_m365exlusions.png
new file mode 100644
index 0000000000..65d9ad6967
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_asr_m365exlusions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_card.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_card.png
new file mode 100644
index 0000000000..c88ea0f49c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_card.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile1.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile1.png
new file mode 100644
index 0000000000..f8147866f5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile1.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png
new file mode 100644
index 0000000000..a6b401f564
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile3.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile3.png
new file mode 100644
index 0000000000..8f88c5899e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile4.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile4.png
new file mode 100644
index 0000000000..2955624a72
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_permissions.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_permissions.png
new file mode 100644
index 0000000000..c97ef90085
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_permissions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_main.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_main.png
new file mode 100644
index 0000000000..551526ae72
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_main.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_1deviceconfprofile.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_1deviceconfprofile.png
new file mode 100644
index 0000000000..097725199f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_1deviceconfprofile.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_2deviceconfprofile.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_2deviceconfprofile.png
new file mode 100644
index 0000000000..7a14844ecd
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_2deviceconfprofile.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_3assignprofile.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_3assignprofile.png
new file mode 100644
index 0000000000..1a2f78c4ea
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_3assignprofile.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_card.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_card.png
new file mode 100644
index 0000000000..331ad032a6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_card.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences.png b/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences.png
index b1b9ba11c9..1b5f4378e8 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences.png and b/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences2.png b/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences2.png
index 083f3a098d..ed1c3f4f2c 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences2.png and b/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ss1.png b/windows/security/threat-protection/microsoft-defender-atp/images/ss1.png
deleted file mode 100644
index ebd17712d6..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/ss1.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-event-schema.png b/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-event-schema.png
new file mode 100644
index 0000000000..d9409e3ab1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-event-schema.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-resource-id.png b/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-resource-id.png
new file mode 100644
index 0000000000..cbd0d20303
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/storage-account-resource-id.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/submit-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/submit-file.png
index 309fd3074c..fea2bf16f9 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/submit-file.png and b/windows/security/threat-protection/microsoft-defender-atp/images/submit-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta.png
index db89f750a7..95ad384e50 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/ta.png and b/windows/security/threat-protection/microsoft-defender-atp/images/ta.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta_dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta_dashboard.png
new file mode 100644
index 0000000000..11d2edcf3e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ta_dashboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-breach-insights.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-breach-insights.png
new file mode 100644
index 0000000000..6407cd8f57
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-breach-insights.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-menu.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-menu.png
new file mode 100644
index 0000000000..aeab8c3b5c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-menu.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-threat-insights.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-threat-insights.png
new file mode 100644
index 0000000000..a40e39c3d0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-threat-insights.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software.png
new file mode 100644
index 0000000000..3ef800afac
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-vuln-globalsearch.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-vuln-globalsearch.png
new file mode 100644
index 0000000000..76af989b3f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-vuln-globalsearch.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-menu.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-menu.png
new file mode 100644
index 0000000000..e210b07bf4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-menu.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png
index 36c8c8b48f..4da702615b 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_dashboard.png
index d321e0ca67..580b189700 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_dashboard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_dashboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_exp_score.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_exp_score.png
new file mode 100644
index 0000000000..301fdf1d11
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_exp_score.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_details.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_details.png
index 6e474ccfa6..2b22b3f8b3 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_details.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_menu.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_menu.png
index eaaa01d3c0..b77c2cb10a 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_menu.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_menu.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png
index 2711f9560e..ec4fa8bc44 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_controls.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_controls.png
index 3dd9ada0c9..ee0608e4b0 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_controls.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_controls.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_recommendations_page.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_recommendations_page.png
index 1ae6f4320d..50736dfe6d 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_recommendations_page.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_recommendations_page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_software_page_details.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_software_page_details.png
index 095eb7424c..a55fa7fdf8 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_software_page_details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_software_page_details.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/wdatp-pillars.png b/windows/security/threat-protection/microsoft-defender-atp/images/wdatp-pillars.png
deleted file mode 100644
index 06ad5e6ed2..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/wdatp-pillars.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/wdsc.png b/windows/security/threat-protection/microsoft-defender-atp/images/wdsc.png
deleted file mode 100644
index 3cd583ed74..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/wdsc.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-2.png
deleted file mode 100644
index 8123965c84..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-2.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-end.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-end.png
deleted file mode 100644
index 40f15eb65a..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-end.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-readalerts.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-readalerts.png
deleted file mode 100644
index 2872b71881..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-readalerts.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission.png
deleted file mode 100644
index 38e98ce07d..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-app-id1.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-app-id1.png
deleted file mode 100644
index 4c058c2f93..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-app-id1.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key.png
deleted file mode 100644
index 4ddb1fae83..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key2.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key2.png
new file mode 100644
index 0000000000..99339be6a7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create.png
deleted file mode 100644
index dea9d8493d..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-edit-multitenant.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-edit-multitenant.png
deleted file mode 100644
index 47203a8151..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-edit-multitenant.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-edit-settings.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-edit-settings.png
deleted file mode 100644
index 1b8396b50e..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-edit-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-get-appid.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-get-appid.png
deleted file mode 100644
index 103081f82c..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-get-appid.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-grant-permissions.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-grant-permissions.png
deleted file mode 100644
index b7c7e0926f..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-grant-permissions.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-select-permission.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-select-permission.png
deleted file mode 100644
index 8edc069eaf..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-select-permission.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/welcome1.png b/windows/security/threat-protection/microsoft-defender-atp/images/welcome1.png
index 7a52f49989..98886ae426 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/welcome1.png and b/windows/security/threat-protection/microsoft-defender-atp/images/welcome1.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard-boot-time-integrity.png b/windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard-boot-time-integrity.png
deleted file mode 100644
index 1761e2e539..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard-boot-time-integrity.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard-validate-system-integrity.png b/windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard-validate-system-integrity.png
deleted file mode 100644
index fbd6a798b0..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard-validate-system-integrity.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
index feddd27cd5..ee65c7302f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
@@ -50,10 +50,10 @@ Sensitive information types in the Office 365 data loss prevention (DLP) impleme
Default sensitive information types include information such as bank account numbers, social security numbers, or national IDs. For more information, see [What the sensitive information type look for](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for).
-Custom types are ones that you define and is designed to protect a different type of sensitive information (for example, employee IDs or project numbers). For more information see, [Create a custom sensitive information type](https://docs.microsoft.com/en-us/office365/securitycompliance/create-a-custom-sensitive-information-type).
+Custom types are ones that you define and is designed to protect a different type of sensitive information (for example, employee IDs or project numbers). For more information see, [Create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type).
-When a file is created or edited on a Windows device, Windows Defender ATP scans the content to evaluate if it contains sensitive information.
+When a file is created or edited on a Windows device, Microsoft Defender ATP scans the content to evaluate if it contains sensitive information.
Turn on the Azure Information Protection integration so that when a file that contains sensitive information is discovered by Microsoft Defender ATP though labels or information types, it is automatically forwarded to Azure Information Protection from the device.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
index 275fc11cea..11e43b707c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
@@ -28,15 +28,14 @@ ms.date: 04/24/2018
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatealerts-abovefoldlink)
-Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
+Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
-Click an alert to see the alert details view and the various tiles that provide information about the alert.
+Click an alert to see the alert details view and the various tiles that provide information about the alert.
-You can also manage an alert and see alert metadata along with other information that can help you make better decisions on how to approach them. You'll also see a status of the automated investigation on the upper right corner. Clicking on the link will take you to the Automated investigations view. For more information, see [Automated investigations](automated-investigations.md).
+You can also manage an alert and see alert metadata along with other information that can help you make better decisions on how to approach them. You'll also see a status of the automated investigation on the upper right corner. Clicking on the link will take you to the Automated investigations view. For more information, see [Automated investigations](automated-investigations.md).
-
The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click on the icon beside the name or user account to bring up the machine or user details pane. The alert details view also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set of recommended actions which you can expand.
For more information about managing alerts, see [Manage alerts](manage-alerts.md).
@@ -49,7 +48,7 @@ Alerts attributed to an adversary or actor display a colored tile with the actor
-Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, their tools, tactics, and processes (TTPs) and areas where they've been observed worldwide. You will also see a set of recommended actions to take.
+Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, their tools, tactics, and processes (TTPs), and areas where they've been observed worldwide. You will also see a set of recommended actions to take.
Some actor profiles include a link to download a more comprehensive threat intelligence report.
@@ -86,14 +85,14 @@ The **Incident Graph** expansion by destination IP Address, shows the organizati
You can click the full circles on the incident graph to expand the nodes and view the expansion to other machines where the matching criteria were observed.
## Artifact timeline
-The **Artifact timeline** feature provides an addition view of the evidence that triggered the alert on the machine, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the machine. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the machine earlier - without triggering an alert.
+The **Artifact timeline** feature provides an additional view of the evidence that triggered the alert on the machine, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the machine. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the machine earlier - without triggering an alert.
Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization.
## Related topics
-- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md)
+- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
index 283772ed84..8268c3ce96 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
@@ -39,17 +39,31 @@ You can see information from the following sections in the URL view:
- URL in organization
- Most recent observed machines with URL
-## URL Worldwide
-The URL details, contacts, and nameservers sections display various attributes about the URL.
+## URL worldwide
-## Alerts related to this URL
-The **Alerts related to this URL** section provides a list of alerts that are associated with the URL.
+The **URL Worldwide** section lists the URL, a link to further details at Whois, the number of related open incidents, and the number of active alerts.
-## URL in organization
-The **URL in organization** section provides details on the prevalence of the URL in the organization.
+## Incident
-## Most recent observed machinew with URL
-The **Most recent observed machinew with URL** section provides a chronological view on the events and associated alerts that were observed on the URL.
+The **Incident** card displays a bar chart of all active alerts in incidents over the past 180 days.
+
+## Prevalence
+
+The **Prevalence** card provides details on the prevalence of the URL within the organization, over a specified period of time.
+
+Although the default time period is the past 30 days, you can customize the range by selecting the downward-pointing arrow in the corner of the card. The shortest range available is for prevalence over the past day, while the longest range is over the past 6 months.
+
+## Alerts
+
+The **Alerts** tab provides a list of alerts that are associated with the URL. The table shown here is a filtered version of the alerts visible on the Alert queue screen, showing only alerts associated with the domain, their severity, status, the associated incident, classification, investigation state, and more.
+
+The Alerts tab can be adjusted to show more or less information, by selecting **Customize columns** from the action menu above the column headers. The number of items displayed can also be adjusted, by selecting **items per page** on the same menu.
+
+## Observed in organization
+
+The **Observed in organization** tab provides a chronological view on the events and associated alerts that were observed on the URL. This tab includes a timeline and a customizable table listing event details, such as the time, machine, and a brief description of what happened.
+
+You can view events from different periods of time by entering the dates into the text fields above the table headers. You can also customize the time range by selecting different areas of the timeline.
**Investigate a domain:**
@@ -60,7 +74,7 @@ The **Most recent observed machinew with URL** section provides a chronological
5. Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.
## Related topics
-- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md)
+- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
index fc752990fc..aa344ebf81 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
@@ -17,58 +17,89 @@ ms.collection: M365-security-compliance
ms.topic: article
ms.date: 04/24/2018
---
+
# Investigate a file associated with a Microsoft Defender ATP alert
**Applies to:**
-
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+[!include[Prerelease information](prerelease.md)]
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink)
Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
-You can investigate files by using the search feature, clicking on a link from the **Alert process tree**, **Incident graph**, **Artifact timeline**, or from an event listed in the **Machine timeline**.
+There are many ways to access the detailed profile page of a specific file. For example, you can use the search feature, click on a link from the **Alert process tree**, **Incident graph**, **Artifact timeline**, or select an event listed in the **Machine timeline**.
+
+Once on the detailed profile page, you can switch between the new and old page layouts by toggling **new File page**. The rest of this article describes the newer page layout.
You can get information from the following sections in the file view:
-- File details, Malware detection, Prevalence worldwide
+- File details, Malware detection, File prevalence
- Deep analysis
-- Alerts related to this file
-- File in organization
-- Most recent observed machines with file
+- Alerts
+- Observed in organization
+- Deep analysis
+- File names
-## File worldwide and Deep analysis
-The file details, malware detection, and prevalence worldwide sections display various attributes about the file. You’ll see actions you can take on the file. For more information on how to take action on a file, see [Take response action on a file](respond-file-alerts.md).
+You can also take action on a file from this page.
-You'll see details such as the file’s MD5, the VirusTotal detection ratio and Windows Defender AV detection if available, and the file’s prevalence worldwide. You'll also be able to [submit a file for deep analysis](respond-file-alerts.md#deep-analysis).
+## File actions
+
+Along the top of the profile page, above the file information cards. Actions you can perform here include:
+
+- Stop and quarantine
+- Add/edit indicator
+- Download file
+- Action center
+
+For more information on these actions, see [Take response action on a file](respond-file-alerts.md).
+
+## File details, Malware detection, and File prevalence
+
+The file details, incident, malware detection, and file prevalence cards display various attributes about the file.
+
+You'll see details such as the file’s MD5, the Virus Total detection ratio, and Windows Defender AV detection if available, and the file’s prevalence, both worldwide and within your organizations.
-## Alerts related to this file
-The **Alerts related to this file** section provides a list of alerts that are associated with the file. This list is a simplified version of the Alerts queue, and shows the date when the last activity was detected, a short description of the alert, the user associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert.
+## Alerts
+
+The **Alerts** tab provides a list of alerts that are associated with the file. This list covers much of the same information as the Alerts queue, except for the machine group, if any, the affected machine belongs to. You can choose what kind of information is shown by selecting **Customize columns** from the toolbar above the column headers.
-## File in organization
-The **File in organization** section provides details on the prevalence of the file, prevalence in email inboxes and the name observed in the organization.
+## Observed in organization
-
+The **Observed in organization** tab allows you to specify a date range to see which devices have been observed with the file.
-## Most recent observed machines with the file
-The **Most recent observed machines with the file** section allows you to specify a date range to see which machines have been observed with the file.
+>[!NOTE]
+>This tab will show a maximum number of 100 machines. To see _all_ devices with the file, export the tab to a CSV file, by selecting **Export** from the action menu above the tab's column headers.
-This allows for greater accuracy in defining entities to display such as if and when an entity was observed in the organization. For example, if you’re trying to identify the origin of a network communication to a certain IP Address within a 10-minute period on a given date, you can specify that exact time interval, and see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching.
+Use the slider or the range selector to quickly specify a time period that you want to check for events involving the file. You can specify a time window as small as a single day. This will allow you to see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching.
+
+## Deep analysis
+
+The **Deep analysis** tab allows you to [submit the file for deep analysis](respond-file-alerts.md#deep-analysis), to uncover more details about the the file's behavior, as well as the effect it is having within your organizations. After you submit the file, the deep analysis report will appear in this tab once results are available. If deep analysis did not find anything, the report will be empty and the results space will remain blank.
+
+
+
+## File names
+
+The **File names** tab lists all names the file has been observed to use, within your organizations.
+
+
## Related topics
-- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md)
+
+- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md)
- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md)
- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md)
-- [Investigate a user account in Microsoft Defender ATP](investigate-user.md)
\ No newline at end of file
+- [Investigate a user account in Microsoft Defender ATP](investigate-user.md)
+- [Take response actions on a file](respond-file-alerts.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
index cddaa7e5f6..acff32cc9b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
@@ -25,6 +25,11 @@ ms.topic: article
Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them.
+When you investigate an incident, you'll see:
+- Incident details
+- Incident comments and actions
+- Tabs (alerts, machines, investigations, evidence, graph)
+
## Analyze incident details
Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, machines, investigations, evidence, graph).
@@ -40,8 +45,6 @@ Alerts are grouped into incidents based on the following reasons:
- Same file - The files associated with the alert are exactly the same
- Same URL - The URL that triggered the alert is exactly the same
-
-
You can also manage an alert and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
index fda84c5cce..4f3711af17 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
@@ -17,15 +17,13 @@ ms.collection: M365-security-compliance
ms.topic: article
ms.date: 04/24/2018
---
+
# Investigate an IP address associated with a Microsoft Defender ATP alert
**Applies to:**
-
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
Examine possible communication between your machines and external internet protocol (IP) addresses.
@@ -34,22 +32,31 @@ Identifying all machines in the organization that communicated with a suspected
You can find information from the following sections in the IP address view:
-- IP worldwide, Reverse DNS names
+- IP worldwide
+- Reverse DNS names
- Alerts related to this IP
- IP in organization
-- Most recent observed machines with IP
+- Prevalence
## IP Worldwide and Reverse DNS names
+
The IP address details section shows attributes of the IP address such as its ASN and its Reverse DNS names.
## Alerts related to this IP
-The **Alerts related to this IP** section provides a list of alerts that are associated with the IP.
+
+The **Alerts related to this IP** section provides a list of alerts that are associated with the IP.
## IP in organization
+
The **IP in organization** section provides details on the prevalence of the IP address in the organization.
+## Prevalence
+
+The **Prevalence** section displays how many machines have connected to this IP address, and when the IP was first and last seen. You can filter the results of this section by time period; the default period is 30 days.
+
## Most recent observed machines with IP
-The **Most recent observed machines with IP** section provides a chronological view on the events and associated alerts that were observed on the IP address.
+
+The **Most recent observed machines** with IP section provides a chronological view on the events and associated alerts that were observed on the IP address.
**Investigate an external IP:**
@@ -67,7 +74,8 @@ Use the search filters to define the search criteria. You can also use the timel
Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.
## Related topics
-- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md)
+
+- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
index 7d7bd87571..216cc284d1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
@@ -20,11 +20,12 @@ ms.topic: article
# Investigate machines in the Microsoft Defender ATP Machines list
**Applies to:**
+
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
-Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of breach.
+Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of the breach.
You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas:
@@ -61,41 +62,42 @@ Response actions run along the top of a specific machine page and include:
- Isolate machine
- Action center
-You can take response actions in the action center, in a specific machine page, or in a specific file page.
+You can take response actions in the Action center, in a specific machine page, or in a specific file page.
For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts.md).
- For more information, see [Investigate user entities](investigate-user.md).
+For more information, see [Investigate user entities](investigate-user.md).
+
## Cards
### Active alerts
-If you have enabled the Azure ATP feature and there are alerts related to the machine, you can view a high level overview of the alerts and risk level. More information is available in the "Alerts" drill down.
+The **Azure Advanced Threat Protection** card will display a high-level overview of alerts related to the machine and their risk level, if you have enabled the Azure ATP feature, and there are any active alerts. More information is available in the "Alerts" drill down.
-
+
>[!NOTE]
>You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md).
### Logged on users
-The "Logged on users" tile shows the amount of users who have logged on in the past 30 days, along with the most and least frequent users. Selecting the "See all users" link opens the details pane that displays information such as user type, logon type, and first/last seen. For more information, see [Investigate user entities](investigate-user.md).
+The **Logged on users** card shows how many users have logged on in the past 30 days, along with the most and least frequent users. Selecting the "See all users" link opens the details pane, which displays information such as user type, log on type, and when the user was first and last seen. For more information, see [Investigate user entities](investigate-user.md).
### Security assessments
-The Security assessments tile shows the overall exposure level, security recommendations, installed software, and discovered vulnerabilities. A machine's exposure level is determined by the cumulative impact of it's pending security recommendations.
+The **Security assessments** card shows the overall exposure level, security recommendations, installed software, and discovered vulnerabilities. A machine's exposure level is determined by the cumulative impact of its pending security recommendations.
-
+
## Tabs
-The five tabs under the cards section show relevant security and threat prevention information related to the machine. In every tab, you can customize the columns that are shown.
+The five tabs under the cards section show relevant security and threat prevention information related to the machine. In each tab, you can customize the columns that are shown by selecting **Customize columns** from the bar above the column headers.
### Alerts
-The **Alerts** section provides a list of alerts that are associated with the machine. This list is a filtered version of the [Alerts queue](alerts-queue.md), and shows a short description of the alert, severity (high, medium, low, informational), status in the queue (new, in progress, resolved), classification (not set, false alert, true alert), investigation state, category of alert, who is addressing the alert, and last activity. You can also filter the alerts and customize the columns.
+The **Alerts** section provides a list of alerts that are associated with the machine. This list is a filtered version of the [Alerts queue](alerts-queue.md), and shows a short description of the alert, severity (high, medium, low, informational), status in the queue (new, in progress, resolved), classification (not set, false alert, true alert), investigation state, category of alert, who is addressing the alert, and last activity. You can also filter the alerts.
@@ -112,6 +114,7 @@ Timeline also enables you to selectively drill down into events that occurred wi
>[!NOTE]
> For firewall events to be displayed, you'll need to enable the audit policy, see [Audit Filtering Platform connection](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-filtering-platform-connection).
>Firewall covers the following events
+>
>- [5025](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5025) - firewall service stopped
>- [5031](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5031) - application blocked from accepting incoming connections on the network
>- [5157](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5157) - blocked connection
@@ -142,13 +145,13 @@ You can also use the [Artifact timeline](investigate-alerts.md#artifact-timeline
### Security recommendations
-**Security recommendations** are generated from Microsoft Defender ATP's [Threat & Vulnerability Management](tvm-dashboard-insights.md) capability. Selecting a recommendation will show a panel where you can view relevant details such as description of the recommendation and the potential risks associated with not enacting it.
+**Security recommendations** are generated from Microsoft Defender ATP's [Threat & Vulnerability Management](tvm-dashboard-insights.md) capability. Selecting a recommendation will show a panel where you can view relevant details such as description of the recommendation and the potential risks associated with not enacting it. See [Security recommendation](tvm-security-recommendation.md) for details.
### Software inventory
-The **Software inventory** section lets you view software on the device, along with any weaknesses or threats. Selecting the name of the software will take you to the software details page where you can view security recommendations, discovered vulnerabilities, installed machines, and version distribution.
+The **Software inventory** section lets you view software on the device, along with any weaknesses or threats. Selecting the name of the software will take you to the software details page where you can view security recommendations, discovered vulnerabilities, installed machines, and version distribution. See [Software inventory](tvm-software-inventory.md) for details
@@ -159,10 +162,13 @@ The **Discovered vulnerabilities** section shows the name, severity, and threat
## Related topics
-- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md)
+
+- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md)
- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md)
- [Investigate a user account in Microsoft Defender ATP](investigate-user.md)
+- [Security recommendation](tvm-security-recommendation.md)
+- [Software inventory](tvm-software-inventory.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
index 69493fe5ec..4ef33de1cf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
@@ -23,14 +23,14 @@ ms.date: 04/24/2018
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatgeuser-abovefoldlink)
## Investigate user account entities
+
Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or machine to identify possible lateral movement between machines with that user account.
You can find user account information in the following views:
+
- Dashboard
- Alert queue
- Machine details page
@@ -38,34 +38,39 @@ You can find user account information in the following views:
A clickable user account link is available in these views, that will take you to the user account details page where more details about the user account are shown.
When you investigate a user account entity, you'll see:
+
- User account details, Azure Advanced Threat Protection (Azure ATP) alerts, and Logged on machines
- Alerts related to this user
- Observed in organization (machines logged on to)
-**User details**
-The user account entity details, Azure ATP alerts, and logged on machines sections display various attributes about the user account.
+The user account details, Azure ATP alerts, and logged on machines cards display various attributes about the user account.
-The user entity tile provides details about the user such as when the user was first and last seen. Depending on the integration features you enable, you'll see other details. For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal.
+### User details
-**Azure Advanced Threat Protection**
-If you have enabled the Azure ATP feature and there are alerts related to the user, you can click on the link that will take you to the Azure ATP page where more information about the alerts are provided. The Azure ATP tile also provides details such as the last AD site, total group memberships, and login failure associated with the user.
+The **User details** card provides information about the user, such as when the user was first and last seen. Depending on the integration features you've enabled, you'll see other details. For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal.
+
+### Azure Advanced Threat Protection
+
+The **Azure Advanced Threat Protection** card will contain a link that will take you to the Azure ATP page, if you have enabled the Azure ATP feature, and there are alerts related to the user. The Azure ATP page will provide more information about the alerts. This card also provides details such as the last AD site, total group memberships, and login failure associated with the user.
>[!NOTE]
>You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md).
-**Logged on machines**
-You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine.
+### Logged on machines
+The **Logged on machines** card shows a list of the machines that the user has logged on to. You can expand these to see details of the log-on events for each machine.
## Alerts related to this user
-This section provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert.
+
+The **Alerts related to this user** section provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert.
## Observed in organization
-This section allows you to specify a date range to see a list of machines where this user was observed logged on to, and the most frequent and least frequent logged on user account on each of these machines.
-The machine health state is displayed in the machine icon and color as well as in a description text. Clicking on the icon displays additional details regarding machine health.
+The **Observed in organization** section allows you to specify a date range to see a list of machines where this user was observed logged on to, the most frequent and least frequent logged on user account for each of these machines, and total observed users on each machine.
+
+Selecting an item on the Observed in organization table will expand the item, revealing more details about the machine. Directly selecting a link within an item will send you to the corresponding page.
@@ -78,6 +83,7 @@ The machine health state is displayed in the machine icon and color as well as i
A list of users matching the query text is displayed. You'll see the user account's domain and name, when the user account was last seen, and the total number of machines it was observed logged on to in the last 30 days.
You can filter the results by the following time periods:
+
- 1 day
- 3 days
- 7 days
@@ -85,11 +91,11 @@ You can filter the results by the following time periods:
- 6 months
## Related topics
-- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md)
+
+- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md)
- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md)
- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/licensing.md b/windows/security/threat-protection/microsoft-defender-atp/licensing.md
index 934b929def..d96d8546ea 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/licensing.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/licensing.md
@@ -30,15 +30,16 @@ ms.topic: article
Checking for the license state and whether it got properly provisioned, can be done through the **Office 365 admin center** or through the **Microsoft Azure portal**.
-1. In the **Office 365 admin center** navigate to **Billing** > **Subscriptions**.
+1. To view your licenses go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products).
+
+ 
+
+1. Alternately, in the **Office 365 admin center**, navigate to **Billing** > **Subscriptions**.
- On the screen you will see all the provisioned licenses and their current **Status**.
-2. To view your licenses go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products).
-
- 
## Cloud Service Provider validation
@@ -103,8 +104,6 @@ When accessing [Microsoft Defender Security Center](https://SecurityCenter.Windo
5. A dedicated cloud instance of Microsoft Defender Security Center is being created at this time. This step will take an average of 5 minutes to complete.
- 
-
6. You are almost done. Before you can start using Microsoft Defender ATP you'll need to:
- [Onboard Windows 10 machines](configure-endpoints.md)
@@ -119,8 +118,6 @@ When accessing [Microsoft Defender Security Center](https://SecurityCenter.Windo
7. After onboarding machines you can click **Start using Microsoft Defender ATP**. You will now launch Microsoft Defender ATP for the first time.
- 
-
## Related topics
- [Onboard machines to the Microsoft Defender Advanced Threat Protection service](onboard-configure.md)
- [Troubleshoot onboarding process and portal access issues](troubleshoot-onboarding-error-messages.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
index 149999abec..89649bba47 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
@@ -1,212 +1,225 @@
----
-title: Live response command examples
-description: Learn about common commands and see examples on how it's used
-keywords: example, command, cli, remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Live response command examples
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
-
-Learn about common commands used in live response and see examples on how they are typically used.
-
-Depending on the role that's been granted to you, you can run basic or advanced live response commands. For more information on basic and advanced commands, see [Investigate entities on machines using live response](live-response.md).
-
-
-## analyze
-
-```
-# Analyze the file malware.txt
-analyze file c:\Users\user\Desktop\malware.txt
-```
-
-```
-# Analyze the process by PID
-analyze process 1234
-```
-
-## connections
-
-```
-# List active connections in json format using parameter name
-connections -output json
-```
-
-```
-# List active connections in json format without parameter name
-connections json
-```
-
-## dir
-
-```
-# List files and sub-folders in the current folder
-dir
-```
-
-```
-# List files and sub-folders in a specific folder
-dir C:\Users\user\Desktop\
-```
-
-```
-# List files and subfolders in the current folder in json format
-dir -output json
-```
-
-## fileinfo
-
-```
-# Display information about a file
-fileinfo C:\Windows\notepad.exe
-```
-
-## findfile
-
-```
-# Find file by name
-findfile test.txt
-```
-
-## getfile
-
-```
-# Download a file from a machine
-getfile c:\Users\user\Desktop\work.txt
-```
-
-```
-# Download a file from a machine, automatically run prerequisite commands
-getfile c:\Users\user\Desktop\work.txt -auto
-```
-
-## processes
-```
-# Show all processes
-processes
-```
-
-```
-# Get process by pid
-processes 123
-```
-
-```
-# Get process by pid with argument name
-processes -pid 123
-```
-
-```
-# Get process by name
-processes -name notepad.exe
-```
-
-## putfile
-
-```
-# Upload file from library
-putfile get-process-by-name.ps1
-```
-
-```
-# Upload file from library, overwrite file if it exists
-putfile get-process-by-name.ps1 -overwrite
-```
-
-```
-# Upload file from library, keep it on the machine after a restart
-putfile get-process-by-name.ps1 -keep
-```
-
-## registry
-
-```
-# Show information about the values in a registry key
-registry HKEY_CURRENT_USER\Console
-```
-
-```
-# Show information about a specific registry value
-registry HKEY_CURRENT_USER\Console\\ScreenBufferSize
-```
-
-
-## remediate
-
-```
-# Remediate file in specific path
-remediate file c:\Users\user\Desktop\malware.exe
-```
-
-```
-# Remediate process with specific PID
-remediate process 7960
-```
-
-```
-# See list of all remediated entities
-remediate list
-```
-
-## run
-
-```
-# Run PowerShell script from the library without arguments
-run script.ps1
-```
-
-```
-# Run PowerShell script from the library with arguments
-run get-process-by-name.ps1 -parameters "-processName Registry"
-```
-
-## scheduledtask
-
-```
-# Get all scheduled tasks
-scheduledtasks
-```
-
-```
-# Get specific scheduled task by location and name
-scheduledtasks Microsoft\Windows\Subscription\LicenseAcquisition
-```
-
-```
-# Get specific scheduled task by location and name with spacing
-scheduledtasks "Microsoft\Configuration Manager\Configuration Manager Health Evaluation"
-```
-
-
-## undo
-
-```
-# Restore remediated registry
-undo registry HKEY_CURRENT_USER\Console\ScreenBufferSize
-```
-
-```
-# Restore remediated scheduledtask
-undo scheduledtask Microsoft\Windows\Subscription\LicenseAcquisition
-```
-
-```
-# Restore remediated file
-undo file c:\Users\user\Desktop\malware.exe
-```
-
+---
+title: Live response command examples
+description: Learn about common commands and see examples on how it's used
+keywords: example, command, cli, remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Live response command examples
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+
+
+Learn about common commands used in live response and see examples on how they are typically used.
+
+Depending on the role that's been granted to you, you can run basic or advanced live response commands. For more information on basic and advanced commands, see [Investigate entities on machines using live response](live-response.md).
+
+
+## analyze
+
+```
+# Analyze the file malware.txt
+analyze file c:\Users\user\Desktop\malware.txt
+```
+
+```
+# Analyze the process by PID
+analyze process 1234
+```
+
+## connections
+
+```
+# List active connections in json format using parameter name
+connections -output json
+```
+
+```
+# List active connections in json format without parameter name
+connections json
+```
+
+## dir
+
+```
+# List files and sub-folders in the current folder
+dir
+```
+
+```
+# List files and sub-folders in a specific folder
+dir C:\Users\user\Desktop\
+```
+
+```
+# List files and subfolders in the current folder in json format
+dir -output json
+```
+
+## fileinfo
+
+```
+# Display information about a file
+fileinfo C:\Windows\notepad.exe
+```
+
+## findfile
+
+```
+# Find file by name
+findfile test.txt
+```
+
+## getfile
+
+```
+# Download a file from a machine
+getfile c:\Users\user\Desktop\work.txt
+```
+
+```
+# Download a file from a machine, automatically run prerequisite commands
+getfile c:\Users\user\Desktop\work.txt -auto
+```
+
+>[!NOTE]
+>
+> The following file types **cannot** be downloaded using this command from within Live Response:
+>
+> * [Reparse point files](/windows/desktop/fileio/reparse-points/)
+> * [Sparse files](/windows/desktop/fileio/sparse-files/)
+> * Empty files
+> * Virtual files, or files that are not fully present locally
+>
+> These file types **are** supported by [PowerShell](/powershell/scripting/overview?view=powershell-6/).
+>
+> Use PowerShell as an alternative, if you have problems using this command from within Live Response.
+
+## processes
+```
+# Show all processes
+processes
+```
+
+```
+# Get process by pid
+processes 123
+```
+
+```
+# Get process by pid with argument name
+processes -pid 123
+```
+
+```
+# Get process by name
+processes -name notepad.exe
+```
+
+## putfile
+
+```
+# Upload file from library
+putfile get-process-by-name.ps1
+```
+
+```
+# Upload file from library, overwrite file if it exists
+putfile get-process-by-name.ps1 -overwrite
+```
+
+```
+# Upload file from library, keep it on the machine after a restart
+putfile get-process-by-name.ps1 -keep
+```
+
+## registry
+
+```
+# Show information about the values in a registry key
+registry HKEY_CURRENT_USER\Console
+```
+
+```
+# Show information about a specific registry value
+registry HKEY_CURRENT_USER\Console\\ScreenBufferSize
+```
+
+
+## remediate
+
+```
+# Remediate file in specific path
+remediate file c:\Users\user\Desktop\malware.exe
+```
+
+```
+# Remediate process with specific PID
+remediate process 7960
+```
+
+```
+# See list of all remediated entities
+remediate list
+```
+
+## run
+
+```
+# Run PowerShell script from the library without arguments
+run script.ps1
+```
+
+```
+# Run PowerShell script from the library with arguments
+run get-process-by-name.ps1 -parameters "-processName Registry"
+```
+
+## scheduledtask
+
+```
+# Get all scheduled tasks
+scheduledtasks
+```
+
+```
+# Get specific scheduled task by location and name
+scheduledtasks Microsoft\Windows\Subscription\LicenseAcquisition
+```
+
+```
+# Get specific scheduled task by location and name with spacing
+scheduledtasks "Microsoft\Configuration Manager\Configuration Manager Health Evaluation"
+```
+
+
+## undo
+
+```
+# Restore remediated registry
+undo registry HKEY_CURRENT_USER\Console\ScreenBufferSize
+```
+
+```
+# Restore remediated scheduledtask
+undo scheduledtask Microsoft\Windows\Subscription\LicenseAcquisition
+```
+
+```
+# Restore remediated file
+undo file c:\Users\user\Desktop\malware.exe
+```
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
index 358e414a2d..d3ed3224e5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
@@ -1,255 +1,255 @@
----
-title: Investigate entities on machines using live response in Microsoft Defender ATP
-description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real-time.
-keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file,
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Investigate entities on machines using live response
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](prerelease.md)]
-
-
-Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time.
-
-Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
-
-With live response, analysts will have the ability to:
-- Run basic and advanced commands to do investigative work
-- Download files such as malware samples and outcomes of PowerShell scripts
-- Upload a PowerShell script or executable to the library and run it on the machine from a tenant level
-- Take or undo remediation actions
-
-
-## Before you begin
-Before you can initiate a session on a machine, make sure you fulfill the following requirements:
-
-- Machines must be Windows 10, version 18323 (also known as Windows 10 19H1) or later.
-
-- **Enable live response from the settings page**
-You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page.
-
- >[!NOTE]
- >Only users with manage security or global admin roles can edit these settings.
-
-- **Enable live response unsigned script execution** (optional)
-
- >[!WARNING]
- >Allowing the use of unsigned scripts may increase your exposure to threats.
-
- Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
-
-- **Ensure that you have the appropriate permissions**
- Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments see, [Create and manage roles](user-roles.md).
-
- Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permission are controlled by RBAC custom role.
-
-## Live response dashboard overview
-When you initiate a live response session on a machine, a dashboard opens. The dashboard provides information about the session such as:
-
-- Who created the session
-- When the session started
-- The duration of the session
-
-The dashboard also gives you access to:
-- Disconnect session
-- Upload files to the library
-- Command console
-- Command log
-
-
-## Initiate a live response session on a machine
-
-1. Log in to Microsoft Defender Security Center.
-2. Navigate to the machines list page and select a machine to investigate. The machine page opens.
-
- >[!NOTE]
- >Machines must be on Windows 10, version 18323 (also known as Windows 10 19H1) or later.
-
-2. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the machine.
-3. Use the built-in commands to do investigative work. For more information see, [Live response commands](#live-response-commands).
-4. After completing your investigation, select **Disconnect session**, then select **Confirm**.
-
-
-
-## Live response commands
-Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments see, [Create and manage roles](user-roles.md).
-
-### Basic commands
-The following commands are available for user roles that's been granted the ability to run **basic** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md).
-
-Command | Description
-:---|:---|:---
-cd | Changes the current directory.
-cls | Clears the console screen.
-connect | Initiates a live response session to the machine.
-connections | Shows all the active connections.
-dir | Shows a list of files and subdirectories in a directory
-drivers | Shows all drivers installed on the machine.
-fileinfo | Get information about a file.
-findfile | Locates files by a given name on the machine.
-help | Provides help information for live response commands.
-persistence | Shows all known persistence methods on the machine.
-processes | Shows all processes running on the machine.
-registry | Shows registry values.
-scheduledtasks| Shows all scheduled tasks on the machine.
-services | Shows all services on the machine.
-trace | Sets the terminal's logging mode to debug.
-
-
-### Advanced commands
-The following commands are available for user roles that's been granted the ability to run **advanced** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md).
-
-Command | Description
-:---|:---
-analyze | Analyses the entity with various incrimination engines to reach a verdict.
-getfile | Gets a file from the machine.
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `getfile` to automatically run the prerequisite command.
-run | Runs a PowerShell script from the library on the machine.
-library | Lists files that were uploaded to the live response library.
-putfile | Puts a file from the library to the machine. Files are saved in a working folder and are deleted when the machine restarts by default.
-remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type:
- File: delete
- Process: stop, delete image file
- Service: stop, delete image file
- Registry entry: delete
- Scheduled task: remove
- Startup folder item: delete file
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `remediate` to automatically run the prerequisite command.
-undo | Restores an entity that was remediated.
-
-
-## Use live response commands
-The commands that you can use in the console follow similar principles as [Windows Commands](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/windows-commands#BKMK_c).
-
-The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the machine, and take remediation actions on an entity.
-
-### Get a file from the machine
-For scenarios when you'd like get a file from a machine you're investigating, you can use the `getfile` command. This allows you to save the file from the machine for further investigation.
-
->[!NOTE]
->There is a file size limit of 750mb.
-
-### Put a file in the library
-Live response has a library where you can put files into. The library stores files (such as scripts) that can be run in a live response session at the tenant level.
-
-Live response allows PowerShell scripts to run, however you must first put the files into the library before you can run them.
-
-You can have a collection of PowerShell scripts that can run on machines that you initiate live response sessions with.
-
-**To upload a file in the library:**
-1. Click **Upload file to library**.
-2. Click **Browse** and select the file.
-3. Provide a brief description.
-4. Specify if you'd like to overwrite a file with the same name.
-5. If you'd like to be know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description.
-6. Click **Confirm**.
-7. (Optional) To verify that the file was uploaded to the library, run the `library` command.
-
-
-### Cancel a command
-Anytime during a session, you can cancel a command by pressing CTRL + C.
-
->[!WARNING]
->Using this shortcut will not stop the command in the agent side. It will only cancel the command in the portal. So, changing operations such as "remediate" may continue, while the command is canceled.
-
-
-
-### Automatically run prerequisite commands
-Some commands have prerequisite commands to run. If you don't run the prerequisite command, you'll get an error. For example, running the `download` command without `fileinfo` will return an error.
-
-You can use the auto flag to automatically run prerequisite commands, for example:
-
-```
-getfile c:\Users\user\Desktop\work.txt -auto
-```
-
-
-## Run a PowerShell script
-Before you can run a PowerShell script, you must first upload it to the library.
-
-After uploading the script to the library, use the `run` command to run the script.
-
-If you plan to use an unsigned script in the session, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
-
->[!WARNING]
->Allowing the use of unsigned scripts may increase your exposure to threats.
-
-
-
-## Apply command parameters
-- View the console help to learn about command parameters. To learn about an individual command, run:
-
- `help `
-
-- When applying parameters to commands, note that parameters are handled based on a fixed order:
-
- ` param1 param2`
-
-- When specifying parameters outside of the fixed order, specify the name of the parameter with a hyphen before providing the value:
-
- ` -param2_name param2`
-
-- When using commands that have prerequisite commands, you can use flags:
-
- ` -type file -id - auto` or `remediate file - auto`.
-
-
-
-## Supported output types
-Live response supports table and JSON format output types. For each command, there's a default output behavior. You can modify the output in your preferred output format using the following commands:
-
-- `-output json`
-- `-output table`
-
->[!NOTE]
->Fewer fields are shown in table format due to the limited space. To see more details in the output, you can use the JSON output command so that more details are shown.
-
-
-## Supported output pipes
-Live response supports output piping to CLI and file. CLI is the default output behavior. You can pipe the output to a file using the following command: [command] > [filename].txt.
-
-Example:
-
-```
-processes > output.txt
-```
-
-
-
-## View the command log
-Select the **Command log** tab to see the commands used on the machine during a session.
-Each command is tracked with full details such as:
-- ID
-- Command line
-- Duration
-- Status and input or output side bar
-
-
-
-
-## Limitations
-- Live response sessions are limited to 10 live response sessions at a time
-- Large scale command execution is not supported
-- A user can only initiate one session at a time
-- A machine can only be in one session at a time
-- There is a file size limit of 750mb when downloading files from a machine
-
-## Related topic
-- [Live response command examples](live-response-command-examples.md)
-
-
-
-
-
-
-
-
-
+---
+title: Investigate entities on machines using live response in Microsoft Defender ATP
+description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real-time.
+keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file,
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Investigate entities on machines using live response
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time.
+
+Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
+
+With live response, analysts will have the ability to:
+- Run basic and advanced commands to do investigative work
+- Download files such as malware samples and outcomes of PowerShell scripts
+- Upload a PowerShell script or executable to the library and run it on the machine from a tenant level
+- Take or undo remediation actions
+
+
+## Before you begin
+Before you can initiate a session on a machine, make sure you fulfill the following requirements:
+
+- Machines must be Windows 10, version 18323 (also known as Windows 10 19H1) or later.
+
+- **Enable live response from the settings page**
+You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page.
+
+ >[!NOTE]
+ >Only users with manage security or global admin roles can edit these settings.
+
+- **Enable live response unsigned script execution** (optional)
+
+ >[!WARNING]
+ >Allowing the use of unsigned scripts may increase your exposure to threats.
+
+ Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
+
+- **Ensure that you have the appropriate permissions**
+ Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments see, [Create and manage roles](user-roles.md).
+
+ Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permission are controlled by RBAC custom role.
+
+## Live response dashboard overview
+When you initiate a live response session on a machine, a dashboard opens. The dashboard provides information about the session such as:
+
+- Who created the session
+- When the session started
+- The duration of the session
+
+The dashboard also gives you access to:
+- Disconnect session
+- Upload files to the library
+- Command console
+- Command log
+
+
+## Initiate a live response session on a machine
+
+1. Log in to Microsoft Defender Security Center.
+2. Navigate to the machines list page and select a machine to investigate. The machine page opens.
+
+ >[!NOTE]
+ >Machines must be on Windows 10, version 18323 (also known as Windows 10 19H1) or later.
+
+2. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the machine.
+3. Use the built-in commands to do investigative work. For more information see, [Live response commands](#live-response-commands).
+4. After completing your investigation, select **Disconnect session**, then select **Confirm**.
+
+
+
+## Live response commands
+Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments see, [Create and manage roles](user-roles.md).
+
+### Basic commands
+The following commands are available for user roles that's been granted the ability to run **basic** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md).
+
+Command | Description
+:---|:---|:---
+cd | Changes the current directory.
+cls | Clears the console screen.
+connect | Initiates a live response session to the machine.
+connections | Shows all the active connections.
+dir | Shows a list of files and subdirectories in a directory
+drivers | Shows all drivers installed on the machine.
+fileinfo | Get information about a file.
+findfile | Locates files by a given name on the machine.
+help | Provides help information for live response commands.
+persistence | Shows all known persistence methods on the machine.
+processes | Shows all processes running on the machine.
+registry | Shows registry values.
+scheduledtasks| Shows all scheduled tasks on the machine.
+services | Shows all services on the machine.
+trace | Sets the terminal's logging mode to debug.
+
+
+### Advanced commands
+The following commands are available for user roles that's been granted the ability to run **advanced** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md).
+
+Command | Description
+:---|:---
+analyze | Analyses the entity with various incrimination engines to reach a verdict.
+getfile | Gets a file from the machine.
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `getfile` to automatically run the prerequisite command.
+run | Runs a PowerShell script from the library on the machine.
+library | Lists files that were uploaded to the live response library.
+putfile | Puts a file from the library to the machine. Files are saved in a working folder and are deleted when the machine restarts by default.
+remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type:
- File: delete
- Process: stop, delete image file
- Service: stop, delete image file
- Registry entry: delete
- Scheduled task: remove
- Startup folder item: delete file
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `remediate` to automatically run the prerequisite command.
+undo | Restores an entity that was remediated.
+
+
+## Use live response commands
+The commands that you can use in the console follow similar principles as [Windows Commands](https://docs.microsoft.com/windows-server/administration/windows-commands/windows-commands#BKMK_c).
+
+The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the machine, and take remediation actions on an entity.
+
+### Get a file from the machine
+For scenarios when you'd like get a file from a machine you're investigating, you can use the `getfile` command. This allows you to save the file from the machine for further investigation.
+
+>[!NOTE]
+>There is a file size limit of 750mb.
+
+### Put a file in the library
+Live response has a library where you can put files into. The library stores files (such as scripts) that can be run in a live response session at the tenant level.
+
+Live response allows PowerShell scripts to run, however you must first put the files into the library before you can run them.
+
+You can have a collection of PowerShell scripts that can run on machines that you initiate live response sessions with.
+
+**To upload a file in the library:**
+1. Click **Upload file to library**.
+2. Click **Browse** and select the file.
+3. Provide a brief description.
+4. Specify if you'd like to overwrite a file with the same name.
+5. If you'd like to be know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description.
+6. Click **Confirm**.
+7. (Optional) To verify that the file was uploaded to the library, run the `library` command.
+
+
+### Cancel a command
+Anytime during a session, you can cancel a command by pressing CTRL + C.
+
+>[!WARNING]
+>Using this shortcut will not stop the command in the agent side. It will only cancel the command in the portal. So, changing operations such as "remediate" may continue, while the command is canceled.
+
+
+
+### Automatically run prerequisite commands
+Some commands have prerequisite commands to run. If you don't run the prerequisite command, you'll get an error. For example, running the `download` command without `fileinfo` will return an error.
+
+You can use the auto flag to automatically run prerequisite commands, for example:
+
+```
+getfile c:\Users\user\Desktop\work.txt -auto
+```
+
+
+## Run a PowerShell script
+Before you can run a PowerShell script, you must first upload it to the library.
+
+After uploading the script to the library, use the `run` command to run the script.
+
+If you plan to use an unsigned script in the session, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
+
+>[!WARNING]
+>Allowing the use of unsigned scripts may increase your exposure to threats.
+
+
+
+## Apply command parameters
+- View the console help to learn about command parameters. To learn about an individual command, run:
+
+ `help `
+
+- When applying parameters to commands, note that parameters are handled based on a fixed order:
+
+ ` param1 param2`
+
+- When specifying parameters outside of the fixed order, specify the name of the parameter with a hyphen before providing the value:
+
+ ` -param2_name param2`
+
+- When using commands that have prerequisite commands, you can use flags:
+
+ ` -type file -id - auto` or `remediate file - auto`.
+
+
+
+## Supported output types
+Live response supports table and JSON format output types. For each command, there's a default output behavior. You can modify the output in your preferred output format using the following commands:
+
+- `-output json`
+- `-output table`
+
+>[!NOTE]
+>Fewer fields are shown in table format due to the limited space. To see more details in the output, you can use the JSON output command so that more details are shown.
+
+
+## Supported output pipes
+Live response supports output piping to CLI and file. CLI is the default output behavior. You can pipe the output to a file using the following command: [command] > [filename].txt.
+
+Example:
+
+```
+processes > output.txt
+```
+
+
+
+## View the command log
+Select the **Command log** tab to see the commands used on the machine during a session.
+Each command is tracked with full details such as:
+- ID
+- Command line
+- Duration
+- Status and input or output side bar
+
+
+
+
+## Limitations
+- Live response sessions are limited to 10 live response sessions at a time
+- Large scale command execution is not supported
+- A user can only initiate one session at a time
+- A machine can only be in one session at a time
+- There is a file size limit of 750mb when downloading files from a machine
+
+## Related topic
+- [Live response command examples](live-response-command-examples.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
index 2dc83b0d07..22efe55158 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
@@ -22,8 +22,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[!include[Prerelease information](prerelease.md)]
-
+
The machines status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions.
The dashboard is structured into two sections:
@@ -80,4 +79,4 @@ For example, to show data about Windows 10 machines with Active sensor health st
## Related topic
-- [Threat protection report ](threat-protection-reports.md)
\ No newline at end of file
+- [Threat protection report](threat-protection-reports.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
index c02a9598e4..9a0cc2d05f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
@@ -26,11 +26,11 @@ ms.topic: article
Microsoft Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue**.
-You can manage alerts by selecting an alert in the **Alerts queue** or the **Alerts related to this machine** section of the machine details view.
+You can manage alerts by selecting an alert in the **Alerts queue**, or the **Alerts** tab of the Machine page for an individual device.
Selecting an alert in either of those places brings up the **Alert management pane**.
-
+
## Link to another incident
You can create a new incident from the alert or link to an existing incident.
@@ -40,11 +40,11 @@ If an alert is no yet assigned, you can select **Assign to me** to assign the al
## Suppress alerts
-There might be scenarios where you need to suppress alerts from appearing in Microsoft Defender Security Center. Microsoft Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization.
+There might be scenarios where you need to suppress alerts from appearing in Microsoft Defender Security Center. Microsoft Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization.
Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed.
-When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not affect existing alerts already in the queue prior to the rule creation. The rule will only be applied on alerts that satisfy the conditions set after the rule is created.
+When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not affect existing alerts already in the queue, prior to the rule creation. The rule will only be applied on alerts that satisfy the conditions set after the rule is created.
There are two contexts for a suppression rule that you can choose from:
@@ -60,7 +60,6 @@ You can use the examples in the following table to help you choose the context f
| **Suppress alert on this machine** | Alerts with the same alert title and on that specific machine only will be suppressed.
All other alerts on that machine will not be suppressed. | - A security researcher is investigating a malicious script that has been used to attack other machines in your organization.
- A developer regularly creates PowerShell scripts for their team.
|
| **Suppress alert in my organization** | Alerts with the same alert title on any machine will be suppressed. | - A benign administrative tool is used by everyone in your organization.
|
-
### Suppress an alert and create a new suppression rule:
Create custom rules to control when alerts are suppressed, or resolved. You can control the context for when an alert is suppressed by specifying the alert title, Indicator of compromise, and the conditions. After specifying the context, you’ll be able to configure the action and scope on the alert.
@@ -68,13 +67,13 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
2. Select **Create a suppression rule**.
- You can create a suppression rule based on the following attributes:
+ You can create a suppression condition using these attributes. An AND operator is applied between each condition, so suppression occurs only if all conditions are met.
- * File hash
- * File name - wild card supported
- * File path - wild card supported
- * IP
- * URL - wild card supported
+ * File SHA1
+ * File name - wildcard supported
+ * Folder path - wildcard supported
+ * IP address
+ * URL - wildcard supported
3. Select the **Trigerring IOC**.
@@ -116,7 +115,7 @@ Added comments instantly appear on the pane.
## Related topics
- [Manage suppression rules](manage-suppression-rules.md)
-- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md)
+- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
index 4db5431253..1521bb3b89 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
@@ -102,7 +102,7 @@ You'll also have access to the following sections that help you see details of t
- Investigation graph
- Alerts
- Machines
-- Threats
+- Key findings
- Entities
- Log
- Pending actions
@@ -138,7 +138,7 @@ Selecting a machine using the checkbox brings up the machine details pane where
Clicking on an machine name brings you the machine page.
-### Threats
+### Key findings
Shows details related to threats associated with this investigation.
### Entities
@@ -162,37 +162,9 @@ If there are pending actions on an Automated investigation, you'll see a pop up
-When you click on the pending actions link, you'll be taken to the pending actions page. You can also navigate to the page from the navigation page by going to **Automated investigation** > **Pending actions**.
+When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page from the navigation page by going to **Automated investigation** > **Action center**. For more information, see [Action center](auto-investigation-action-center.md).
-The pending actions view aggregates all investigations that require an action for an investigation to proceed or be completed.
-
-
-
-Use the Customize columns drop-down menu to select columns that you'd like to show or hide.
-
-From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
-
-Pending actions are grouped together in the following tabs:
-- Quarantine file
-- Remove persistence
-- Stop process
-- Expand pivot
-- Quarantine service
-
->[!NOTE]
->The tab will only appear if there are pending actions for that category.
-
-### Approve or reject an action
-You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed.
-
-Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed.
-
-
-
-From the panel, you can click on the Open investigation page link to see the investigation details.
-
-You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations.
-
## Related topic
- [Investigate Microsoft Defender ATP alerts](investigate-alerts.md)
+- [Manage actions related to automated investigation and remediation](auto-investigation-action-center.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
index 31fb4bb075..6f2cd9df63 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
@@ -23,11 +23,15 @@ ms.date: 010/08/2018
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. You can assign incidents to yourself, change the status, classify, rename, or comment on them to keep track of their progress.
+Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**.
+
+
+Selecting an incident from the **Incidents queue** brings up the **Incident management pane** where you can open the incident page for details.
+
-Selecting an incident from the **Incidents queue** brings up the **Incident management pane** where you can open the incident page for details.
+You can assign incidents to yourself, change the status and classification, rename, or comment on them to keep track of their progress.
@@ -35,28 +39,26 @@ Selecting an incident from the **Incidents queue** brings up the **Incident mana
## Assign incidents
If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it.
-## Change the incident status
+## Set status and classification
+### Incident status
You can categorize incidents (as **Active**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to incidents.
For example, your SoC analyst can review the urgent **Active** incidents for the day, and decide to assign them to himself for investigation.
Alternatively, your SoC analyst might set the incident as **Resolved** if the incident has been remediated.
-## Classify the incident
+### Classification
You can choose not to set a classification, or decide to specify whether an incident is true or false. Doing so helps the team see patterns and learn from them.
-## Rename incident
-By default, incidents are assigned with numbers. You can rename the incident if your organization uses a naming convention for easier cybersecurity threat identification.
-
-
-
-## Add comments and view the history of an incident
+### Add comments
You can add comments and view historical events about an incident to see previous changes made to it.
Whenever a change or comment is made to an alert, it is recorded in the Comments and history section.
Added comments instantly appear on the pane.
+
+
## Related topics
- [Incidents queue](incidents-queue.md)
- [View and organize the Incidents queue](view-incidents-queue.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
index aac7917bca..c72919ffb8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
@@ -82,7 +82,7 @@ The attack surface reduction set of capabilities provide the first line of defen
-**[Next generation protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)**
+**[Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)**
To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index 442773e50f..ba54f650be 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -45,6 +45,16 @@ For a detailed comparison table of Windows 10 commercial edition comparison, see
For more information about licensing requirements for Microsoft Defender ATP platform on Windows Server, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114).
+## Browser requirements
+Access to Microsoft Defender ATP is done through a browser, supporting the following browsers:
+- Microsoft Edge
+- Internet Explorer version 11
+- Google Chrome
+
+>[!NOTE]
+>While other browsers might work, the mentioned browsers are the ones supported.
+
+
## Hardware and software requirements
### Supported Windows versions
- Windows 7 SP1 Enterprise
@@ -57,6 +67,7 @@ For more information about licensing requirements for Microsoft Defender ATP pla
- Windows 10 Pro
- Windows 10 Pro Education
- Windows server
+ - Windows Server 2008 R2 SP1
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2016, version 1803
@@ -86,7 +97,7 @@ When you run the onboarding wizard for the first time, you must choose where you
> - You cannot change your data storage location after the first-time setup.
> - Review the [Microsoft Defender ATP data storage and privacy](data-storage-privacy.md) for more information on where and how Microsoft stores your data.
-
+
### Diagnostic data settings
You must ensure that the diagnostic data service is enabled on all the machines in your organization.
By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them.
@@ -145,6 +156,9 @@ For more information on additional proxy configuration settings see, [Configure
Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10.
+
+
+
## Windows Defender Antivirus configuration requirement
The Microsoft Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
index 666ab6abfe..cc13be6a2b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
@@ -1,68 +1,68 @@
----
-title: Next-generation Threat & Vulnerability Management
-ms.reviewer:
-description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
-keywords: threat and vulnerability management, MDATP-TVM, vulnerability management, threat and vulnerability scanning
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: mjcaparas
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Threat & Vulnerability Management
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](prerelease.md)]
-
-Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrustructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
-
-It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.
-
-## Next-generation capabilities
-Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase.
-
-It is the first solution in the industry to automate the remediation process through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) for patching, configuration changes, or upgrades.
->[!Note]
-> Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks.
-
-It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication.
-- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
-- Linked machine vulnerability and security configuration assessment data in the context of exposure discovery
-- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager
-
-### Real-time discovery
-
-To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerability Management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides:
-- Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard.
-- Visibility into software and vulnerabilities. Optics into the organization’s software inventory, as well as software changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
-- Application runtime context. Constant visibility into application usage patterns for better prioritization and decision-making. Critical dependencies, such as vulnerable runtime libraries being loaded by other applications, are made visible.
-- Configuration posture. Visibility into organizational security configuration, surfacing issues like disabled antivirus, enabled SMBv1, or misconfigurations that could allow escalation of privileges. Issues are reported in the dashboard with actionable security recommendations.
-
-### Intelligence-driven prioritization
-
-Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context:
-- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk.
-- Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization.
-- Protecting high-value assets. Microsoft Defender ATP’s integration with Azure Information Protection allows Threat & Vulnerability Management to call attention to exposed machines with business-critical applications, confidential data, or high-value users.
-
-### Seamless remediation
-
-Microsoft Defender ATP’s Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues.
-- One-click remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune with one click. We plan to expand this capability to other IT security management platforms.
-- Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
-- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization.
-
-## Related topics
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
-- [Configuration score](configuration-score.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+---
+title: Next-generation Threat & Vulnerability Management
+description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
+keywords: threat and vulnerability management, MDATP-TVM, vulnerability management, threat and vulnerability scanning
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Threat & Vulnerability Management
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
+
+It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.
+
+## Next-generation capabilities
+Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase.
+
+It is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM).
+
+It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication.
+- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
+- Linked machine vulnerability and security configuration assessment data in the context of exposure discovery
+- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager
+
+### Real-time discovery
+
+To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerability Management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides:
+- Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard.
+- Visibility into software and vulnerabilities. Optics into the organization’s software inventory, and software changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
+- Application runtime context. Visibility on application usage patterns for better prioritization and decision-making.
+- Configuration posture. Visibility into organizational security configuration or misconfigurations. Issues are reported in the dashboard with actionable security recommendations.
+
+### Intelligence-driven prioritization
+
+Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context:
+- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk.
+- Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization.
+- Protecting high-value assets. Microsoft Defender ATP’s integration with Azure Information Protection allows Threat & Vulnerability Management to identify the exposed machines with business-critical applications, confidential data, or high-value users.
+
+### Seamless remediation
+
+Microsoft Defender ATP’s Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues.
+- Remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms.
+- Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
+- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization.
+
+## Related topics
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Configuration score](configuration-score.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Remediation](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
index 9e5d1c75b1..1d8fa91df1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
@@ -57,7 +57,7 @@ The following steps are required to enable this integration:
### Before you begin
Review the following details to verify minimum system requirements:
-- Install the [February monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
+- Install the [February 2018 monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
>[!NOTE]
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
@@ -70,7 +70,7 @@ Review the following details to verify minimum system requirements:
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
>Don't install .NET framework 4.0.x, since it will negate the above installation.
-- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-concept-hybrid#prerequisites)
+- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-concept-hybrid#prerequisites)
@@ -92,7 +92,7 @@ Once completed, you should see onboarded endpoints in the portal within an hour.
### Configure proxy and Internet connectivity settings
-- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway).
+- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway).
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Microsoft Defender ATP service:
Agent Resource | Ports
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
index eb814bb184..d9d1de552d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
@@ -1,7 +1,7 @@
---
title: Custom detections overview
ms.reviewer:
-description: Understand how how you can leverage the power of advanced hunting to create custom detections
+description: Understand how you can leverage the power of advanced hunting to create custom detections
keywords: custom detections, detections, advanced hunting, hunt, detect, query
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -24,13 +24,16 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Alerts in Microsoft Defender ATP are surfaced through the system based on signals gathered from endpoints. With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats.
+Alerts in Microsoft Defender ATP are surfaced through the system based on signals gathered from endpoints. With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious events or emerging threats.
-This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
+This can be done by leveraging the power of [Advanced hunting](overview-hunting.md) through the creation of custom detection rules.
Custom detections are queries that run periodically every 24 hours and can be configured so that when the query meets the criteria you set, alerts are created and are surfaced in Microsoft Defender Security Center. These alerts will be treated like any other alert in the system.
This capability is particularly useful for scenarios when you want to pro-actively prevent threats and be notified quickly of emerging threats.
+>[!NOTE]
+>To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
+
## Related topic
- [Create custom detection rules](custom-detection-rules.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
index 9d743faca2..cb57adc063 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
@@ -41,7 +41,7 @@ The Microsoft secure score tile is reflective of the sum of all the Windows Defe
-Each Windows Defender security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported security controls (Windows Defender security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar).
+Each Windows Defender security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported security controls (Microsoft Defender security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar).
The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/en-us/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess).
@@ -74,7 +74,7 @@ Clicking on the affected machines link at the top of the table takes you to the
Within the tile, you can click on each control to see the recommended optimizations.
-Clicking the link under the Misconfigured machines column opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
+Clicking the link under the **Misconfigured machines** column opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
## Related topic
- [Threat analytics](threat-analytics.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
index 200d144ad9..84cf299759 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
@@ -49,17 +49,25 @@ You can navigate through the portal using the menu options available in all sect
Area | Description
:---|:---
-(1) Navigation pane | Use the navigation pane to move between the **Dashboards**, **Alerts queue**, **Automated investigations**, **Machines list**, **Service health**, **Advanced hunting**, and **Settings**.
-**Dashboards** | Access the Security operations, the Secure Score, or Threat analytics dashboard.
+**(1) Navigation pane** | Use the navigation pane to move between **Dashboards**, **Incidents**, **Machines list**, **Alerts queue**, **Automated investigations**, **Advanced hunting**, **Reports**, **Interoperability**, **Threat & vulnerability management**, **Evaluation and tutorials**, **Service health**, **Configuration management**, and **Settings**.
+**Dashboards** | Access the Security operations, the Secure Score, or Threat analytics dashboard.
**Incidents** | View alerts that have been aggregated as incidents.
-**Alerts** | View alerts generated from machines in your organizations.
+**Machines list** | Displays the list of machines that are onboarded to Microsoft Defender ATP, some information about them, and the corresponding number of alerts.
+**Alerts queue** | View alerts generated from machines in your organizations.
**Automated investigations** | Displays a list of automated investigations that's been conducted in the network, the status of each investigation and other details such as when the investigation started and the duration of the investigation.
**Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool.
-**Machines list** | Displays the list of machines that are onboarded to Microsoft Defender ATP, some information about them, and the corresponding number of alerts.
+**Reports** | View graphs detailing alert trends over time, and alert summary charts categorizing threats by severity, status, and attack approach
+**Interoperability** | Lists supported partner applications that can work together with Microsoft Defender, as well as applications that are already connected to Microsoft Defender.
+**Threat & Vulnerability management** | View your configuration score, exposure score, exposed machines, vulnerable software, and take action on top security recommendations.
+**Evaluation and tutorials** | Manage test machines, attack simulations, and reports. Learn and experience the Microsoft Defender ATP capabilities through a guided walkthrough in a trial environment.
**Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues.
-**Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Secure Score dashboard.
+**Configuration management** | Displays on-boarded machines, your organizations' security baseline, predictive analysis, and allows you to perform attack surface management on your machines.
+**Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Secure Score dashboard.
**(2) Main portal** | Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list.
-**(3) Community center, Time settings, Help and support, Feedback** | **Community center** -Access the Community center to learn, collaborate, and share experiences about the product. **Time settings** - Gives you access to the configuration settings where you can set time zones and view license information. **Help and support** - Gives you access to the Microsoft Defender ATP guide, Microsoft support, and Premier support. **Feedback** - Access the feedback button to provide comments about the portal.
+**(3) Community center, Localization, Help and support, Feedback** | **Community center** -Access the Community center to learn, collaborate, and share experiences about the product. **Time settings** - Gives you access to the configuration settings where you can set time zones and view license information. **Help and support** - Gives you access to the Microsoft Defender ATP guide, Microsoft support, and Premier support. **Feedback** - Access the feedback button to provide comments about the portal.
+
+> [!NOTE]
+> For devices with high resolution DPI scaling issues, please see [Windows scaling issues for high-DPI devices](https://support.microsoft.com/help/3025083/windows-scaling-issues-for-high-dpi-devices) for possible solutions.
## Microsoft Defender ATP icons
The following table provides information on the icons used all throughout the portal:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
index f65850cce0..31ca59c206 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
@@ -45,7 +45,7 @@ You can access these options from Microsoft Defender Security Center. Both the P
## Create a Microsoft Defender ATP dashboard on Power BI service
Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.
-1. In the navigation pane, select **Settings** > **Power BI reports**.
+1. In the navigation pane, select **Settings** > **General** > **Power BI reports**.
2. Click **Create dashboard**.
@@ -175,14 +175,10 @@ You can use Power BI Desktop to analyse data from Microsoft Defender ATP and mas
1. In Power BI Desktop, in the Home ribbon, click **Get data** and search for **Microsoft Defender Advanced Threat Protection**.
- 
-
2. Click **Connect**.
3. On the Preview Connector windows, click **Continue**.
- 
-
4. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data.
@@ -191,8 +187,6 @@ You can use Power BI Desktop to analyse data from Microsoft Defender ATP and mas
6. In the Navigator dialog box, select the Microsoft Defender ATP feeds you'd like to download and use in your reports and click Load. Data will start to be downloaded from the Microsoft Graph.
- 
-
7. Load other data sources by clicking **Get data item** in the Home ribbon, and select another data source.
8. Add visuals and select fields from the available data sources.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
index 2cd29e4940..ebc7ab056b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@@ -42,6 +42,8 @@ Turn on the preview experience setting to be among the first to try upcoming fea
## Preview features
The following features are included in the preview release:
+- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016)
You can now onboard Windows Server 2008 R2 SP1.
+
- [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac)
Microsoft Defender ATP for Mac brings the next-generation protection, and endpoint detection and response coverage to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices.
- [Live response](live-response.md)
Get instantaneous access to a machine using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
new file mode 100644
index 0000000000..74282e67bc
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
@@ -0,0 +1,89 @@
+---
+title: Stream Microsoft Defender Advanced Threat Protection events.
+description: Learn how to configure Microsoft Defender ATP to stream Advanced Hunting events to your Event Hub.
+keywords: raw data export, streaming API, API, Azure Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Configure Microsoft Defender ATP to stream Advanced Hunting events to your Azure Event Hubs
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
+
+## Before you begin:
+
+1. Create an [event hub](https://docs.microsoft.com/en-us/azure/event-hubs/) in your tenant.
+2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****.
+
+## Enable raw data streaming:
+
+1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) with a Global Admin user.
+2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
+3. Click on **Add data export settings**.
+4. Choose a name for your new settings.
+5. Choose **Forward events to Azure Event Hubs**.
+6. Type your **Event Hubs name** and your **Event Hubs resource ID**.
+ In order to get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > properties tab > copy the text under **Resource ID**:
+
+ 
+
+7. Choose the events you want to stream and click **Save**.
+
+## The schema of the events in Azure Event Hubs:
+
+```
+{
+ "records": [
+ {
+ "time": ""
+ "tenantId": ""
+ "category": ""
+ "properties": { }
+ }
+ ...
+ ]
+}
+```
+
+- Each event hub message in Azure Event Hubs contains list of records.
+- Each record contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**".
+- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](overview-hunting.md).
+
+## Data types mapping:
+
+To get the data types for event properties do the following:
+
+1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package).
+2. Run the following query to get the data types mapping for each event:
+
+```
+{EventType}
+| getschema
+| project ColumnName, ColumnType
+
+```
+
+- Here is an example for Machine Info event:
+
+
+
+## Related topics
+- [Overview of Advanced Hunting](overview-hunting.md)
+- [Microsoft Defender ATP streaming API](raw-data-export.md)
+- [Stream Microsoft Defender ATP events to your Azure storage account](raw-data-export-storage.md)
+- [Azure Event Hubs documentation](https://docs.microsoft.com/en-us/azure/event-hubs/)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
new file mode 100644
index 0000000000..1cea01f7d1
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
@@ -0,0 +1,89 @@
+---
+title: Stream Microsoft Defender Advanced Threat Protection events.
+description: Learn how to configure Microsoft Defender ATP to stream Advanced Hunting events to your Storage account.
+keywords: raw data export, streaming API, API, Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Configure Microsoft Defender ATP to stream Advanced Hunting events to your Storage account
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
+
+## Before you begin:
+
+1. Create a [Storage account](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview) in your tenant.
+2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****.
+
+## Enable raw data streaming:
+
+1. Log in to [Microsoft Defender ATP portal](https://securitycenter.windows.com) with Global Admin user.
+2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
+3. Click on **Add data export settings**.
+4. Choose a name for your new settings.
+5. Choose **Forward events to Azure Storage**.
+6. Type your **Storage Account Resource Id**. In order to get your **Storage Account Resource Id**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage account resource ID**:
+
+ 
+
+7. Choose the events you want to stream and click **Save**.
+
+## The schema of the events in the Storage account:
+
+- A blob container will be created for each event type:
+
+
+
+- The schema of each row in a blob is the following JSON:
+
+```
+{
+ "time": ""
+ "tenantId": ""
+ "category": ""
+ "properties": { }
+}
+```
+
+- Each blob contains multiple rows.
+- Each row contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties".
+- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](overview-hunting.md).
+
+## Data types mapping:
+
+In order to get the data types for our events properties do the following:
+
+1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package).
+2. Run the following query to get the data types mapping for each event:
+
+```
+{EventType}
+| getschema
+| project ColumnName, ColumnType
+
+```
+
+- Here is an example for Machine Info event:
+
+
+
+## Related topics
+- [Overview of Advanced Hunting](overview-hunting.md)
+- [Microsoft Defender Advanced Threat Protection Streaming API](raw-data-export.md)
+- [Stream Microsoft Defender Advanced Threat Protection events to your Azure storage account](raw-data-export-storage.md)
+- [Azure Storage Account documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
new file mode 100644
index 0000000000..1349b4a57b
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
@@ -0,0 +1,43 @@
+---
+title: Stream Microsoft Defender Advanced Threat Protection event
+description: Learn how to configure Microsoft Defender ATP to stream Advanced Hunting events to Event Hubs or Azure storage account
+keywords: raw data export, streaming API, API, Event hubs, Azure storage, storage account, Advanced Hunting, raw data sharing
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Raw Data Streaming API (Preview)
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
+
+## Stream Advanced Hunting events to Event Hubs and/or Azure storage account.
+
+Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](overview-hunting.md) to an [Event Hubs](https://docs.microsoft.com/en-us/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/en-us/azure/event-hubs/).
+
+## In this section
+
+Topic | Description
+:---|:---
+[Stream Microsoft Defender ATP events to Azure Event Hubs](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure Microsoft Defender ATP to stream [Advanced Hunting](overview-hunting.md) to Event Hubs.
+[Stream Microsoft Defender ATP events to your Azure storage account](raw-data-export-storage.md)| Learn about enabling the streaming API in your tenant and configure Microsoft Defender ATP to stream [Advanced Hunting](overview-hunting.md) to your Azure storage account.
+
+
+## Related topics
+- [Overview of Advanced Hunting](overview-hunting.md)
+- [Azure Event Hubs documentation](https://docs.microsoft.com/en-us/azure/event-hubs/)
+- [Azure Storage Account documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
index 80f4ea3708..e2db21f7ff 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
@@ -20,30 +20,40 @@ ms.topic: article
# Take response actions on a file
**Applies to:**
+
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responddile-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responddile-abovefoldlink)
-Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center.
+Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details in the Action center.
->[!IMPORTANT]
->These response actions are only available for machines on Windows 10, version 1703 or later.
+Response actions are available on a file's detailed profile page. Once on this page, you can switch between the new and old page layouts by toggling **new File page**. The rest of this article describes the newer page layout.
-You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete, you'll get a detailed report that provides information about the behavior of the file.
+Response actions run along the top of the file page, and include:
+
+- Stop and Quarantine File
+- Add Indicator
+- Download file
+- Action center
+
+You can also submit files for deep analysis, to run the file in a secure cloud sandbox. When the analysis is complete, you'll get a detailed report that provides information about the behavior of the file. You can submit files for deep analysis and read past reports by selecting the **Deep analysis** tab. It's located below the file information cards.
## Stop and quarantine files in your network
-You can contain an attack in your organization by stopping the malicious process and quarantine the file where it was observed.
+You can contain an attack in your organization by stopping the malicious process and quarantining the file where it was observed.
>[!IMPORTANT]
>You can only take this action if:
+>
> - The machine you're taking the action on is running Windows 10, version 1703 or later
> - The file does not belong to trusted third-party publishers or not signed by Microsoft
> - Windows Defender Antivirus must at least be running on Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
-The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys.
+The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistent data, such as any registry keys.
-The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last 30 days.
+This action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last 30 days.
>[!NOTE]
>You’ll be able to restore the file from quarantine at any time.
@@ -55,13 +65,13 @@ The action takes effect on machines with Windows 10, version 1703 or later, wher
- **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
- **Search box** - select File from the drop–down menu and enter the file name
-2. Open the **Actions menu** and select **Stop and Quarantine File**.
+2. Go to the top bar and select **Stop and Quarantine File**.
-3. Specify a reason, then click **Yes, stop and quarantine**.
+3. Specify a reason, then click **Confirm**.
- 
+ 
The Action center shows the submission information:
@@ -80,14 +90,9 @@ When the file is being removed from a machine, the following notification is sho
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
->[!IMPORTANT]
->The **Action** button is turned off for files signed by Microsoft as well as trusted third–party publishers to prevent the removal of critical system files and files used by important applications.
+For files that widely used throughout an organization, a warning is shown before an action is implemented, to validate that the operation is intended.
-
-
-For prevalent files in the organization, a warning is shown before an action is implemented to validate that the operation is intended.
-
-## Remove file from quarantine
+## Restore file from quarantine
You can roll back and remove a file from quarantine if you’ve determined that it’s clean after an investigation. Run the following command on each machine where the file was quarantined.
@@ -98,118 +103,84 @@ You can roll back and remove a file from quarantine if you’ve determined that
b. Right–click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
- ```
+
+ ```Powershell
“%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All
```
> [!NOTE]
> Microsoft Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
-## Block files in your network
+## Add indicator to block or allow a file
You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
>[!IMPORTANT]
+>
>- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
+>
>- The Antimalware client version must be 4.18.1901.x or later.
->- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
+>- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
>- This response action is available for machines on Windows 10, version 1703 or later.
>- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action.
>[!NOTE]
-> The PE file needs to be in the machine timeline for you to be able to take this action.
->- There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
+> The PE file needs to be in the machine timeline for you to be able to take this action.
+>
+> There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
### Enable the block file feature
-Before you can block files, you'll need to enable the feature.
-
-1. In the navigation pane, select **Settings** > **Advanced features** > **Block file**.
-
-2. Toggle the setting between **On** and **Off** and select **Save preferences**.
-
- 
+To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings.
-### Block a file
+### Allow or block file
-1. Select the file you want to block. You can select a file from any of the following views or use the Search box:
+When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a machine in your organization attempts to run it.
- - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
- - **Search box** - select File from the drop–down menu and enter the file name
+Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue.
-2. Open the **Actions menu** and select **Block**.
+ See [manage indicators](manage-indicators.md) for more details on blocking and raising alerts on files.
- 
+To stop blocking a file, remove the indicator. You can do so via the **Edit Indicator** action on the file's profile page. This action will be visible in the same position that the **Add Indicator** action was, before you added the indicator.
-3. Specify a reason and select **Yes, block file** to take action on the file.
+You can also edit indicators from the **Settings** page, under **Rules** > **Indicators**. Indicators are listed in this area by their file's hash.
- 
+## Download or collect file
- The Action center shows the submission information:
- 
+Selecting **Download file** from the response actions allows you to download a local, password-protected .zip archive containing your file.
- - **Submission time** - Shows when the action was submitted.
- - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
- - **Status** - Indicates whether the file was added to or removed from the blacklist.
+
-When the file is blocked, there will be a new event in the machine timeline.
+When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you are downloading the file. You can also set a password to open the file.
->[!NOTE]
->-If a file was scanned before the action was taken, it may take longer to be effective on the device.
+
-**Notification on machine user**:
-When a file is being blocked on the machine, the following notification is displayed to inform the user that the file was blocked:
-
-
-
->[!NOTE]
->The **Action** button is turned off for files signed by Microsoft to prevent negative impact on machines in your organization caused by the removal of files that might be related to the operating system.
-
-
-
-For prevalent files in the organization, a warning is shown before an action is implemented to validate that the operation is intended.
-
-## Remove file from blocked list
-
-1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box:
-
- - **Alerts** - Click the file links from the Description or Details in the Artifact timeline
- - **Search box** - Select File from the drop–down menu and enter the file name
-
-2. Open the **Actions** menu and select **Remove file from blocked list**.
-
- 
-
-3. Type a comment and select **Yes** to take action on the file. The file will be allowed to run in the organization.
-
-## Check activity details in Action center
-
-The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view the details on the last action that were taken on a file such as stopped and quarantined files or blocked files.
+If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a **Collect file** button in the same location. If a file has not been seen in the organization in the past 30 days, **Collect file** will be disabled.
## Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis.
-The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs.
+The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs.
Deep analysis currently supports extensive analysis of portable executable (PE) files (including _.exe_ and _.dll_ files).
-Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the File view page, under a new **Deep analysis summary** section. The summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk.
+Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to display the date and time of the latest results available, as well as a summary of the report itself.
+
+The Deep analysis summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk. If nothing was found, these sections will simply display a brief message.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
-### Submit files for analysis
+Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the the file's profile page.
-Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available in the context of the file view.
-
-In the file's page, **Submit for deep analysis** is enabled when the file is available in the Microsoft Defender ATP backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
+**Submit for deep analysis** is enabled when the file is available in the Microsoft Defender ATP backend sample collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
> [!NOTE]
> Only files from Windows 10 can be automatically collected.
-You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available.
+You can also manually submit a sample through the [Microsoft Security Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available.
> [!NOTE]
-> Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Microsoft Defender ATP.
+> Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Microsoft Defender ATP.
When the sample is collected, Microsoft Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs, and registry modifications.
@@ -221,7 +192,7 @@ When the sample is collected, Microsoft Defender ATP runs the file in is a secur
- **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section
- Search box - select **File** from the drop–down menu and enter the file name
-2. In the **Deep analysis** section of the file view, click **Submit**.
+2. In the **Deep analysis** tab of the file view, click **Submit**.
@@ -232,7 +203,7 @@ A progress bar is displayed and provides information on the different stages of
> [!NOTE]
> Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–submit files for deep analysis to get fresh data on the file.
-### View deep analysis reports
+**View deep analysis reports**
View the deep analysis report that Microsoft Defender ATP provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context.
@@ -244,29 +215,32 @@ You can view the comprehensive report that provides details on the following sec
The details provided can help you investigate if there are indications of a potential attack.
1. Select the file you submitted for deep analysis.
-2. Click **See the report below**. Information on the analysis is displayed.
+2. Select the **Deep analysis** tab. If there are any previous reports, the report summary will appear in this tab.
- 
+ 
-### Troubleshoot deep analysis
+**Troubleshoot deep analysis**
If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications).
-2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
-3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error.
-4. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value:
+1. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
+1. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error.
+1. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value:
- ```
+ ```Powershell
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: AllowSampleCollection
- Type: DWORD
+ Type: DWORD
Hexadecimal value :
Value = 0 – block sample collection
Value = 1 – allow sample collection
```
-5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp.md).
-6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
-## Related topic
+1. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp.md).
+1. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
+
+## Related topics
+
- [Take response actions on a machine](respond-machine-alerts.md)
+- [Investigate files](investigate-files.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md
index 389a39fd4a..409f485d23 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md
@@ -31,7 +31,7 @@ You first need to [create an app](apis-intro.md).
## Use case
A common scenario is scheduling an advanced query and using the results for follow up actions and processing.
-In this section we share sample for this purpose using [Microsoft Flow](https://flow.microsoft.com/) (or [Logic Apps](https://azure.microsoft.com/en-us/services/logic-apps/)).
+In this section we share sample for this purpose using [Microsoft Flow](https://flow.microsoft.com/) (or [Logic Apps](https://azure.microsoft.com/services/logic-apps/)).
## Define a flow to run query and parse results
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
index 1c62e63285..bd86e1319d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
@@ -37,7 +37,7 @@ You first need to [create an app](apis-intro.md).
Set-ExecutionPolicy -ExecutionPolicy Bypass
```
->For more details, see [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy)
+>For more details, see [PowerShell documentation](https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy)
## Get token
diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
index 5dbaa71b01..f7c9eff384 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
@@ -116,13 +116,6 @@ The tile shows you a list of user accounts with the most active alerts and the n
Click the user account to see details about the user account. For more information see [Investigate a user account](investigate-user.md).
-## Suspicious activities
-This tile shows audit events based on detections from various security components.
-
-
-
-
-
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-belowfoldlink)
## Related topics
@@ -130,4 +123,3 @@ This tile shows audit events based on detections from various security component
- [Portal overview](portal-overview.md)
- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard.md)
- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
index 0bafd26ecf..a1c5557fed 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
@@ -1,7 +1,7 @@
---
-title: Microsoft Defender Advanced Threat Protection Threat analytics
+title: Track and respond to emerging threats with Microsoft Defender ATP threat analytics
ms.reviewer:
-description: Get a tailored organizational risk evaluation and actionable steps you can take to minimize risks in your organization.
+description: Learn about emerging threats and attack techniques and how to stop them. Assess their impact to your organization and evaluate your organizational resilience.
keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -9,8 +9,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
-author: mjcaparas
+ms.author: lomayor
+author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -18,49 +18,46 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# Threat analytics
+# Track and respond to emerging threats with threat analytics
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+Cyberthreats are emerging more frequently and prevalently. It is critical for organizations to quickly assess their security posture, covering the impact of emerging threats and their organizational resilience.
-Cyberthreats are emerging more frequently and prevalently. It is critical for organizations to be able to quickly assess their security posture, including impact, and organizational resilience in the context of specific emerging threats.
+Threat analytics is a set of reports published by Microsoft security researchers as soon as emerging threats and outbreaks are identified. The reports help you assess the impact of threats to your environment and identify actions that can contain them.
-Threat Analytics is a set of interactive reports published by the Microsoft Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help you the assess impact of threats in your environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
-
+## View the threat analytics dashboard
->[!NOTE]
->The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts being resolved within a few days.
+The threat analytics dashboard is a great jump off point for getting to the reports that are most relevant to your organization. It provides several overviews about the threats covered in the reports:
-Each threat report provides a summary to describe details such as where the threat is coming from, where it's been seen, or techniques and tools that were used by the threat.
+- **Latest threats** — lists the most recently published threat reports, along with the number of machines with resolved and unresolved alerts.
+- **High-impact threats** — lists the threats that have had the highest impact on the organization in terms of the number of machines that have had related alerts, along with the number of machines with resolved and unresolved alerts.
+- **Threat summary** — shows the number of threats among the threats reported in threat analytics with actual alerts.
-The dashboard shows the impact in your organization through the following tiles:
-- Machines with alerts - shows the current distinct number of impacted machines in your organization
-- Machines with alerts over time - shows the distinct number of impacted over time
-- Mitigation recommendations - lists the measurable mitigations and the number of machines that do not have each of the mitigations in place
-- Mitigation status - shows the number of mitigated and unmitigated machines. Machines are considered mitigated if they have all the measurable mitigations in place.
-- Mitigation status over time - shows the distinct number of machines that have been mitigated, unmitigated, and unavailable over time
+
+
+Select a threat on any of the overviews or on the table to view the report for that threat.
+
+## View a threat analytics report
+
+Each threat report generally provides an overview of the threat and an analysis of the techniques and tools used by the threat. It also provides worldwide impact information, mitigation recommendations, and detection information. It includes several cards that show dynamic data about how your organization is impacted by the threat and how prepared it is to stop the threat.
-## Organizational impact
-You can assess the organizational impact of a threat using the **Machines with alerts** and **Machines with alerts over time** tiles.
+### Organizational impact
+Each report includes cards designed to provide information about the organizational impact of a threat:
+- **Machines with alerts** — shows the current number of distinct machines in your organization that have been impacted by the threat. A machine is categorized as **Active** if there is at least 1 alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the machine have been resolved.
+- **Machines with alerts over time** — shows the number of distinct machines with **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days.
-A machine is categorized as **Active** if there is at least 1 alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the machine are resolved.
-
-
-The **Machine with alerts over time**, shows the number of distinct machines with **Active** and **Resolved alerts over time**. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts being resolved within a few days.
-## Organizational resilience
-The **Mitigation recommendations** section provides specific actionable recommendations to improve your visibility into this threat and increase your organizational resilience.
-
-The **Mitigation status** and **Mitigation status over time** shows the endpoint configuration status assessed based on the recommended mitigations.
+### Organizational resilience
+Each report also includes cards that provide an overview of how resilient your organization can be against a given threat:
+- **Mitigation status** — shows the number of machines that have and have not applied mitigations for the threat. Machines are considered mitigated if they have all the measurable mitigations in place.
+- **Vulnerability patching status** — shows the number of machines that have applied security updates or patches that address vulnerabilities exploited by the threat.
+- **Mitigation recommendations** — lists specific actionable recommendations to improve your visibility into the threat and increase your organizational resilience. This card lists only measurable mitigations along with the number of machines that don't have these mitigations in place.
>[!IMPORTANT]
->- The chart only reflects mitigations that are measurable and where an evaluation can be made on the machine state as being compliant or non-compliant. There can be additional mitigations or compliance actions that currently cannot be computed or measured that are not reflected in the charts and are covered in the threat description under **Mitigation recommendations** section.
->- Even if all mitigations were measurable, there is no absolute guarantee of complete resilience but reflects the best possible actions that need to be taken to improve resiliency.
-
-
+>- Charts only reflect mitigations that are measurable, meaning an evaluation can be made on whether a machine has applied the mitigations or not. Check the report overview for additional mitigations that are not reflected in the charts.
+>- Even if all mitigations were measurable, they don't guarantee complete resilience. They reflect the best possible actions needed to improve resiliency.
>[!NOTE]
->The Unavailable category indicates that there is no data available from the specific machine yet.
-
-
+>Machines are counted as "unavailable" if they have been unable to transmit data to the service.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
index 20faa27ae0..e3f2bdf6ef 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@@ -1,7 +1,6 @@
---
title: Threat & Vulnerability Management scenarios
-ms.reviewer:
-description: Learn how to use Threat & Vulnerability Management in the context of scenarios that Security Administrators encounter when collaborating with IT Administrators and SecOps while protecting their organization from cybersecurity threats.
+description: Learn how to use Threat & Vulnerability Management in the context of scenarios that Security Administrators encounter when you collaborate with IT Administrators and SecOps as you protect your organization from cybersecurity threats.
keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase configuration score, increase threat & vulnerability configuration score, configuration score, exposure score, security controls
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -9,8 +8,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
-author: mjcaparas
+ms.author: dolmont
+author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -22,87 +21,136 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[!include[Prerelease information](prerelease.md)]
-
## Before you begin
Ensure that your machines:
- Are onboarded to Microsoft Defender Advanced Threat Protection
-- Running with Windows 10 1709 (Fall Creators Update) or later
+- Run with Windows 10 1709 (Fall Creators Update) or later
+
+>[!NOTE]
+>Threat & Vulnerability Management can also scan machines that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday.
+
- Have the following mandatory updates installed:
- (1) RS3 customers | [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441)
- (2) RS4 customers | [KB4493464](https://support.microsoft.com/en-us/help/4493464)
+- Are onboarded to Microsoft Intune and System Center Configuration Manager (SCCM). If you are use SCCM, update your console to the latest May version 1905
- Have at least one security recommendation that can be viewed in the machine page
- Are tagged or marked as co-managed
## Reduce your threat and vulnerability exposure
-Threat & Vulnerability Management introduces a new exposure score metric which visually represents how exposed your machines are to imminent threats.
+Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your machines are to imminent threats.
The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
-- Weaknesses, such as vulnerabilities and misconfigurations discovered on the device
+- Weaknesses, such as vulnerabilities discovered on the device
- External and internal threats such as public exploit code and security alerts
-- Likelihood of the device getting breached given its current security posture
+- Likelihood of the device to get breached given its current security posture
- Value of the device to the organization given its role and content
The exposure score is broken down into the following levels:
-- 0 to 29: low exposure score
-- 30 to 69: medium exposure score
-- 70 to 100: high exposure score
+- 0–29: low exposure score
+- 30–69: medium exposure score
+- 70–100: high exposure score
-You can reduce the exposure score by remediating issues based on prioritized security recommendations. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization.
+You can remediate the issues based on prioritized security recommendations to reduce the exposure score. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization.
To lower down your threat and vulnerability exposure:
-1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. This opens the **Security recommendation** page.
+1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. The **Security recommendation** page opens.
- >>
+ >>
>[!NOTE]
> There are two types of recommendations:
> - Security update which refers to recommendations that require a package installation
> - Configuration change which refers to recommendations that require a registry or GPO modification
- > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight  icon.
+ > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight  icon and possible active alert  icon.
-2. In the **Security recommendations** page, you will see the description of what needs to be done and why. It shows the vulnerability details, such as the associated exploits affecting what machines and its business impact. Click **Open software page** option from the flyout menu. 
+2. The **Security recommendations** page shows the list of items to remediate. Select the security recommendation that you need to investigate. When you select a recommendation from the list, a fly-out panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Click **Open software page** option from the flyout panel. 
-3. Click **Installed machines** and select the affected machine from the list to open the flyout page with the relevant machine details, exposure and risk levels, alert and incident activities. 
+3. Click **Installed machines** and select the affected machine from the list to open the flyout panel with the relevant machine details, exposure and risk levels, alert and incident activities. 
-4. Click **Open machine page** to connect to the machine and apply the selected recommendation. 
+4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details. 
5. Allow a few hours for the changes to propagate in the system.
-6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate won't be listed there anymore, and the exposure score should decrease.
+6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases.
## Improve your security configuration
>[!NOTE]
-> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md). We’ll keep the secure score page available for a few weeks. View the [secure score](https://securitycenter.windows.com/securescore) page.
+> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md). The secure score page is available for a few weeks. View the [secure score](https://securitycenter.windows.com/securescore) page.
-Remediating issues in the security recommendations list will improve your configuration. As you do so, your configuration score improves, which means building your organization's resilience against cybersecurity threats and vulnerabilities stronger.
+You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities.
-1. From the Configuration score widget, select **Security controls**. This opens the **Security recommendations** page showing the list of issues related to security controls.
+1. From the Configuration score widget, select **Security controls**. The **Security recommendations** page opens and shows the list of issues related to security controls.
- >>
+ >
-2. Select the first item on the list. This opens the flyout menu with the description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**.
- 
+2. Select the first item on the list. The flyout panel will open with a description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**.
+ 
3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up.
- > >.
- >
- > You will see a confirmation message that the remediation task has been created.
- > 
+ >.
+
+ >You will see a confirmation message that the remediation task has been created.
+ >
4. Save your CSV file.
- 
+ 
-5. Send a follow up email to your IT Administrator and allow the time that you have alloted for the remediation to propagate in the system.
+5. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system.
-6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be be listed there anymore, and your configuration score should increase.
+6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase.
+## Request a remediation
+>[!NOTE]
+>To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
+
+The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT Administrators through the remediation request workflow.
+
+Security Administrators like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune.
+
+1. Click a security recommendation you would like to request remediation for, and then click **Remediation options**.
+
+2. Select **Open a ticket in Intune (for AAD joined devices)**, select a due date, and add optional notes for the IT Administrator. Click **Submit request**.
+
+3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment.
+
+4. Go to the **Remediation** page to view the status of your remediation request.
+
+See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/atp-manage-vulnerabilities) for details.
+
+>[!NOTE]
+>If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to Intune.
+
+## File for exception
+With Threat & Vulnerability Management, you can create exceptions for recommendations, as an alternative to a remediation request.
+
+There are many reasons why organizations create exceptions for a recommendation. For example, if there's a business justification that prevents the company from applying the recommendation, the existence of a compensating or alternative control that provides as much protection than the recommendation would, a false positive, among other reasons.
+
+Exceptions can be created for both *Security update* and *Configuration change* recommendations.
+
+When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list.
+
+
+1. Navigate to the **Security recommendations** page under the **Threat & Vulnerability Management** section menu.
+
+2. Click the top-most recommendation. A flyout panel opens with the recommendation details.
+
+3. Click **Exception options**.
+
+4. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.
+
+5. Click **Submit**. A confirmation message at the top of the page indicates that the exception has been created.
+
+6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past).
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
-
+- [Security recommendations](tvm-security-recommendation.md)
+- [Remediation](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md
index 5402aa8cf9..e620a05684 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md
@@ -39,7 +39,7 @@ Each layer in the threat protection stack plays a critical role in protecting cu
Microsoft Defender ATP provides a comprehensive server protection solution, including endpoint detection and response (EDR) capabilities on Windows Servers.
## Azure Information Protection
-Keep sensitive data secure while enabling productivity in the workplace through data data discovery and data protection.
+Keep sensitive data secure while enabling productivity in the workplace through data discovery and data protection.
## Conditional Access
Microsoft Defender ATP's dynamic machine risk score is integrated into the Conditional Access evaluation, ensuring that only secure devices have access to resources.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
index 3275739c27..c745b29ece 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
@@ -35,7 +35,9 @@ Cyberforensic investigations often rely on time stamps to piece together the seq
Microsoft Defender ATP can display either Coordinated Universal Time (UTC) or local time.
-Your current time zone setting is shown in the Microsoft Defender ATP menu. You can change the displayed time zone in the **Time zone** menu .
+Your current time zone setting is shown in the Microsoft Defender ATP menu. You can change the displayed time zone in the **Time zone** menu.
+
+.
### UTC time zone
Microsoft Defender ATP uses UTC time by default.
@@ -56,7 +58,7 @@ To set the time zone:
1. Click the **Time zone** menu .
2. Select the **Timezone UTC** indicator.
-3. Select **Timezone UTC** or your local time zone, for example -7:00.
+3. Select **Timezone UTC** or your local time zone, for example -7:00.
### Regional settings
To apply different date formats for Microsoft Defender ATP, use regional settings for Internet Explorer (IE) and Microsoft Edge (Edge). If you're using another browser such as Google Chrome, follow the required steps to change the time and date settings for that browser.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md
new file mode 100644
index 0000000000..c9f75c07aa
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md
@@ -0,0 +1,56 @@
+---
+title: Troubleshoot Microsoft Defender ATP live response issues
+description: Troubleshoot issues that might arise when using live response in Microsoft Defender ATP
+keywords: troubleshoot live response, live, response, locked, file
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: troubleshooting
+---
+
+# Troubleshoot Microsoft Defender Advanced Threat Protection live response issues
+
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+
+This page provides detailed steps to troubleshoot live response issues.
+
+## File cannot be accessed during live response sessions
+If while trying to take an action during a live response session, you encounter an error message stating that the file can't be accessed, you'll need to use the steps below to address the issue.
+
+1. Copy the following script code snippet and save it as a PS1 file:
+
+ ```
+ $copied_file_path=$args[0]
+ $action=Copy-Item $copied_file_path -Destination $env:TEMP -PassThru -ErrorAction silentlyContinue
+
+ if ($action){
+ Write-Host "You copied the file specified in $copied_file_path to $env:TEMP Succesfully"
+ }
+
+ else{
+ Write-Output "Error occoured while trying to copy a file, details:"
+ Write-Output $error[0].exception.message
+
+ }
+ ```
+
+
+2. Add the script to the live response library.
+3. Run the script with one parameter: the file path of the file to be copied.
+4. Navigate to your TEMP folder.
+5. Run the action you wanted to take on the copied file.
+
+
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md
index 3df5dd590d..3cd0504b1f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md
@@ -19,7 +19,7 @@ ms.topic: troubleshooting
# Troubleshoot service issues
-This section addresses issues that might arise as you use the Windows Defender Advanced Threat service.
+This section addresses issues that might arise as you use the Microsoft Defender Advanced Threat service.
## Server error - Access is denied due to invalid credentials
If you encounter a server error when trying to access the service, you’ll need to change your browser cookie settings.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md
index 800b62bffd..0cf451828c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md
@@ -25,7 +25,7 @@ Troubleshoot issues that might arise as you use Microsoft Defender ATP capabilit
Topic | Description
:---|:---
Troubleshoot sensor state | Find solutions for issues related to the Microsoft Defender ATP sensor
-Troubleshoot service issues | Fix issues related to the Windows Defender Advanced Threat service
+Troubleshoot service issues | Fix issues related to the Microsoft Defender Advanced Threat service
Troubleshoot attack surface reduction | Fix issues related to network protection and attack surface reduction rules
Troubleshoot next generation protection | If you encounter a problem with antivirus, you can search the tables in this topic to find a matching issue and potential solution
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index 93c50f478c..b25ce8e1e3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -1,77 +1,79 @@
----
-title: What's in the dashboard and what it means for my organization's security posture
-ms.reviewer:
-description: What's in the Threat & Vulnerability Management dashboard and how it can help SecOps and Security Administrators arrive at informed decisions in addressing cybersecurity threat vulnerabilities and building their organization's security resilience.
-keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: eADQiWindows 10XVcnh
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-# Threat & Vulnerability Management dashboard overview
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](prerelease.md)]
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-
-Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
-- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
-- Invaluable machine vulnerability context during incident investigations
-- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager (SCCM)
-
- >[!NOTE]
- > Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks.
-
-You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
-- View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines
-- Correlate EDR insights with endpoint vulnerabilities and process them
-- Select remediation options, triage and track the remediation tasks
-
-## Threat & Vulnerability Management in Microsoft Defender Security Center
-When you open the portal, you’ll see the main areas of the capability:
-
- 
-
- 
-
-- (1) Menu in the navigation pane
-- (2) Threat & Vulnerability Management icon
-- (3) Threat & Vulnerability Management dashboard
-
-You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
-
-Area | Description
-:---|:---
-(1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities.
-(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, and **Software inventory**.
-**Dashboards** | Get a high-level view of the organization exposure score, MDATP configuration score, top remediation activities, top security recommendations, top vulnerable software, and top exposed machines data.
-**Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list and it will open a flyout pane where you will see vulnerability details, and have the option to open the software page, and see the remediation options.
-**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV.
-**Software inventory** | See the list of applications, versions, weaknesses, whether there’s an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the vulnerabilities and misconfigurations associated and its machine and version distribution details.
-(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, **Top exposed machines**, and **Threat campaigns**.
-**Organization Exposure score** | See the current state of your organization’s device exposure to threats and vulnerabilities. Several factors affect your organization’s exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down your organization’s exposure score to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations.
-**MDATP Configuration score** | See the security posture of your organization’s operating system, applications, network, accounts and security controls. The goal is to increase your configuration score by remediating the related security configuration issues. You can click the bars and it will take you to the **Security recommendation** page for details.
-**Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it will take you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, OS platform, its health state, when it was last seen, and its tags.
-**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts , associated public exploits , and recommendation insights . You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list.
-**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your network’s devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable application list in the **Software inventory** page.
-**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities.
-**Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list.
-
-See [Microsoft Defender ATP icons](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal.
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Configuration score](configuration-score.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+---
+title: What's in the dashboard and what it means for my organization's security posture
+description: What's in the Threat & Vulnerability Management dashboard and how it can help SecOps and Security Administrators arrive at informed decisions to address cybersecurity threat vulnerabilities and build their organization's security resilience.
+keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: eADQiWindows 10XVcnh
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+# Threat & Vulnerability Management dashboard overview
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+
+Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
+- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
+- Invaluable machine vulnerability context during incident investigations
+- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager (SCCM)
+
+You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
+- View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines
+- Correlate EDR insights with endpoint vulnerabilities and process them
+- Select remediation options, triage and track the remediation tasks
+- Select exception options and track active exceptions
+
+## Threat & Vulnerability Management in Microsoft Defender Security Center
+When you open the portal, you’ll see the main areas of the capability:
+
+ 
+
+ 
+
+- (1) Menu in the navigation pane
+- (2) Threat & Vulnerability Management icon
+- (3) Threat & Vulnerability Management dashboard
+
+You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
+
+Area | Description
+:---|:---
+(1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities.
+(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, **Software inventory**, and **Weaknesses**.
+**Dashboards** | Get a high-level view of the organization exposure score, organization configuration score, machine exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed machines data.
+**Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list, a flyout panel opens with vulnerability details, open the software page, see the remediation, and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. See [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) for more information.
+**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. See [Remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation) for more information.
+**Software inventory** | See the list of applications, versions, weaknesses, whether there’s an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. See [Software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) for more information.
+**Weaknesses** | See the list of common vulnerabilities and exposures, the severity, its common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines are there. You can select each item in the list and it opens a flyout panel with the vulnerability description and other details. See [Weaknesses](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) for more information.
+(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, and **Top exposed machines**.
+**Selected machine groups (#/#)** | Filter the Threat & Vulnerability Management data that you want to see in the dashboard and widgets by machine groups. What you select in the filter applies throughout the Threat & Vulnerability management pages only.
+**Organization Exposure score** | See the current state of your organization’s device exposure to threats and vulnerabilities. Several factors affect your organization’s exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. See [Exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score) for more information.
+**Organization Configuration score** | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. You can click the bars and it takes you to the **Security recommendation** page for details. See [Configuration score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score) for more information.
+**Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it takes you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, operating system platform, its health state, when it was last seen, and its tags.
+**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts , associated public exploits , and recommendation insights . You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list.
+**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your network’s devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable application list in the **Software inventory** page.
+**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities, and active exceptions.
+**Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list.
+
+See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal.
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Configuration score](configuration-score.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Remediation](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
new file mode 100644
index 0000000000..f6488ecbd0
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
@@ -0,0 +1,48 @@
+---
+title: Exposure score
+description: Your exposure level reflects how vulnerable your organization is to cybersecurity threats. Apply the Threat & Vulnerability Management security recommendations to keep your exposure level low.
+keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 06/30/2019
+---
+# Exposure score
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Your exposure score reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your machines are less vulnerable from exploitation.
+
+The widget also gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further.
+
+
+
+## How it works
+
+Several factors affect your organization exposure score:
+- Weakness discovered on the device
+- Likelihood of a device getting breached
+- Value of the device to the organization
+- Relevant alert discovered on the device
+
+Reduce the exposure score by addressing what needs to be remediated based on the prioritized security recommendations. See [Security recommendations](tvm-security-recommendation.md) for details.
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Configuration score](configuration-score.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Remediation](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
new file mode 100644
index 0000000000..6e208209cb
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
@@ -0,0 +1,66 @@
+---
+title: Remediation
+description: You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations. Threat & Vulnerability Management bridges the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM).
+keywords: microsoft defender atp tvm remediation, mdatp tvm, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 04/11/2019
+---
+# Remediation
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>[!NOTE]
+>To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
+
+After your organization's cybersecurity weaknesses are identified and mapped to actionable security recommendations, you can start creating security tasks through the integration with Microsoft Intune where remediation tickets are created.
+
+You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.
+
+## Navigate through your remediation options
+You'll see your remediation options when you select one of the security recommendation blocks from your **Top security recommendations** widget in the dashboard.
+1. From the flyout panel, you'll see the security recommendation details including your next steps. Click **Remediation options**.
+2. In the **Remediation options** page, select **Open a ticket in Intune (for AAD joined devices)**.
+
+>[!NOTE]
+>If your request involves remediating more than 10,000 machines, we will only send 10,000 machines for remediation to Intune.
+
+3. Select a remediation due date.
+4. Add notes to give your IT administrator a context of your remediation request. For example, you can indicate urgency of the remediation request to avoid potential exposure to a recent exploit activity, or if the request is a part of compliance.
+
+If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
+
+## How it works
+
+When you submit a remediation request from Threat & Vulnerability Management, it kicks-off a remediation activity.
+
+It creates a security task which will be tracked in Threat & Vulnerability Management **Remediation** page, and it also creates a remediation ticket in Microsoft Intune.
+
+You also have the option to export all remediation activity data to CSV for records, reporting purposes, or if you want to notify your IT administration counterpart that a remediation ticket has been submitted.
+
+The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task.
+
+However, if the security recommendation stemmed from a false positive report, or if there are existing business justification that blocks the remediation, such as compensating control, productivity needs, compliance, or if there's already a planned remediation grace period, you can file an exception and indicate the reason. The exceptions you've filed will also show up in the **Remediation** page, in the **Exceptions** tab.
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Configuration score](configuration-score.md)
+- [Security recommendation](tvm-security-recommendation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
new file mode 100644
index 0000000000..a866f2ef4f
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@@ -0,0 +1,66 @@
+---
+title: Security recommendation
+description: The weaknesses identified in the environment are mapped to actionable security recommendations and prioritized by their impact on the organizational exposure score.
+keywords: threat and vulnerability management, mdatp tvm security recommendation, cybersecurity recommendation, actionable security recommendation
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 04/11/2019
+---
+# Security recommendation
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+The cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact on the security recommendation list. Prioritized recommendation helps shorten the mean time to mitigate or remediate vulnerabilities and drive compliance.
+
+Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and SCCM. It is also dynamic in the sense that when the threat landscape changes, the recommendation also changes as it continuously collect information from your environment.
+
+## The basis of the security recommendation
+Each machine in the organization is scored based on three important factors: threat, likelihood to be breached, and value, to help customers to focus on the right things at the right time.
+
+- Threat - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations shows the correponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports.
+
+- Breach likelihood - Your organization's security posture and resilience against threats
+
+- Business value - Your organization's assets, critical processes, and intellectual properties
+
+
+## Navigate through your security recommendations
+You can access the security recommendation from the Microsoft Defender ATP Threat & Vulnerability Management menu, dashboard, software page, and machine page, to give you the context that you need as you require it.
+
+There are security recommendations for application, operating system, network, accounts, and security controls.
+
+In a given day as a Security Administrator, you can take a look at the dashboard to see your exposure score side-by-side with your configuration score. The goal is to lower down your organization's exposure from vulnerabilities, and increase your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
+
+The top security recommendations lists down the improvement opportunities prioritized based on the three important factors mentioned in the previous section - threat, likelihood to be breached, and value.
+
+You can click on each one of them and see the details, the description, the potential risk if you don't act on or remediate it, insights, how many exposed devices are associated with the security recommendation, vulnerabilities, and other threats.
+
+From that page, you can do any of the following depending on what you need to do:
+
+- Open software page - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, and charts so you can see the exposure trend over time.
+
+- Choose from remediation options - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
+
+- Choose from exception options - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet due to specific business reasons, compensation controls, or if it is a false positive.
+
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Configuration score](configuration-score.md)
+- [Remediation](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
new file mode 100644
index 0000000000..6954b3f5d6
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
@@ -0,0 +1,44 @@
+---
+title: Software inventory
+description: Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the software inventory page. You can see the name of the product, vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected.
+keywords: microsoft defender atp, microsoft defender atp software inventory, mdatp threat & vulnerability management, mdatp threat & vulnerability management software inventory, mdatp tvm software inventory, tvm software inventory
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 04/11/2019
+---
+# Software inventory
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it.
+
+## Navigate through your software inventory
+1. Select **Software inventory** from the Threat & Vulnerability management navigation menu.
+2. In the **Software inventory** page, select the application that you want to investigate and a flyout panel opens up with the software details, vendor information, prevalence in the organization, exposed machines, threat context, and its impact to your organization's exposure score.
+3. In the flyout panel, select **Open software page** to dive deeper into your software inventory. You will see how many weaknesses are discovered with the application, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified.
+
+## How it works
+In the field of discovery, we are leveraging the same set of signals in Microsoft Defender ATP's endpoint detection and response that's responsible for detection, for vulnerability assessment.
+
+Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular application is connected to a live campaign. It also provides a link to a Threat Analytics report soon as it's available.
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Configuration score](configuration-score.md)
+- [Security recommendation](tvm-security-recommendation.md)
+- [Remediation](tvm-remediation.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
new file mode 100644
index 0000000000..108aef13b2
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
@@ -0,0 +1,78 @@
+---
+title: Weaknesses
+description: The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, breach, and threat insights.
+keywords: mdatp threat & vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 04/11/2019
+---
+# Weaknesses
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Threat & Vulnerability Management leverages the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities.
+
+The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, corresponding breach, and threat insights.
+
+## Navigate through your organization's weaknesses page
+You can see the list of vulnerabilities in three ways:
+
+*Vulnerabilities in global search*
+1. Click the global search drop-down menu.
+2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for, then click the search icon. The **Weaknesses** page opens with the CVE information that you are looking for.
+
+3. Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits available, severity level, CVSS v3 rating, publishing and update dates.
+
+>[!NOTE]
+>To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then click search.
+
+*Weaknesses page in the menu*
+1. Go to the Threat & Vulnerability Management navigation menu and select **Weaknesses** to open up the list of vulnerabilities found in your organization.
+2. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
+
+*Top vulnerable software widget in the dashboard*
+1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time.
+
+2. Click the software that you want to investigate and it takes you to the software page. You will the weaknesses found in your machine per severity level, in which machines are they installed, version distribution, and the corresponding security recommendation.
+3. Select the **Discovered vulnerabilities** tab.
+4. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
+
+## How it works
+When new vulnerabilities are released, you would want know how many of your assets are exposed. You can see the list of vulnerabilities and the details in the **Weaknesses** page.
+
+If the **Exposed Machines** column shows 0, that means you are not infected.
+
+If there's a number in the **Exposed Machines**, that means you need to remediate the vulnerabilities in those machines because they put the rest of your assets and your organization at risk.
+
+You can also see the related alert and threat insights in the **Threat** column.
+
+The breach insights icons are highlighted if there are active alerts associated with the vulnerability found in your organization.
+
+
+The threat insights icons are highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is connected to specific campaign for which, Threat Analytics report links are provided that you can read.
+
+
+ >[!NOTE]
+ > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight  icon and possible active alert  icon.
+
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Configuration score](configuration-score.md)
+- [Security recommendation](tvm-security-recommendation.md)
+- [Remediation](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
index 9723b0afa6..a923e76e1e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
@@ -45,7 +45,7 @@ The following steps guide you on how to create roles in Microsoft Defender Secur
>[!NOTE]
>This setting is only available in the Microsoft Defender ATP administrator (default) role.
- - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
+ - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
- **Live response capabilities** - Users can take basic or advanced live response commands.
- Basic commands allow users to:
@@ -90,4 +90,4 @@ After creating roles, you'll need to create a machine group and provide access t
## Related topic
- [User basic permissions to access the portal](basic-permissions.md)
-- [Create and manage machine groups](machine-groups.md)
\ No newline at end of file
+- [Create and manage machine groups](machine-groups.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
index f6465788fd..c3753c466c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
@@ -42,6 +42,8 @@ On the top navigation you can:
## Sort and filter the incidents queue
You can apply the following filters to limit the list of incidents and get a more focused view.
+### Severity
+
Incident severity | Description
:---|:---
High (Red) | Threats often associated with advanced persistent threats (APT). These incidents indicate a high risk due to the severity of damage they can inflict on machines.
@@ -49,27 +51,17 @@ Medium (Orange) | Threats rarely observed in the organization, such as anom
Low (Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
Informational (Grey) | Informational incidents are those that might not be considered harmful to the network but might be good to keep track of.
+## Assigned to
+You can choose to filter the list by selecting assigned to anyone or ones that are assigned to you.
+
### Category
Incidents are categorized based on the description of the stage by which the cybersecurity kill chain is in. This view helps the threat analyst to determine priority, urgency, and corresponding response strategy to deploy based on context.
-### Alerts
-Indicates the number of alerts associated with or part of the incidents.
-
-
-### Machines
-You can limit to show only the machines at risk which are associated with incidents.
-
-### Users
-You can limit to show only the users of the machines at risk which are associated with incidents.
-
-### Assigned to
-You can choose to show between unassigned incidents or those which are assigned to you.
-
### Status
-You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved
+You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved.
-### Classification
-Use this filter to choose between focusing on incidents flagged as true or false incidents.
+### Data sensitivity
+Use this filter to show incidents that contain sensitivity labels.
## Related topics
- [Incidents queue](incidents-queue.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
index b25652932d..994b79b7b6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
@@ -28,6 +28,12 @@ The following features are generally available (GA) in the latest release of Mic
For more information preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection).
+## June 2019
+
+- [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
+
+- [Machine health and compliance report](machine-reports.md) The machine health and compliance report provides high-level information about the devices in your organization.
+
## May 2019
- [Threat protection reports](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection)
The threat protection report provides high-level information about alerts generated in your organization.
@@ -35,7 +41,7 @@ For more information preview features, see [Preview features](https://docs.micro
- [Microsoft Threat Experts](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts)
Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender ATP that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365.
-- [Indicators](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/ti-indicator)
APIs for indicators are now generally available.
+- [Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ti-indicator)
APIs for indicators are now generally available.
- [Interoperability](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/partner-applications)
Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform.
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index d0df6caa9a..3168a333af 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -106,7 +106,7 @@ Windows Defender Antivirus in Windows 10 uses a multi-pronged approach to improv
For more information, see [Windows Defender in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) and [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server).
-For information about Microsoft Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Microsoft Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) (resources) and [Microsoft Defender Advanced Threat Protection (ATP)](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) (documentation).
+For information about Microsoft Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Microsoft Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) (resources) and [Microsoft Defender Advanced Threat Protection (ATP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) (documentation).
### Data Execution Prevention
@@ -192,7 +192,7 @@ Control Flow Guard (CFG) is a mitigation that does not need configuration within
| **Heap protections**
help prevent
exploitation of the heap | Windows 10 includes protections for the heap, such as the use of internal data structures which help protect against corruption of memory used by the heap.
**More information**: [Windows heap protections](#windows-heap-protections), later in this topic. |
| **Kernel pool protections**
help prevent
exploitation of pool memory
used by the kernel | Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations that can be used to create an attack.
**More information**: [Kernel pool protections](#kernel-pool-protections), later in this topic. |
| **Control Flow Guard**
helps mitigate exploits
that are based on
flow between code locations
in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it’s compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.
For such an application, CFG can detect an attacker’s attempt to change the intended flow of code. If this occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.
**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. |
-| **Protections built into Microsoft Edge** (the browser)
helps mitigate multiple
threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.
**More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer-11), later in this topic. |
+| **Protections built into Microsoft Edge** (the browser)
helps mitigate multiple
threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.
**More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer11), later in this topic. |
### SMB hardening improvements for SYSVOL and NETLOGON shares
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
index bc76ebc546..af37ad2e44 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 06/27/2019
---
# Domain member: Disable machine account password changes
@@ -38,8 +38,20 @@ Verify that the **Domain member: Disable machine account password changes** opti
### Best practices
-1. Do not enable this policy setting. Machine account passwords are used to establish secure channel communications between members and domain controllers and between the domain controllers within the domain. After it is established, the secure channel transmits sensitive information that is necessary for making authentication and authorization decisions.
-2. Do not use this policy setting in an attempt to support dual-boot scenarios that use the same machine account. If you want to dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to make it easier for organizations that stockpile pre-built computers that are put into production months later; those devices do not have to be rejoined to the domain.
+1. Do not enable this policy setting. Machine account passwords are used to establish secure channel communications between members and domain controllers and between the domain controllers within the domain. After it is established, the secure channel transmits sensitive information that is necessary for making authentication and authorization decisions.
+2. Do not use this policy setting to try to support dual-boot scenarios that use the same machine account. If you want to configure dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to help organizations that stockpile pre-built computers that are put into production months later. Those devices do not have to be rejoined to the domain.
+3. You may want to consider using this policy setting in specific environments, such as the following:
+
+ - Non-persistent Virtual Desktop Infrastructure implementations. In such implementations, each session starts from a read-only base image.
+ - Embedded devices that do not have write access to the OS volume.
+
+ In either case, a password change that was made during normal operations would be lost as soon as the session ends. We strongly recommend that you plan password changes for maintenance windows. Add the password changes to the updates and modifications that Windows performs during maintenance windows. To trigger a password update on a specific OS volume, run the following command:
+
+ ```
+ Nltest /sc_change_pwd:
+ ```
+
+ In this command, \ represents the domain of the local computer. For more information about maintenance windows and non-persistent VDI implementations, see [Optimizing Windows 10, version 1803, for a Virtual Desktop Infrastructure (VDI) role: VDI optimization principles: Non-Persistent VDI](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-1803#vdi-optimization-principles).
### Location
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
index a9d641a335..b4f0324679 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 05/31/2018
+ms.date: 06/27/2019
---
# Domain member: Maximum machine account password age
@@ -28,20 +28,22 @@ Describes the best practices, location, values, and security considerations for
The **Domain member: Maximum machine account password age** policy setting determines when a domain member submits a password change.
-In Active Directory–based domains, each device has an account and password. By default, the domain members submit a password change every 30 days. Increasing this interval significantly, or setting it to **0** so that a device no longer submits a password change, gives a malicious user more time to undertake a brute-force password-guessing attack against one of the machine accounts.
+In Active Directory–based domains, each device has an account and password. By default, the domain members submit a password change every 30 days. You can extend or reduce this interval. Additionally, you can use the **Domain member: Disable machine account password changes** policy to disable the password change requirement completely. However, before you consider this option, review the implications as described in [Domain member: Disable machine account password changes](domain-member-disable-machine-account-password-changes.md).
-For more information, see [Machine Account Password Process](https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/).
+> [!IMPORTANT]
+> Significantly increasing the password change interval (or disabling password changes) gives an attacker more time to undertake a brute-force password-guessing attack against one of the machine accounts.
+
+For more information, see [Machine Account Password Process](https://techcommunity.microsoft.com/t5/Ask-the-Directory-Services-Team/Machine-Account-Password-Process/ba-p/396026).
### Possible values
-- User-defined number of days between 0 and 999
-- Not defined.
+- User-defined number of days between 1 and 999, inclusive
+- Not defined
### Best practices
-1. It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days.
-Setting the value to fewer days can increase replication and impact domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would impact domain controllers in large organizations with many computers or slow links between sites.
-2. Some organizations pre-build computers and then store them for later use or ship them to remote locations. When a computer starts after being offline more than 30 days, the Netlogon service will notice the password age and initiate a secure channel to a domain controller to change it. If the secure channel cannot be established, the computer will not authenticate with the domain. For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and configure the value for this policy setting to a larger number of days.
+1. We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would affect domain controllers in large organizations that have many computers or slow links between sites.
+2. Some organizations pre-build computers and then store them for later use or ship them to remote locations. When a computer is turned on after being offline more than 30 days, the Netlogon service notices the password age and initiates a secure channel to a domain controller to change it. If the secure channel cannot be established, the computer does not authenticate with the domain. For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and then configure the value for this policy setting to a greater number of days.
### Location
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
index 66aa8cbcb8..8a376e6b4f 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
@@ -32,16 +32,17 @@ For more information, see [article 977321](https://support.microsoft.com/kb/9773
The following table lists and explains the allowed encryption types.
-
-| Encryption type | Description and version support |
-|-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES |
-| DES_CBC_MD5 | Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default. |
-| RC4_HMAC_MD5 | Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |
-| AES128_HMAC_SHA1 | Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |
-| AES256_HMAC_SHA1 | Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |
-| Future encryption types | Reserved by Microsoft for additional encryption types that might be implemented. |
-
+
+| Encryption type | Description and version support |
+| - | - |
+| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10 and Windows Server 2008 R2 operating systems do not support DES| by default.
+| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10 and Windows Server 2008 R2 operating systems do not support DES by default. |
+| RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2.|
+| AES128_HMAC_SHA1| Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2. |
+| AES256_HMAC_SHA1| Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2. |
+| Future encryption types| Reserved by Microsoft for additional encryption types that might be implemented.|
+
+
### Possible values
@@ -81,16 +82,17 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-Windows Server 2008 R2 and Windows 7 do not support the DES cryptographic suites because stronger ones are available. To enable Kerberos interoperability with non-Windows versions of the Kerberos protocol, these suites can be enabled. However, doing so might open attack vectors on computers running
-Windows Server 2008 R2 and Windows 7. You can also disable DES for your computers running Windows Vista and Windows Server 2008.
+Windows Server 2008 R2, Windows 7 and Windows 10, do not support the DES cryptographic suites because stronger ones are available. To enable Kerberos interoperability with non-Windows versions of the Kerberos protocol, these suites can be enabled. However, doing so might open attack vectors on computers running
+Windows Server 2008 R2, Windows 7 and Windows 10. You can also disable DES for your computers running Windows Vista and Windows Server 2008.
### Countermeasure
-Do not configure this policy. This will force the computers running Windows Server 2008 R2 and Windows 7 to use the AES or RC4 cryptographic suites.
+Do not configure this policy. This will force the computers running Windows Server 2008 R2, Windows 7 and Windows 10 to use the AES or RC4 cryptographic suites.
### Potential impact
-If you do not select any of the encryption types, computers running Windows Server 2008 R2 and Windows 7 might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol.
+If you do not select any of the encryption types, computers running Windows Server 2008 R2, Windows 7 and Windows 10, might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol.
+
If you do select any encryption type, you will lower the effectiveness of encryption for Kerberos authentication but you will improve interoperability with computers running older versions of Windows.
Contemporary non-Windows implementations of the Kerberos protocol support RC4 and AES 128-bit and AES 256-bit encryption. Most implementations, including the MIT Kerberos protocol and the Windows Kerberos protocol, are deprecating DES encryption.
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
index ea05d79cc2..a6ae751c35 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
@@ -305,7 +305,7 @@ At the level of each organizational unit in the Active Directory hierarchy, one,
This order means that the local Group Policy Object is processed first, and Group Policy Objects that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites the earlier Group Policy Objects.
-This is the default processing order and administrators can specify exceptions to this order. A Group Policy Object that is linked to a site, domain, or organizational unit (not a local Group Policy Object) can be set to **Enforced** with respect to that site, domain, or organizational unit, so that none of its policy settings can be overridden. At any site, domain, or organizational unit, you can mark Group Policy inheritance selectively as **Block Inheritance**. Group Policy Object links that are set to **Enforced** are always applied, however, and they cannot be blocked.
+This is the default processing order and administrators can specify exceptions to this order. A Group Policy Object that is linked to a site, domain, or organizational unit (not a local Group Policy Object) can be set to **Enforced** with respect to that site, domain, or organizational unit, so that none of its policy settings can be overridden. At any site, domain, or organizational unit, you can mark Group Policy inheritance selectively as **Block Inheritance**. Group Policy Object links that are set to **Enforced** are always applied, however, and they cannot be blocked. For more information see [Group Policy Basics – Part 2: Understanding Which GPOs to Apply](https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/15/group-policy-basics-part-2-understanding-which-gpos-to-apply/).
### Security settings policy processing
diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
index f03034aac2..ba47760e7f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
@@ -41,7 +41,7 @@ MpCmdRun.exe [command] [-options]
| Command | Description |
|:--------------------------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------|
| \-? **or** -h | Displays all available options for this tool |
-| \-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]] [-Timeout ] [-Cancel] | Scans for malicious software |
+| \-Scan [-ScanType #] [-File \ [-DisableRemediation] [-BootSectorScan]] [-Timeout \] [-Cancel] | Scans for malicious software |
| \-Trace [-Grouping #] [-Level #] | Starts diagnostic tracing |
| \-GetFiles | Collects support information |
| \-GetFilesDiagTrack | Same as Getfiles but outputs to temporary DiagTrack folder |
@@ -49,11 +49,11 @@ MpCmdRun.exe [command] [-options]
| \-RemoveDefinitions [-DynamicSignatures] | Removes only the dynamically downloaded Security intelligence |
| \-RemoveDefinitions [-Engine] | Restores the previous installed engine |
| \-SignatureUpdate [-UNC \| -MMPC] | Checks for new Security intelligence updates |
-| \-Restore [-ListAll \| [[-Name ] [-All] \| [-FilePath ]] [-Path ]] | Restores or lists quarantined item(s) |
+| \-Restore [-ListAll \| [[-Name \] [-All] \| [-FilePath \]] [-Path \]] | Restores or lists quarantined item(s) |
| \-AddDynamicSignature [-Path] | Loads dynamic Security intelligence |
| \-ListAllDynamicSignatures | Lists the loaded dynamic Security intelligence |
| \-RemoveDynamicSignature [-SignatureSetID] | Removes dynamic Security intelligence |
-| \-CheckExclusion -path | Checks whether a path is excluded |
+| \-CheckExclusion -path \ | Checks whether a path is excluded |
## Related topics
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
index 3c8c01c7e8..4c13b517db 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
@@ -65,6 +65,9 @@ Block at first sight requires a number of settings to be configured correctly or
+> [!Warning]
+> Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus).
+
For more information about configuring Windows Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
For a list of Windows Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus).
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
index bbad08d05e..a780487207 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
@@ -23,7 +23,7 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> [!IMPORTANT]
-> [Windows Defender Advanced Threat Protection ](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection) does not adhere to Windows Defender Antivirus exclusion settings. This means that any Windows Defender exclusions, no matter how you created them, are not applied by Windows Defender ATP.
+> [Windows Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection) does not adhere to Windows Defender Antivirus exclusion settings. This means that any Windows Defender exclusions, no matter how you created them, are not applied by Windows Defender ATP.
You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists.
@@ -150,7 +150,7 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use
**Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions:**
-Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
+Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
ExclusionExtension
@@ -185,34 +185,34 @@ The following table describes how the wildcards can be used and provides some ex
| Wildcard |
- Use in file and file extension exclusions |
+ Use in file name and file extension exclusions |
Use in folder exclusions |
Example use |
- Example matches> |
+ Example matches |
- | (asterisk) |
+ * (asterisk) |
Replaces any number of characters.
Only applies to files in the last folder defined in the argument. |
- Replaces a single folder.
Use multiple with folder slashes \ to indicate multiple, nested folders. After matching to the number of wilcarded and named folders, all subfolders will also be included. |
+ Replaces a single folder.
Use multiple * with folder slashes \ to indicate multiple, nested folders. After matching the number of wilcarded and named folders, all subfolders will also be included. |
- - C:\MyData\.txt
- - C:\somepath\\Data
- - C:\Serv\\\Backup
+
- C:\MyData\*.txt
+ - C:\somepath\*\Data
+ - C:\Serv\*\*\Backup
|
- - C:\MyData\notes.txt
+ - C:\MyData\notes.txt
- Any file in:
- - C:\somepath\Archives\Data and its subfolders
- - C:\somepath\Authorized\Data and its subfolders
+ - C:\somepath\Archives\Data and its subfolders
+ - C:\somepath\Authorized\Data and its subfolders
- Any file in:
- - C:\Serv\Primary\Denied\Backup and its subfolders
- - C:\Serv\Secondary\Allowed\Backup and its subfolders
+ - C:\Serv\Primary\Denied\Backup and its subfolders
+ - C:\Serv\Secondary\Allowed\Backup and its subfolders
|
@@ -227,7 +227,7 @@ The following table describes how the wildcards can be used and provides some ex
Replaces a single character in a folder name.
- After matching to the number of wilcarded and named folders, all subfolders will also be included.
+ After matching the number of wilcarded and named folders, all subfolders will also be included.
|
@@ -238,9 +238,9 @@ The following table describes how the wildcards can be used and provides some ex
|
- - C:\MyData\my1.zip
- - Any file in C:\somepath\P\Data and its subfolders
- - Any file in C:\somepath\test01\Data and its subfolders
+ - C:\MyData\my1.zip
+ - Any file in C:\somepath\P\Data and its subfolders
+ - Any file in C:\somepath\test01\Data and its subfolders
|
@@ -255,7 +255,7 @@ The following table describes how the wildcards can be used and provides some ex
- - C:\ProgramData\CustomLogFiles\Folder1\file1.txt
+ - C:\ProgramData\CustomLogFiles\Folder1\file1.txt
|
@@ -286,7 +286,7 @@ If you use PowerShell, you can retrieve the list in two ways:
**Validate the exclusion list by using MpCmdRun:**
-To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
+To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
```DOS
MpCmdRun.exe -CheckExclusion -path
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
index 72ecea3686..c06a9f2d2f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
@@ -54,7 +54,7 @@ As a cloud service, it is required that computers have access to the internet an
| *Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)*|Used by Windows Defender Antivirus to provide cloud-delivered protection|*.wdcp.microsoft.com *.wdcpalt.microsoft.com *.wd.microsoft.com|
| *Microsoft Update Service (MU)*| Security intelligence and product updates |*.update.microsoft.com|
| *Security intelligence updates Alternate Download Location (ADL)*| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| *.download.microsoft.com|
-| *Malware submission storage *|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission |*.blob.core.windows.net|
+| *Malware submission storage *|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net ussas1eastprod.blob.core.windows.net ussas1southeastprod.blob.core.windows.net ussau1eastprod.blob.core.windows.net ussau1southeastprod.blob.core.windows.net |
| *Certificate Revocation List (CRL)* |Used by Windows when creating the SSL connection to MAPS for updating the CRL | http://www.microsoft.com/pkiops/crl/ http://www.microsoft.com/pkiops/certs http://crl.microsoft.com/pki/crl/products http://www.microsoft.com/pki/certs |
| *Symbol Store *|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols |
| *Universal Telemetry Client* | Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: * vortex-win.data.microsoft.com * settings-win.data.microsoft.com|
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
index ef3d91de6b..d2191e0488 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
@@ -111,7 +111,7 @@ See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-de
**Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans:**
-Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
+Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
ExclusionProcess
@@ -158,7 +158,7 @@ If you use PowerShell, you can retrieve the list in two ways:
**Validate the exclusion list by using MpCmdRun:**
-To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
+To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
```DOS
MpCmdRun.exe -CheckExclusion -path
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
index 1a297b77d7..caae6efc4e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
@@ -166,7 +166,7 @@ This section lists the default exclusions for all Windows Server 2016 roles.
- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
> [!NOTE]
- > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus#opt-out-of-automatic-exclusions).
+ > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus#opt-out-of-automatic-exclusions).
- *%systemdrive%*\System Volume Information\DFSR\\$db_normal$
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
index b1dc15b985..6506a13f61 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
@@ -83,7 +83,7 @@ Open the Intune management portal either by searching for Intune on https://port
1. Description: *Optional*
1. OMA-URI: **./Vendor/MSFT/Defender/SharedSignatureRoot**
1. Data type: **String**
- 1. Value: **\\\wdav-update\** (see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be)
+ 1. Value: **\\\wdav-update\** (see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be)
1. Click **Ok** to close the details blade, then **OK** again to close the **Custom OMA-URI Settings** blade. Click **Create** to save the new profile. The profile details page now appears.
1. Click **Assignments**. The **Include** tab is automatically selected. In the drop-down menu, select **Selected Groups**, then click **Select groups to include**. Click the **VDI test VMs** group and then **Select**.
1. Click **Evaluate** to see how many users/devices will be impacted. If the number makes sense, click **Save**. If the number doesn’t make sense, go back to the groups blade and confirm the group contains the right users or devices.
@@ -94,7 +94,7 @@ Open the Intune management portal either by searching for Intune on https://port
1. In the **Group Policy Management Editor** go to **Computer configuration**.
1. Click **Administrative templates**.
1. Expand the tree to **Windows components > Windows Defender Antivirus > Security Intelligence Updates**
-1. Double-click Define security intelligence location for VDI clients and set the option to Enabled. A field automatically appears, enter *\\\wdav-update *(see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be). Click **OK**.
+1. Double-click Define security intelligence location for VDI clients and set the option to Enabled. A field automatically appears, enter *\\\wdav-update *(see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be). Click **OK**.
1. Deploy the GPO to the VMs you want to test.
#### Use PowerShell to enable the shared security intelligence feature:
@@ -197,7 +197,7 @@ This setting will prevent a scan from occurring after receiving an update. You c
### Exclusions
On Windows Server 2016, Windows Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, you can refer to the exclusions that are applied on this page:
-- [Configure Windows Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus)
+- [Configure Windows Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus)
## Additional resources
diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
index 4bbfd25108..83abf9cc69 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
@@ -92,7 +92,7 @@ Use the following cmdlets to enable cloud-delivered protection:
```PowerShell
Set-MpPreference -MAPSReporting Advanced
-Set-MpPreference -SubmitSamplesConsent Always
+Set-MpPreference -SubmitSamplesConsent AlwaysPrompt
```
>[!NOTE]
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_32_Main_App_Fix.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_32_Main_App_Fix.png
new file mode 100644
index 0000000000..9c347679fe
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_32_Main_App_Fix.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_33_SecurityPrivacySettings_NoPrompt.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_33_SecurityPrivacySettings_NoPrompt.png
new file mode 100644
index 0000000000..03fa2f0b9c
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_33_SecurityPrivacySettings_NoPrompt.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_34_MAU.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_34_MAU.png
new file mode 100644
index 0000000000..99e4d16920
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_34_MAU.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_8_IntuneAppInfo.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_8_IntuneAppInfo.png
index 2cb9a5a416..1fba4fa7f5 100644
Binary files a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_8_IntuneAppInfo.png and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_8_IntuneAppInfo.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
index ca65e8d570..a76cb6ae4a 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
@@ -60,7 +60,7 @@ Microsoft Update allows for rapid releases, which means it will download small d
The WSUS, Configuration Manager, and MMPC sources will deliver less frequent updates. The size of the updates may be slightly larger than the frequent release from Microsoft Update (as the delta, or differences between the latest version and what is on the endpoint will be larger). This ensures consistent protection without increasing ad hoc network usage (although the amount of data may be the same or increased as the updates will be fewer, but may be slightly larger).
> [!IMPORTANT]
-> If you have set MMPC as a fallback source after WSUS or Microsoft Update, updates will only be downloaded from MMPC when the current update is considered to be out-of-date (by default, this is 2 consecutive days of not being able to apply updates from the WSUS or Microsoft Update services).
+> If you have set MMPC as a fallback source after WSUS or Microsoft Update, updates will only be downloaded from MMPC when the current update is considered to be out-of-date (by default, this is 14 consecutive days of not being able to apply updates from the WSUS or Microsoft Update services).
> You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).
Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table:
@@ -119,11 +119,11 @@ Use the following PowerShell cmdlets to set the update order.
```PowerShell
Set-MpPreference -SignatureFallbackOrder {LOCATION|LOCATION|LOCATION|LOCATION}
-Set-MpPreference -SignatureDefinitionUpdateFileSharesSouce {\\UNC SHARE PATH|\\UNC SHARE PATH}
+Set-MpPreference -SignatureDefinitionUpdateFileSharesSource {\\UNC SHARE PATH|\\UNC SHARE PATH}
```
See the following for more information:
- [Set-MpPreference -SignatureFallbackOrder](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference#-signaturefallbackorder)
-- [Set-MpPreference -SignatureDefinitionUpdateFileSharesSouce](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources)
+- [Set-MpPreference -SignatureDefinitionUpdateFileSharesSource](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources)
- [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)
- [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
@@ -133,7 +133,7 @@ Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com
```WMI
SignatureFallbackOrder
-SignatureDefinitionUpdateFileSharesSouce
+SignatureDefinitionUpdateFileSharesSource
```
See the following for more information:
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md
index c261037801..73f3bdc5e1 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md
@@ -22,21 +22,23 @@ ms.topic: conceptual
**Applies to:**
-[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
->[!IMPORTANT]
->This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+This topic describes how to deploy Microsoft Defender ATP for Mac manually. A successful deployment requires the completion of all of the following steps:
+- [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
+- [Application installation](#application-installation)
+- [Client configuration](#client-configuration)
## Prerequisites and system requirements
-Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
+Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
## Download installation and onboarding packages
Download the installation and onboarding packages from Windows Defender Security Center:
1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
-2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**.
+2. In Section 1 of the page, set operating system to **Linux, macOS, iOS, and Android** and Deployment method to **Local script**.
3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
@@ -46,7 +48,7 @@ Download the installation and onboarding packages from Windows Defender Security
Extract the contents of the .zip files:
```bash
- mavel-macmini:Downloads test$ ls -l
+ ls -l
total 721152
-rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
@@ -76,32 +78,87 @@ To complete this process, you must have admin privileges on the machine.
-The installation will proceed.
+The installation proceeds.
> [!NOTE]
-> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time.
+> If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but real-time protection will be disabled.
+
+### Fixing disabled Real-Time Protection
+
+If you did not enable Microsoft's driver during installation, then the application displays a banner prompting you to enable it:
+
+ 
+
+You can also run ```mdatp --health```. It reports if Real-Time Protection is enabled but not available:
+
+```bash
+mdatp --health
+...
+realTimeProtectionAvailable : false
+realTimeProtectionEnabled : true
+...
+```
+
+> [!NOTE]
+> You have a 30 minute window to enable Real-Time Protection from the warning banner, immediately following installation.
+
+The warning banner contains a **Fix** button, which allows you to quickly enable Real-Time Protection, without having to open a command prompt. Select the **Fix** button. It prompts the **Security & Privacy** system window, where you have to **Allow** system software from developers "Microsoft Corporation".
+
+If you don't see a prompt, it means that 30 or more minutes have already passed, and Real-Time Protection has still not been enabled:
+
+
+
+In this case, you need to perform the following steps to enable Real-Time Protection instead.
+
+1. In Terminal, attempt to install the driver. (The operation will fail)
+ ```bash
+ sudo kextutil /Library/Extensions/wdavkext.kext
+ Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
+ Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
+ Diagnostics for /Library/Extensions/wdavkext.kext:
+ ```
+
+2. Open **System Preferences...** > **Security & Privacy** from the menu. (Close it first, if it's opened.)
+
+3. **Allow** system software from developers "Microsoft Corporation"
+
+4. In Terminal, install the driver again. This time the operation will succeed:
+
+```bash
+sudo kextutil /Library/Extensions/wdavkext.kext
+```
+
+The banner should disappear from the Defender application, and ```mdatp --health``` should now report that Real-Time Protection is both enabled and available:
+
+```bash
+mdatp --health
+...
+realTimeProtectionAvailable : true
+realTimeProtectionEnabled : true
+...
+```
## Client configuration
1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac.
- The client machine is not associated with orgId. Note that the orgid is blank.
+ The client machine is not associated with orgId. Note that the *orgId* attribute is blank.
```bash
- mavel-mojave:wdavconfig testuser$ mdatp --health orgId
+ mdatp --health orgId
```
2. Install the configuration file on a client machine:
```bash
- mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py
+ python WindowsDefenderATPOnboarding.py
Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password)
```
-3. Verify that the machine is now associated with orgId:
+3. Verify that the machine is now associated with your organization and reports a valid *orgId*:
```bash
- mavel-mojave:wdavconfig testuser$ mdatp --health orgId
+ mdatp --health orgId
E6875323-A6C0-4C60-87AD-114BBE7439B8
```
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md
index 6f3b99dc46..da2a6a8dcd 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md
@@ -22,24 +22,27 @@ ms.topic: conceptual
**Applies to:**
-[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
->[!IMPORTANT]
->This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+This topic describes how to deploy Microsoft Defender ATP for Mac through Intune. A successful deployment requires the completion of all of the following steps:
+- [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
+- [Client device setup](#client-device-setup)
+- [Create System Configuration profiles](#create-system-configuration-profiles)
+- [Publish application](#publish-application)
## Prerequisites and system requirements
-Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
+Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
## Download installation and onboarding packages
Download the installation and onboarding packages from Microsoft Defender Security Center:
1. In Microsoft Defender Security Center, go to **Settings** > **Device Management** > **Onboarding**.
-2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS or Android** and the deployment method to **Mobile Device Management / Microsoft Intune**.
+2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS, or Android** and the deployment method to **Mobile Device Management / Microsoft Intune**.
3. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
-5. Download **IntuneAppUtil** from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos).
+5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos).
@@ -83,21 +86,21 @@ Download the installation and onboarding packages from Microsoft Defender Securi
## Client device setup
-You need no special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp).
+You need no special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp).
-1. You'll be asked to confirm device management.
+1. You are asked to confirm device management.
-Select **Open System Preferences**, locate **Management Profile** on the list and select **Approve...**. Your Management Profile would be displayed as **Verified**:
+Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**:
2. Select **Continue** and complete the enrollment.
-You may now enroll additional devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
+You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
-3. In Intune, open **Manage** > **Devices** > **All devices**. You'll see your device among those listed:
+3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed:
@@ -105,17 +108,17 @@ You may now enroll additional devices. You can also enroll them later, after you
1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
-3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above.
+3. Open the configuration profile and upload intune/kext.xml. This file was created in one of the preceding sections.
4. Select **OK**.
5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
-6. Repeat steps 1 through 5 for additional profiles.
+6. Repeat steps 1 through 5 for more profiles.
7. Create a new profile one more time, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file.
8. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
-Once the Intune changes are propagated to the enrolled devices, you'll see them listed under **Monitor** > **Device status**:
+Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
@@ -125,7 +128,10 @@ Once the Intune changes are propagated to the enrolled devices, you'll see them
2. Select **App type=Other/Line-of-business app**.
3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload.
4. Select **Configure** and add the required information.
-5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any arbitrary value.
+5. Use **macOS Sierra 10.12** as the minimum OS and set *Ignore app version* to **Yes**. Other settings can be any arbitrary value.
+
+ > [!CAUTION]
+ > Failure to set *Ignore app version* to **Yes** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-updates.md) for additional information about how the product is updated.
@@ -138,11 +144,11 @@ Once the Intune changes are propagated to the enrolled devices, you'll see them
8. Change **Assignment type** to **Required**.
-9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
+9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
-10. After some time the application will be published to all enrolled devices. You'll see it listed on **Monitor** > **Device**, under **Device install status**:
+10. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**:
@@ -153,7 +159,7 @@ Once the Intune changes are propagated to the enrolled devices, you'll see them
-2. Verify that the following configuration profiles are present and installed. The **Management Profile** should be the Intune system profile. _Wdav-config_ and _wdav-kext_ are system configuration profiles that we added in Intune.:
+2. Verify that the following configuration profiles are present and installed. The **Management Profile** should be the Intune system profile. _Wdav-config_ and _wdav-kext_ are system configuration profiles that were added in Intune:
3. You should also see the Microsoft Defender icon in the top-right corner:
@@ -162,7 +168,7 @@ Once the Intune changes are propagated to the enrolled devices, you'll see them
## Logging installation issues
-See [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
+For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) .
## Uninstallation
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md
index b7524656f9..44f2ed7150 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md
@@ -22,10 +22,14 @@ ms.topic: conceptual
**Applies to:**
-[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
->[!IMPORTANT]
->This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+This topic describes how to deploy Microsoft Defender ATP for Mac through JAMF. A successful deployment requires the completion of all of the following steps:
+- [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
+- [Create JAMF policies](#create-jamf-policies)
+- [Client device setup](#client-device-setup)
+- [Deployment](#deployment)
+- [Check onboarding status](#check-onboarding-status)
## Prerequisites and system requirements
@@ -60,7 +64,7 @@ Download the installation and onboarding packages from Windows Defender Security
mavel-macmini:Downloads test$
```
-## Create JAMF Policies
+## Create JAMF policies
You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client devices.
@@ -74,9 +78,9 @@ The configuration profile contains a custom settings payload that includes:
To set the onboarding information, add a property list file with the name, _jamf/WindowsDefenderATPOnboarding.plist_, as a custom setting. You can do this by navigating to **Computers**>**Configuration Profiles**, selecting **New**, then choosing **Custom Settings**>**Configure**. From there, you can upload the property list.
>[!IMPORTANT]
- > You must set the the Preference Domain as "com.microsoft.wdav.atp"
+ > You must set the Preference Domain as "com.microsoft.wdav.atp"
- 
+
### Approved Kernel Extension
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md
index 5bdebb3c04..91a5f56395 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md
@@ -1,6 +1,6 @@
---
title: Installing Microsoft Defender ATP for Mac with different MDM product
-description: Describes how to install Microsoft Defender ATP for Mac, using an unsupported MDM solution.
+description: Describes how to install Microsoft Defender ATP for Mac on other management solutions.
keywords: microsoft, defender, atp, mac, installation, deploy, macos, mojave, high sierra, sierra
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -17,65 +17,63 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
-# Deployment with a different MDM system
+# Deployment with a different Mobile Device Management (MDM) system
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->[!IMPORTANT]
->This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
## Prerequisites and system requirements
-Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
+Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
## Approach
-Your organization may use a Mobile Device Management (MDM) solution we do not officially support.
-This does not mean you will be unable to deploy or run Microsoft Defender ATP for Mac.
-However, we will not be able to provide support for deploying or managing Defender via these solutions.
+> [!CAUTION]
+> Currently, Microsoft oficially supports only Intune and JAMF for the deployment and management of Microsoft Defender ATP for Mac. Microsoft makes no warranties, express or implied, with respect to the information provided below.
+
+If your organization uses a Mobile Device Management (MDM) solution that is not officially supported, this does not mean you are unable to deploy or run Microsoft Defender ATP for Mac.
Microsoft Defender ATP for Mac does not depend on any vendor-specific features. It can be used with any MDM solution that supports the following features:
-- Deploying a macOS .pkg to managed machines.
-- Deploying macOS system configuration profiles to managed machines.
-- Running an arbitrary admin-configured tool/script on managed machines.
+- Deploy a macOS .pkg to managed machines.
+- Deploy macOS system configuration profiles to managed machines.
+- Run an arbitrary admin-configured tool/script on managed machines.
-The majority of modern MDM solutions include these features, however, they may call them differently.
+Most modern MDM solutions include these features, however, they may call them differently.
-You can deploy Defender without the last requirement from the list above, however:
+You can deploy Defender without the last requirement from the preceding list, however:
-- You won't be able to collect status in a centralized way
-- If you decide to uninstall Defender, you'll need to logon to the client machine locally as an administrator
+- You will not be able to collect status in a centralized way
+- If you decide to uninstall Defender, you will need to logon to the client machine locally as an administrator
## Deployment
-Most MDM solution use the same model for managing macOS machines, with similar terminology.
-Use [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md) as a template.
+Most MDM solutions use the same model for managing macOS machines, with similar terminology. Use [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md) as a template.
### Package
Configure deployment of a [required application package](microsoft-defender-atp-mac-install-with-jamf.md#package),
-with the installation package (wdav.pkg) downloaded from [ATP](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages).
+with the installation package (wdav.pkg) downloaded from [Microsoft Defender Security Center](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages).
-Your MDM solution can allow you uploading of an arbitrary application package, or require you to wrap it into a custom package first.
+In order to deploy the package to your enterprise, use the instructions associated with your MDM solution.
### License settings
-Setup [a system configuration profile](microsoft-defender-atp-mac-install-with-jamf.md#configuration-profile).
+Set up [a system configuration profile](microsoft-defender-atp-mac-install-with-jamf.md#configuration-profile).
Your MDM solution may call it something like "Custom Settings Profile", as Microsoft Defender ATP for Mac is not part of macOS.
-Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can extracted from an onboarding package downloaded from [ATP](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages).
-Your system may support an arbitrary property list in XML format. You can just upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case.
+Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be extracted from an onboarding package downloaded from [Microsoft Defender Security Center](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages).
+Your system may support an arbitrary property list in XML format. You can upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case.
Alternatively, it may require you to convert the property list to a different format first.
-Note that your custom profile would have an id, name or domain attribute. You must use exactly "com.microsoft.wdav.atp".
-MDM will use it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client machine, and Defender will use this file for loading onboarding info.
+Typically, your custom profile has an id, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value.
+MDM uses it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client machine, and Defender uses this file for loading the onboarding information.
-### KEXT
+### Kernel extension policy
-Setup a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to whitelist kernel extensions provided by Microsoft.
+Set up a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to whitelist kernel extensions provided by Microsoft.
-## Was it successful?
+## Check installation status
-Run [mdatp](microsoft-defender-atp-mac-install-with-jamf.md#check-onboarding-status) on a client machine.
+Run [mdatp](microsoft-defender-atp-mac-install-with-jamf.md#check-onboarding-status) on a client machine to check the onboarding status.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md
new file mode 100644
index 0000000000..856b617100
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md
@@ -0,0 +1,364 @@
+---
+title: Set preferences for Microsoft Defender ATP for Mac
+ms.reviewer:
+description: Describes how to configure Microsoft Defender ATP for Mac in enterprises.
+keywords: microsoft, defender, atp, mac, management, preferences, enterprise, intune, jamf, macos, mojave, high sierra, sierra
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Set preferences for Microsoft Defender ATP for Mac
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
+>[!IMPORTANT]
+>This topic contains instructions for how to set preferences for Microsoft Defender ATP for Mac in enterprise environments. If you are interested in configuring the product on a device from the command-line, please refer to the [Resources](microsoft-defender-atp-mac-resources.md#configuring-from-the-command-line) page.
+
+In enterprise environments, Microsoft Defender ATP for Mac can be managed through a configuration profile. This profile is deployed from management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile.
+
+This topic describes the structure of this profile (including a recommended profile that you can use to get started) and instructions for how to deploy the profile.
+
+## Configuration profile structure
+
+The configuration profile is a .plist file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can either be simple (such as a numerical value) or complex, such as a nested list of preferences.
+
+The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections.
+
+### Antivirus engine preferences
+
+The *antivirusEngine* section of the configuration profile is used to manage the preferences of the antivirus component of the product.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | antivirusEngine |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+#### Enable / disable real-time protection
+
+Whether real-time protection (scan files as they are accessed) is enabled or not.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | enableRealTimeProtection |
+| **Data type** | Boolean |
+| **Possible values** | true (default)
false |
+
+#### Scan exclusions
+
+Entities that have been excluded from the scan. Exclusions can be specified by full paths, extensions, or file names.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | exclusions |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+**Type of exclusion**
+
+Specifies the type of content excluded from the scan.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | $type |
+| **Data type** | String |
+| **Possible values** | excludedPath
excludedFileExtension
excludedFileName |
+
+**Path to excluded content**
+
+Used to exclude content from the scan by full file path.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | path |
+| **Data type** | String |
+| **Possible values** | valid paths |
+| **Comments** | Applicable only if *$type* is *excludedPath* |
+
+**Path type (file / directory)**
+
+Indicates if the *path* property refers to a file or directory.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | isDirectory |
+| **Data type** | Boolean |
+| **Possible values** | false (default)
true |
+| **Comments** | Applicable only if *$type* is *excludedPath* |
+
+**File extension excluded from the scan**
+
+Used to exclude content from the scan by file extension.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | extension |
+| **Data type** | String |
+| **Possible values** | valid file extensions |
+| **Comments** | Applicable only if *$type* is *excludedFileExtension* |
+
+**Name of excluded content**
+
+Used to exclude content from the scan by file name.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | name |
+| **Data type** | String |
+| **Possible values** | any string |
+| **Comments** | Applicable only if *$type* is *excludedFileName* |
+
+#### Threat type settings
+
+The *threatTypeSettings* preference in the antivirus engine is used to control how certain threat types are handled by the product.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | threatTypeSettings |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+**Threat type**
+
+Type of the threat for which the behavior is configured.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | key |
+| **Data type** | String |
+| **Possible values** | potentially_unwanted_application
archive_bomb |
+
+**Action to take**
+
+Action to take when coming across a threat of the type specified in the preceding section. Can be:
+
+- **Audit**: your device is not protected against this type of threat, but an entry about the threat is logged.
+- **Block**: your device is protected against this type of threat and you are notified in the user interface and the security console.
+- **Off**: your device is not protected against this type of threat and nothing is logged.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | value |
+| **Data type** | String |
+| **Possible values** | audit (default)
block
off |
+
+### Cloud delivered protection preferences
+
+The *cloudService* entry in the configuration profile is used to configure the cloud driven protection feature of the product.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | cloudService |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+#### Enable / disable cloud delivered protection
+
+Whether cloud delivered protection is enabled on the device or not. To improve the security of your services, we recommend keeping this feature turned on.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | enabled |
+| **Data type** | Boolean |
+| **Possible values** | true (default)
false |
+
+#### Diagnostic collection level
+
+Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by the product to Microsoft.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | diagnosticLevel |
+| **Data type** | String |
+| **Possible values** | optional (default)
required |
+
+#### Enable / disable automatic sample submissions
+
+Determines whether suspicious samples (that are likely to contain threats) are sent to Microsoft. You are prompted if the submitted file is likely to contain personal information.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.wdav |
+| **Key** | automaticSampleSubmission |
+| **Data type** | Boolean |
+| **Possible values** | true (default)
false |
+
+## Recommended configuration profile
+
+To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides.
+
+The following configuration profile will:
+- Enable real-time protection (RTP)
+- Specify how the following threat types are handled:
+ - **Potentially unwanted applications (PUA)** are blocked
+ - **Archive bombs** (file with a high compression rate) are audited to the product logs
+- Enable cloud delivered protection
+- Enable automatic sample submission
+
+```XML
+
+
+
+
+ antivirusEngine
+
+ enableRealTimeProtection
+
+ threatTypeSettings
+
+
+ key
+ potentially_unwanted_application
+ value
+ block
+
+
+ key
+ archive_bomb
+ value
+ audit
+
+
+
+ cloudService
+
+ enabled
+
+ automaticSampleSubmission
+
+
+
+
+```
+
+## Full configuration profile example
+
+The following configuration profile contains entries for all settings described in this document and can be used for more advanced scenarios where you want more control over the product.
+
+```XML
+
+
+
+
+ antivirusEngine
+
+ enableRealTimeProtection
+
+ exclusions
+
+
+ $type
+ excludedPath
+ isDirectory
+
+ path
+ /var/log/system.log
+
+
+ $type
+ excludedPath
+ isDirectory
+
+ path
+ /home
+
+
+ $type
+ excludedFileExtension
+ extension
+ pdf
+
+
+ allowedThreats
+
+ eicar
+
+ threatTypeSettings
+
+
+ key
+ potentially_unwanted_application
+ value
+ block
+
+
+ key
+ archive_bomb
+ value
+ audit
+
+
+
+ cloudService
+
+ enabled
+
+ diagnosticLevel
+ optional
+ automaticSampleSubmission
+
+
+
+
+```
+
+## Configuration profile deployment
+
+Once you've built the configuration profile for your enterprise, you can deploy it through the management console that your enterprise is using. The following sections provide instructions on how to deploy this profile using JAMF and Intune.
+
+### JAMF deployment
+
+From the JAMF console, open **Computers** > **Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**. Create an entry with *com.microsoft.wdav* as the preference domain and upload the .plist produced earlier.
+
+>[!CAUTION]
+>You must enter the correct preference domain (*com.microsoft.wdav*), otherwise the preferences will not be recognized by the product.
+
+### Intune deployment
+
+1. Open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
+
+2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select Configure.
+
+3. Save the .plist produced earlier as **com.microsoft.wdav.xml**.
+
+4. Enter **com.microsoft.wdav** as the **custom configuration profile name**.
+
+5. Open the configuration profile and upload **com.microsoft.wdav.xml**. This file was created in step 3.
+
+6. Select **OK**.
+
+7. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
+
+>[!CAUTION]
+>You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product.
+
+## Resources
+
+- [Configuration Profile Reference (Apple developer documentation)](https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md
new file mode 100644
index 0000000000..eb3359531d
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md
@@ -0,0 +1,264 @@
+---
+title: Privacy for Microsoft Defender ATP for Mac
+ms.reviewer:
+description: Describes privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Mac.
+keywords: microsoft, defender, atp, mac, privacy, diagnostic
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Privacy for Microsoft Defender ATP for Mac
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
+Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you’re using Microsoft Defender ATP for Mac.
+
+This topic describes the privacy controls available within the product, how to manage these controls with policy settings and more details on the data events that are collected.
+
+## Overview of privacy controls in Microsoft Defender ATP for Mac
+
+This section describes the privacy controls for the different types of data collected by Microsoft Defender ATP for Mac.
+
+### Diagnostic data
+
+Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements.
+
+Some diagnostic data is required, while some diagnostic data is optional. We give you the ability to choose whether to send us required or optional diagnostic data through the use of privacy controls, such as policy settings for organizations.
+
+There are two levels of diagnostic data for Microsoft Defender ATP client software that you can choose from:
+
+* **Required**: The minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and performing as expected on the device it’s installed on.
+
+* **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues.
+
+By default, both optional and required diagnostic data are sent to Microsoft.
+
+### Cloud delivered protection data
+
+Cloud delivered protection is used to provide increased and faster protection with access to the latest protection data in the cloud.
+
+Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network.
+
+### Sample data
+
+Sample data is used to improve the protection capabilities of the product, by sending Microsoft suspicious samples so they can be analyzed. Enabling automatic sample submission is optional.
+
+When this feature is enabled and the sample that is collected is likely to contain personal information, the user is prompted for consent.
+
+## Manage privacy controls with policy settings
+
+If you're an IT administrator, you might want to configure these controls at the enterprise level.
+
+The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md).
+
+As with any new policy settings, you should carefully test them out in a limited, controlled environment to ensure the settings that you configure have the desired effect before you implement the policy settings more widely in your organization.
+
+## Diagnostic data events
+
+This section describes what is considered required diagnostic data and what is considered optional diagnostic data, along with a description of the events and fields that are collected.
+
+### Data fields that are common for all events
+There is some information about events that is common to all events, regardless of category or data subtype.
+
+The following fields are considered common for all events:
+
+| Field | Description |
+| ----------------------- | ----------- |
+| platform | The broad classification of the platform on which the app is running. Allows Microsoft to identify on which platforms an issue may be occurring so that it can correctly be prioritized. |
+| machine_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
+| sense_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
+| org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. |
+| hostname | Local machine name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
+| product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product. |
+| app_version | Version of the Microsoft Defender ATP for Mac application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.|
+| sig_version | Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized. |
+| supported_compressions | List of compression algorithms supported by the application, for example `['gzip']`. Allows Microsoft to understand what types of compressions can be used when it communicates with the application. |
+| release_ring | Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized. |
+
+
+### Required diagnostic data
+
+**Required diagnostic data** is the minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and perform as expected on the device it’s installed on.
+
+Required diagnostic data helps to identify problems with Microsoft Defender ATP that may be related to a device or software configuration. For example, it can help determine if a Microsoft Defender ATP feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Microsoft Defender ATP features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced.
+
+#### Software setup and inventory data events
+
+**Microsoft Defender ATP installation / uninstallation**
+
+The following fields are collected:
+
+| Field | Description |
+| ---------------- | ----------- |
+| correlation_id | Unique identifier associated with the installation. |
+| version | Version of the package. |
+| severity | Severity of the message (for example Informational). |
+| code | Code that describes the operation. |
+| text | Additional information associated with the product installation. |
+
+**Microsoft Defender ATP configuration**
+
+The following fields are collected:
+
+| Field | Description |
+| --------------------------------------------------- | ----------- |
+| antivirus_engine.enable_real_time_protection | Whether real-time protection is enabled on the device or not. |
+| cloud_service.enabled | Whether cloud delivered protection is enabled on the device or not. |
+| cloud_service.timeout | Time out when the application communicates with the Microsoft Defender ATP cloud. |
+| cloud_service.heartbeat_interval | Interval between consecutive heartbeats sent by the product to the cloud. |
+| cloud_service.service_uri | URI used to communicate with the cloud. |
+| cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). |
+| cloud_service.automatic_sample_submission | Whether automatic sample submission is turned on or not. |
+| features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. |
+
+#### Product and service performance data events
+
+**Kernel extension statistics**
+
+The following fields are collected:
+
+| Field | Description |
+| ---------------- | ----------- |
+| version | Version of Microsoft Defender ATP for Mac. |
+| instance_id | Unique identifier generated on kernel extension startup. |
+| trace_level | Trace level of the kernel extension. |
+| ipc.connects | Number of connection requests received by the kernel extension. |
+| ipc.rejects | Number of connection requests rejected by the kernel extension. |
+| ipc.connected | Whether there is any active connection to the kernel extension. |
+
+#### Support data
+
+**Diagnostic logs**
+
+Diagnostic logs are collected only with the consent of the user as part of the feedback submission feature. The following files are collected as part of the support logs:
+
+- All files under */Library/Logs/Microsoft/mdatp/*
+- Subset of files under */Library/Application Support/Microsoft/Defender/* that are created and used by Microsoft Defender ATP for Mac
+- Subset of files under */Library/Managed Preferences* that are used by Microsoft Defender ATP for Mac
+
+### Optional diagnostic data
+
+**Optional diagnostic data** is additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and fix issues.
+
+If you choose to send us optional diagnostic data, required diagnostic data is also included.
+
+Examples of optional diagnostic data include data Microsoft collects about product configuration (for example number of exclusions set on the device) and product performance (aggregate measures about the performance of components of the product).
+
+#### Software setup and inventory data events
+
+**Microsoft Defender ATP configuration**
+
+The following fields are collected:
+
+| Field | Description |
+| -------------------------------------------------- | ----------- |
+| connection_retry_timeout | Connection retry time out when communication with the cloud. |
+| file_hash_cache_maximum | Size of the product cache. |
+| crash_upload_daily_limit | Limit of crash logs uploaded daily. |
+| antivirus_engine.exclusions[].is_directory | Whether the exclusion from scanning is a directory or not. |
+| antivirus_engine.exclusions[].path | Path that was excluded from scanning. |
+| antivirus_engine.exclusions[].extension | Extension excluded from scanning. |
+| antivirus_engine.exclusions[].name | Name of the file excluded from scanning. |
+| antivirus_engine.scan_cache_maximum | Size of the product cache. |
+| antivirus_engine.maximum_scan_threads | Maximum number of threads used for scanning. |
+| antivirus_engine.threat_restoration_exclusion_time | Time out before a file restored from the quarantine can be detected again. |
+| filesystem_scanner.full_scan_directory | Full scan directory. |
+| filesystem_scanner.quick_scan_directories | List of directories used in quick scan. |
+| edr.latency_mode | Latency mode used by the detection and response component. |
+| edr.proxy_address | Proxy address used by the detection and response component. |
+
+**Microsoft Auto-Update configuration**
+
+The following fields are collected:
+
+| Field | Description |
+| --------------------------- | ----------- |
+| how_to_check | Determines how product updates are checked (for example automatic or manual). |
+| channel_name | Update channel associated with the device. |
+| manifest_server | Server used for downloading updates. |
+| update_cache | Location of the cache used to store updates. |
+
+### Product and service usage
+
+#### Diagnostic log upload started report
+
+The following fields are collected:
+
+| Field | Description |
+| ---------------- | ----------- |
+| sha256 | SHA256 identifier of the support log. |
+| size | Size of the support log. |
+| original_path | Path to the support log (always under */Library/Application Support/Microsoft/Defender/wdavdiag/*). |
+| format | Format of the support log. |
+
+#### Diagnostic log upload completed report
+
+The following fields are collected:
+
+| Field | Description |
+| ---------------- | ----------- |
+| request_id | Correlation ID for the support log upload request. |
+| sha256 | SHA256 identifier of the support log. |
+| blob_sas_uri | URI used by the application to upload the support log. |
+
+#### Product and service performance data events
+
+**Unexpected application exit (crash)**
+
+Unexpected application exits and the state of the application when that happens.
+
+**Kernel extension statistics**
+
+The following fields are collected:
+
+| Field | Description |
+| ------------------------------ | ----------- |
+| pkt_ack_timeout | The following properties are aggregated numerical values, representing count of events that happened since kernel extension startup. |
+| pkt_ack_conn_timeout | |
+| ipc.ack_pkts | |
+| ipc.nack_pkts | |
+| ipc.send.ack_no_conn | |
+| ipc.send.nack_no_conn | |
+| ipc.send.ack_no_qsq | |
+| ipc.send.nack_no_qsq | |
+| ipc.ack.no_space | |
+| ipc.ack.timeout | |
+| ipc.ack.ackd_fast | |
+| ipc.ack.ackd | |
+| ipc.recv.bad_pkt_len | |
+| ipc.recv.bad_reply_len | |
+| ipc.recv.no_waiter | |
+| ipc.recv.copy_failed | |
+| ipc.kauth.vnode.mask | |
+| ipc.kauth.vnode.read | |
+| ipc.kauth.vnode.write | |
+| ipc.kauth.vnode.exec | |
+| ipc.kauth.vnode.del | |
+| ipc.kauth.vnode.read_attr | |
+| ipc.kauth.vnode.write_attr | |
+| ipc.kauth.vnode.read_ex_attr | |
+| ipc.kauth.vnode.write_ex_attr | |
+| ipc.kauth.vnode.read_sec | |
+| ipc.kauth.vnode.write_sec | |
+| ipc.kauth.vnode.take_own | |
+| ipc.kauth.vnode.denied | |
+| ipc.kauth.file_op.mask | |
+| ipc.kauth_file_op.open | |
+| ipc.kauth.file_op.close | |
+
+## Resources
+
+- [Privacy at Microsoft](https://privacy.microsoft.com/)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
index 3b68d01cfd..5c90d72b3d 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
@@ -22,10 +22,7 @@ ms.topic: conceptual
**Applies to:**
-[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
-
->[!IMPORTANT]
->This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
## Collecting diagnostic information
@@ -34,7 +31,7 @@ If you can reproduce a problem, please increase the logging level, run the syste
1. Increase logging level:
```bash
- mavel-mojave:~ testuser$ mdatp --log-level verbose
+ mdatp --log-level verbose
Creating connection to daemon
Connection established
Operation succeeded
@@ -42,19 +39,18 @@ If you can reproduce a problem, please increase the logging level, run the syste
2. Reproduce the problem
-3. Run `mdatp --diagnostic --create` to backup Microsoft Defender ATP's logs. The command will print out location with generated zip file.
+3. Run `mdatp --diagnostic --create` to backup Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
```bash
- mavel-mojave:~ testuser$ mdatp --diagnostic --create
+ mdatp --diagnostic --create
Creating connection to daemon
Connection established
- "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip"
```
4. Restore logging level:
```bash
- mavel-mojave:~ testuser$ mdatp --log-level info
+ mdatp --log-level info
Creating connection to daemon
Connection established
Operation succeeded
@@ -64,13 +60,13 @@ If you can reproduce a problem, please increase the logging level, run the syste
If an error occurs during installation, the installer will only report a general failure.
-The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause.
+The detailed log will be saved to /Library/Logs/Microsoft/mdatp/install.log. If you experience issues during installation, send us this file so we can help diagnose the cause.
## Uninstalling
There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune.
-### Within the GUI
+### Interactive uninstallation
- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**.
@@ -104,7 +100,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
In the Microsoft Defender ATP portal, you'll see two categories of information:
-- AV alerts, including:
+- Antivirus alerts, including:
- Severity
- Scan type
- Device information (hostname, machine identifier, tenant identifier, app version, and OS type)
@@ -123,7 +119,5 @@ In the Microsoft Defender ATP portal, you'll see two categories of information:
## Known issues
-- Not fully optimized for performance or disk space yet.
- Full Microsoft Defender ATP integration is not available yet.
-- Mac devices that switch networks may appear multiple times in the Microsoft Defender ATP portal.
- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-updates.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-updates.md
new file mode 100644
index 0000000000..92ee617ff5
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-updates.md
@@ -0,0 +1,144 @@
+---
+title: Deploy updates for Microsoft Defender ATP for Mac
+ms.reviewer:
+description: Describes how to control updates for Microsoft Defender ATP for Mac in enterprise environments.
+keywords: microsoft, defender, atp, mac, updates, deploy
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Deploy updates for Microsoft Defender ATP for Mac
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
+Microsoft regularly publishes software updates to improve performance, security, and to deliver new features.
+
+To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used. By default, MAU automatically checks for updates daily, but you can change that to weekly, monthly, or manually.
+
+
+
+If you decide to deploy updates by using your software distribution tools, you should configure MAU to manually check for software updates. You can deploy preferences to configure how and when MAU checks for updates for the Macs in your organization.
+
+## Use msupdate
+
+MAU includes a command line tool, called *msupdate*, that is designed for IT administrators so that they have more precise control over when updates are applied. Instructions for how to use this tool can be found in [Update Office for Mac by using msupdate](https://docs.microsoft.com/en-us/deployoffice/mac/update-office-for-mac-using-msupdate).
+
+In MAU, the application identifier for Microsoft Defender ATP for Mac is *WDAV00*. To download and install the latest updates for Microsoft Defender ATP for Mac, execute the following command from a Terminal window:
+
+```
+./msupdate --install --apps wdav00
+```
+
+## Set preferences for Microsoft AutoUpdate
+
+This section describes the most common preferences that can be used to configure MAU. These settings can be deployed as a configuration profile through the management console that your enterprise is using. An example of a configuration profile is shown in the following sections.
+
+### Set the channel name
+
+The channel determines the type and frequency of updates that are offered through MAU. Devices in `InsiderFast` (corresponding to the Insider Fast channel) can try out new features before devices in `External` (corresponding to the Insider Slow channel) and `Production`.
+
+The `Production` channel contains the most stable version of the product.
+
+>[!TIP]
+>In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to `InsiderFast` or `External`.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.autoupdate2 |
+| **Key** | ChannelName |
+| **Data type** | String |
+| **Possible values** | InsiderFast
External
Production |
+
+### Set update check frequency
+
+Change how often MAU searches for updates.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.autoupdate2 |
+| **Key** | UpdateCheckFrequency |
+| **Data type** | Integer |
+| **Default value** | 720 (minutes) |
+| **Comment** | This value is set in minutes. |
+
+### Change how MAU interacts with updates
+
+Change how MAU searches for updates.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.autoupdate2 |
+| **Key** | HowToCheck |
+| **Data type** | String |
+| **Possible values** | Manual
AutomaticCheck
AutomaticDownload |
+| **Comment** | Note that AutomaticDownload will do a download and install silently if possible. |
+
+### Disable Insider checkbox
+
+Set to true to make the "Join the Office Insider Program..." checkbox unavailable / greyed out to users.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.autoupdate2 |
+| **Key** | DisableInsiderCheckbox |
+| **Data type** | Boolean |
+| **Possible values** | False (default)
True |
+
+### Limit the telemetry that is sent from MAU
+
+Set to false to send minimal heartbeat data, no application usage, and no environment details.
+
+|||
+|:---|:---|
+| **Domain** | com.microsoft.autoupdate2 |
+| **Key** | SendAllTelemetryEnabled |
+| **Data type** | Boolean |
+| **Possible values** | True (default)
False |
+
+## Example configuration profile
+
+The following configuration profile is used to:
+- Place the device in the Insider Fast channel
+- Automatically download and install updates
+- Enable the "Check for updates" button in the user interface
+- Allow users on the device to enroll into the Insider channels
+
+```XML
+
+
+
+
+ ChannelName
+ InsiderFast
+ HowToCheck
+ AutomaticDownload
+ EnableCheckForUpdatesButton
+
+ DisableInsiderCheckbox
+
+ SendAllTelemetryEnabled
+
+
+
+```
+
+To configure MAU, you can deploy this configuration profile from the management tool that your enterprise is using:
+- From JAMF, upload this configuration profile and set the Preference Domain to *com.microsoft.autoupdate2*.
+- From Intune, upload this configuration profile and set the custom configuration profile name to *com.microsoft.autoupdate2*.
+
+## Resources
+
+- [msupdate reference](https://docs.microsoft.com/en-us/deployoffice/mac/update-office-for-mac-using-msupdate)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
index b3ad2a2c8c..92f683ebdf 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
@@ -20,82 +20,94 @@ ms.topic: conceptual
# Microsoft Defender Advanced Threat Protection for Mac
->[!IMPORTANT]
->This topic relates to the pre-release version of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+This topic describes how to install, configure, update, and use Microsoft Defender ATP for Mac.
-This topic describes how to install and use Microsoft Defender ATP for Mac.
+> [!CAUTION]
+> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Mac is likely to lead to performance problems and unpredictable side effects.
-## What’s new in the public preview
+## What’s new in the latest release
-Since opening the limited preview, we've been working non-stop to enhance the product, by listening to customer feedback. We've reduced the time it takes for devices to appear in Microsoft Defender Security Center, immediately following deployment. We've improved threat handling, enhanced the user experience, and fixed bugs. Other updates to Microsoft Defender ATP for Mac include:
+Since the announcement of the public preview, Microsoft has been working non-stop to enhance the product, by listening to customer feedback. We've added management features and more granular controls for diagnostic data collection, refined the user experience, and fixed bugs.
-- Enhanced accessibility
-- Improved performance
-- improved client product health monitoring
-- Localization into 37 languages
-- Improved anti-tampering protections
-- Feedback and samples can now be submitted via the interface.
-- Product health can be queried with JAMF or the command line.
-- Admins can set their cloud preference for any location, not just for those in the US.
+If you have any feedback that you would like to share, submit it by opening Microsoft Defender ATP for Mac on your device and navigating to **Help** > **Send feedback**.
-## Installing and configuring
-
-There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac.
-
-In general you'll need to take the following steps:
-
-- Ensure you have a Microsoft Defender ATP subscription and have access to the Microsoft Defender ATP Portal
-- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods:
- - Via the command line tool:
- - [Manual deployment](microsoft-defender-atp-mac-install-manually.md)
- - Via third party tools:
- - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md)
- - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md)
- - [Other MDM products](microsoft-defender-atp-mac-install-with-other-mdm.md)
-
-Whichever method you choose, you will first need to visit the onboarding page in the Microsoft Defender ATP portal.
+## How to install Microsoft Defender ATP for Mac
### Prerequisites
-You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine.
+- Access to the Microsoft Defender Security Center portal
+- Beginner-level experience in macOS and BASH scripting
+- Administrative privileges on the device (in case of manual deployment)
-You should also have access to Microsoft Defender Security Center.
-
-### System Requirements
-
-- macOS version: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra)
-- Disk space during preview: 1GB
-
-Beta versions of macOS are not supported.
+### System requirements
> [!CAUTION]
-> Running other third-party endpoint protection alongside Microsoft Defender ATP for Mac may lead to performance problems and unpredictable side effects.
+> The three most recent major releases of macOS are supported. Beta versions of macOS are not supported.
+
+- Supported macOS versions: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra)
+- Disk space: 650 MB
After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
-The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an **allow** rule specifically for them:
+The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them.
-| Service | Description | URL |
-| -------------- | ------------------------------------ | -------------------------------------------------------------------- |
-| ATP | Advanced threat protection service | [https://x.cp.wd.microsoft.com](https://x.cp.wd.microsoft.com), [https://cdn.x.cp.wd.microsoft.com](https://cdn.x.cp.wd.microsoft.com) |
+| Service location | DNS record |
+| ---------------------------------------- | ----------------------- |
+| Common URLs for all locations | x.cp.wd.microsoft.com
cdn.x.cp.wd.microsoft.com
eu-cdn.x.cp.wd.microsoft.com
wu-cdn.x.cp.wd.microsoft.com
*.blob.core.windows.net
officecdn-microsoft-com.akamaized.net |
+| European Union | europe.x.cp.wd.microsoft.com |
+| United Kingdon | unitedkingdom.x.cp.wd.microsoft.com |
+| United States | unitedstates.x.cp.wd.microsoft.com |
-To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping]([https://cdn.x.cp.wd.microsoft.com/ping) in a browser.
+Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
+- Web Proxy Auto-discovery Protocol (WPAD)
+- Manual static proxy configuration
+
+If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs.
+
+To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping](https://cdn.x.cp.wd.microsoft.com/ping) in a browser.
If you prefer the command line, you can also check the connection by running the following command in Terminal:
```bash
-testuser$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
+curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
```
-The output from this command should look like this:
+The output from this command should be similar to the following:
> `OK https://x.cp.wd.microsoft.com/api/report`
>
> `OK https://cdn.x.cp.wd.microsoft.com/ping`
+> [!CAUTION]
+> We recommend that you keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) enabled on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default.
-We recommend that you keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) enabled on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default.
+### Installation instructions
+
+There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac.
+
+In general you need to take the following steps:
+
+- Ensure that you have a Microsoft Defender ATP subscription and have access to the Microsoft Defender ATP Portal
+- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods:
+ - Via third-party management tools:
+ - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md)
+ - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md)
+ - [Other MDM products](microsoft-defender-atp-mac-install-with-other-mdm.md)
+ - Via the command-line tool:
+ - [Manual deployment](microsoft-defender-atp-mac-install-manually.md)
+
+## How to update Microsoft Defender ATP for Mac
+
+Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used.
+
+To read more on how to configure MAU in enterprise environments, refer to [Deploy updates for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-updates.md)
+
+## How to configure Microsoft Defender ATP for Mac
+
+Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md).
## Resources
-For additional information about logging, uninstalling, or known issues, see our [Resources](microsoft-defender-atp-mac-resources.md) page.
+- For more information about logging, uninstalling, or known issues, see the [Resources](microsoft-defender-atp-mac-resources.md) page.
+
+- [Privacy for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-privacy.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index 2023523f4a..c074504ddd 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -1,58 +1,58 @@
----
-title: Prevent security settings changes with Tamper Protection
-ms.reviewer:
-manager: dansimp
-description: Use tamper protection to prevent malicious apps from changing important security settings.
-keywords: malware, defender, antivirus, tamper protection
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
----
-
-# Prevent security settings changes with tamper protection
-
-**Applies to:**
-
-- Windows 10
-
-Tamper Protection helps prevent malicious apps from changing important security settings. These settings include:
-
-- Real-time protection
-- Cloud-delivered protection
-- IOfficeAntivirus (IOAV)
-- Behavior monitoring
-- Removing security intelligence updates
-
-With Tamper Protection set to **On**, you can still change these settings in the Windows Security app. The following apps and methods can't change these settings:
-
-- Mobile device management (MDM) apps like Intune
-- Enterprise configuration management apps like System Center Configuration Manager (SCCM)
-- Command line instruction MpCmdRun.exe -removedefinitions -dynamicsignatures
-- Windows System Image Manager (Windows SIM) settings DisableAntiSpyware and DisableAntiMalware (used in Windows unattended setup)
-- Group Policy
-- Other Windows Management Instrumentation (WMI) apps
-
-The Tamper Protection setting doesn't affect how third party antivirus apps register with the Windows Security app.
-
-On computers running Windows 10 Enterprise E5, users can't change the Tamper Protection setting.
-
-Tamper Protection is set to **On** by default. If you set Tamper Protection to **Off**, you will see a yellow warning in the Windows Security app under **Virus & Threat Protection**.
-
-## Configure tamper protection
-
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-2. Select **Virus & threat protection**, then select **Virus & threat protection settings**.
-3. Set **Tamper Protection** to **On** or **Off**.
-
->[!NOTE]
->Tamper Protection blocks attempts to modify Windows Defender Antivirus settings through the registry.
->
->To help ensure that Tamper Protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later.
->
->Once you’ve made this update, Tamper Protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors.
+---
+title: Prevent security settings changes with Tamper Protection
+ms.reviewer:
+manager: dansimp
+description: Use tamper protection to prevent malicious apps from changing important security settings.
+keywords: malware, defender, antivirus, tamper protection
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: dansimp
+ms.author: dansimp
+---
+
+# Prevent security settings changes with tamper protection
+
+**Applies to:**
+
+- Windows 10
+
+Tamper Protection helps prevent malicious apps from changing important security settings. These settings include:
+
+- Real-time protection
+- Cloud-delivered protection
+- IOfficeAntivirus (IOAV)
+- Behavior monitoring
+- Removing security intelligence updates
+
+With Tamper Protection set to **On**, you can still change these settings in the Windows Security app. The following apps and methods can't change these settings:
+
+- Mobile device management (MDM) apps like Intune
+- Enterprise configuration management apps like System Center Configuration Manager (SCCM)
+- Command line instruction MpCmdRun.exe -removedefinitions -dynamicsignatures
+- Windows System Image Manager (Windows SIM) settings DisableAntiSpyware and DisableAntiMalware (used in Windows unattended setup)
+- Group Policy
+- Other Windows Management Instrumentation (WMI) apps
+
+The Tamper Protection setting doesn't affect how third party antivirus apps register with the Windows Security app.
+
+On computers running Windows 10 Enterprise E5, users can't change the Tamper Protection setting.
+
+Tamper Protection is set to **On** by default. If you set Tamper Protection to **Off**, you will see a yellow warning in the Windows Security app under **Virus & Threat Protection**.
+
+## Configure tamper protection
+
+1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+2. Select **Virus & threat protection**, then select **Virus & threat protection settings**.
+3. Set **Tamper Protection** to **On** or **Off**.
+
+>[!NOTE]
+>Tamper Protection blocks attempts to modify Windows Defender Antivirus settings through the registry.
+>
+>To help ensure that Tamper Protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later.
+>
+>Once you’ve made this update, Tamper Protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
index 81599231f8..a194696c88 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
@@ -11,7 +11,6 @@ ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
-ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
---
@@ -22,7 +21,9 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of machines or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Windows Defender Antivirus, you may encounter problems or issues.
+You can use Windows Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the [Microsoft Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see [Windows 10 product licensing options](https://www.microsoft.com/licensing/product-licensing/windows10.aspx).
+
+When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of devices or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Windows Defender Antivirus, you might encounter problems or issues.
Typically, the most common indicators of a problem are:
- You only see a small number or subset of all the devices you were expecting to see
@@ -52,7 +53,9 @@ In order for devices to properly show up in Update Compliance, you have to meet
> - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 diagnostic data must be set to the Enhanced level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level).
> - It has been 3 days since all requirements have been met
-If the above pre-requisites have all been met, you may need to proceed to the next step to collect diagnostic information and send it to us.
+“You can use Windows Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender ATP portal (https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options"
+
+If the above pre-requisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us.
> [!div class="nextstepaction"]
> [Collect diagnostic data for Update Compliance troubleshooting](collect-diagnostic-data-update-compliance.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
index a4c209b5bd..52e8586de1 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
@@ -57,8 +57,7 @@ The table in this section lists the main Windows Defender Antivirus event IDs an
-
-
+
| Event ID: 1000 |
@@ -1687,7 +1686,7 @@ The Windows Defender Antivirus client attempted to download and install the late
To troubleshoot this event:
- Restart the computer and try again.
-- Download the latest definitions from the Windows Defender Security Intelligence site.
+
- Download the latest definitions from the Microsoft Security Intelligence site.
Note: The size of the definitions file downloaded from the site can exceed 60 MB and should not be used as a long-term solution for updating definitions.
- Contact Microsoft Technical Support.
@@ -2716,7 +2715,7 @@ This section provides the following information about Windows Defender Antivirus
Use the information in these tables to help troubleshoot Windows Defender Antivirus error codes.
-
+
| Error code: 0x80508007 |
@@ -2758,7 +2757,7 @@ This error indicates that there might be a problem with your security product.
- Update the definitions. Either:
- Click the Update definitions button on the Update tab in Windows Defender Antivirus.
 Or,
-- Download the latest definitions from the Windows Defender Security Intelligence site.
+
- Download the latest definitions from the Microsoft Security Intelligence site.
Note: The size of the definitions file downloaded from the site can exceed 60 MB and should not be used as a long-term solution for updating definitions.
@@ -2916,7 +2915,7 @@ The following error codes are used during internal testing of Windows Defender A
If you see these errors, you can try to [update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.
-
+
| Internal error codes |
diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
index c33eca6f6f..294b63f287 100644
--- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
@@ -26,6 +26,14 @@ The [Microsoft Component Object Model (COM)](https://docs.microsoft.com/windows/
Prior to the Windows 10 1903 update, Windows Defender Application Control (WDAC) enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
+**NOTE**: To add this functionality to other versions of Windows 10, you can install the following or later updates:
+
+- Windows 10, 1809 June 18, 2019—KB4501371 (OS Build 17763.592) (https://support.microsoft.com/help/4501371/windows-10-update-kb4501371)
+- Windows 10, 1803 June 18, 2019—KB4503288 (OS Build 17134.858) (https://support.microsoft.com/help/4503288/windows-10-update-kb4503288)
+- Windows 10, 1709 June 18, 2019—KB4503281 (OS Build 16299.1237) (https://support.microsoft.com/help/4503281/windows-10-update-kb4503281)
+- Windows 10, 1703 June 18, 2019—KB4503289 (OS Build 15063.1897) (https://support.microsoft.com/help/4503289/windows-10-update-kb4503289
+- Windows 10, 1607 June 18, 2019—KB4503294 (OS Build 14393.3053) (https://support.microsoft.com/help/4503294/windows-10-update-kb4503294)
+
### Get COM object GUID
Get GUID of application to allow in one of the following ways:
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
index 7342686647..30acb5dae4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
@@ -23,7 +23,7 @@ ms.date: 05/03/2018
Running Appication Control in audit mode allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a WDAC policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new WDAC policy. When the new exception policy is created, you can merge it with your existing WDAC policies.
-Before you begin this process, you need to create a WDAC policy binary file. If you have not already done so, see [Create an initial Windows Defender Application Control policy from a reference computer](#create-initial-default-policy).
+Before you begin this process, you need to create a WDAC policy binary file. If you have not already done so, see [Create an initial Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md).
**To audit a Windows Defender Application Control policy with local policy:**
@@ -94,7 +94,7 @@ Use the following procedure after you have been running a computer with a WDAC p
- Any applications that actually should not be allowed to run in your environment. Edit these out of the .xml file. If they remain in the .xml file, and the information in the file is merged into your existing WDAC policy, the policy will treat the applications as trusted, and allow them to run.
-You can now use this file to update the existing WDAC policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing WDAC policy, see the next section, [Merge Windows Defender Application Control policies](#merge-windows-defender-application-control-policies).
+You can now use this file to update the existing WDAC policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing WDAC policy, see the next section, [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md).
> [!NOTE]
-> You may have noticed that you did not generate a binary version of this policy as you did in [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer). This is because WDAC policies created from an audit log are not intended to run as stand-alone policies but rather to update existing WDAC policies.
+> You may have noticed that you did not generate a binary version of this policy as you did in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md). This is because WDAC policies created from an audit log are not intended to run as stand-alone policies but rather to update existing WDAC policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
index 6df51f6694..abc8820fab 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
@@ -75,5 +75,19 @@ Note that "ResetPolicyId" reverts a supplemental policy to a base policy, and re
### Merging policies
-When merging, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID , then regardless of what the GUIDS and types are for any subsequent policies, the merged policy will be a base policy with ID .
+When merging, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \, then regardless of what the GUIDS and types are for any subsequent policies, the merged policy will be a base policy with ID \.
+### Deploying policies
+
+In order to deploy policies using the new multiple policy format you will need to:
+
+1. Ensure policies are copied to the right location
+ - Policies must be copied to this directory: C:\Windows\System32\CodeIntegrity\CiPolicies\Active
+2. Binary policy files must have the correct name which takes the format {PolicyGUID}.cip
+ - Ensure that the name of the binary policy file is exactly the same as the PolicyID in the policy
+ - For example if the policy XML had the ID as {A6D7FBBF-9F6B-4072-BF37-693741E1D745} the correct name for the binary policy file would be {A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip
+3. Reboot the system or use WMI to rebootlessly refresh the policy
+
+```powershell
+Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = 'C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip'}
+```
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
index 1f0c64f9c3..61a3e06b58 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
@@ -14,6 +14,9 @@ author: dansimp
ms.date: 05/17/2018
---
+> [!NOTE]
+> For WDAC enhancements see [Delivering major enhancements in Windows Defender Application Control with the Windows 10 May 2019 Update](https://www.microsoft.com/security/blog/2019/07/01/).
+
# Deploy Windows Defender Application Control policies by using Microsoft Intune
**Applies to:**
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 18aaf0b398..960a7fb0ca 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -70,6 +70,7 @@ You can set several rule options within a WDAC policy. Table 2 describes each ru
| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
| **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically re-validate the reputation for files that were authorized by the ISG.|
| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. |
+| **17 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically-loaded libraries. |
## Windows Defender Application Control file rule levels
diff --git a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md b/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
index 693cce1792..b00e9c0154 100644
--- a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
+++ b/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
@@ -65,7 +65,7 @@ If you do not have a code signing certificate, see the [Optional: Create a code
` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update`
> [!NOTE]
- > should be the full path to the certificate that you exported in step 3.
+ > \ should be the full path to the certificate that you exported in step 3.
Also, adding update signers is crucial to being able to modify or disable this policy in the future.
6. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option:
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
index 18738ef4ec..8d7885f549 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
@@ -27,7 +27,7 @@ Dynamic Code Security is not enabled by default because existing policies may no
Additionally, a small number of .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, are not currently supported with Dynamic Code Security enabled.
Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy.
-To enable Dynamic Code Security, add the following option to the section of your policy:
+To enable Dynamic Code Security, add the following option to the `` section of your policy:
```xml
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index 4104a10a84..aa3c23a2cf 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -22,25 +22,42 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019.
+
+Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1704 and 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019.
+
To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subscription, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment.
+
Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including:
- Executable files and scripts used in Office apps or web mail that attempt to download or run files
- Obfuscated or otherwise suspicious scripts
- Behaviors that apps don't usually initiate during normal day-to-day work
-You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
+You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 securty center.
For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
+## Review attack surface reduction events in the Microsoft Security Center
+
+Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
+
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings could affect your environment.
+
+Here is an example query:
+
+```
+MiscEvents
+| where ActionType startswith 'Asr'
+```
+
## Review attack surface reduction events in Windows Event Viewer
You can review the Windows event log to view events that are created when attack surface reduction rules fire:
@@ -63,6 +80,8 @@ Event ID | Description
1121 | Event when rule fires in Block-mode
1122 | Event when rule fires in Audit-mode
+The "engine version" of attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all machines with Windows 10 installed.
+
## Attack surface reduction rules
@@ -141,7 +160,7 @@ GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
-Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers. You can exclude scripts so they're allowed to run.
+Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers.
>[!IMPORTANT]
>File and folder exclusions don't apply to this attack surface reduction rule.
@@ -179,7 +198,7 @@ This rule blocks the following file types from launching unless they either meet
- Executable files (such as .exe, .dll, or .scr)
>[!NOTE]
->You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+>You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
>[!IMPORTANT]
>The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
@@ -197,7 +216,7 @@ GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list.
>[!NOTE]
->You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+>You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
Intune name: Advanced ransomware protection
@@ -207,7 +226,7 @@ GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
### Block credential stealing from the Windows local security authority subsystem (lsass.exe)
-Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
+Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
>[!NOTE]
>In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
@@ -284,3 +303,5 @@ GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
+- [Compatibility of Microsoft Defender with other antivirus/antimalware](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility)
+
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
index 3e7dd85f9c..6dd4b9f19f 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
@@ -42,7 +42,7 @@ The limited subset of rules that can be used in Windows 10 Enterprise E3 include
- Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB
-For more information about these rules, see [Reduce attack surfaces with attack surface reduction rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard).
+For more information about these rules, see [Reduce attack surfaces with attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard).
## Related topics
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
index 00e0789bab..3029df4d23 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
@@ -45,7 +45,7 @@ Controlled folder access requires enabling [Windows Defender Antivirus real-time
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
Here is an example query
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
index 4559d896b6..2b7dec1738 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
@@ -40,7 +40,7 @@ You can exclude files and folders from being evaluated by attack surface reducti
An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to certain rules.
-An exclusion is applied only when when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
+An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
index 43cdc009e2..6e52ff5447 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
@@ -42,7 +42,7 @@ You can add additional folders to be protected, but you cannot remove the defaul
Adding other folders to controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults.
-You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
+You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
You can use the Windows Security app or Group Policy to add and remove additional protected folders.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
index c238e5c8c2..f6197a0a67 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
@@ -208,7 +208,7 @@ Where:
For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used in the example above, you'd use the following command:
```PowerShell
-Set-ProcesMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
+Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
```
You can disable audit mode by using the same command but replacing `-Enable` with `-Disable`.
@@ -227,7 +227,7 @@ Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThun
Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available
Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available
Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available
-Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available
+Validate heap integrity | System and app-level | TerminateOnError | Audit not available
Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode
Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad
Block remote images | App-level only | BlockRemoteImages | Audit not available
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
index 6240e524cc..b346df9a75 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@@ -53,7 +53,7 @@ You can exclude files and folders from being evaluated by most attack surface re
>- Block process creations originating from PSExec and WMI commands
>- Block JavaScript or VBScript from launching downloaded executable content
-You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
+You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
@@ -73,9 +73,9 @@ The following procedures for enabling ASR rules include instructions for how to
## MDM
-Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
+Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
-The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules).
+The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules).
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
index 0c1ff68ba4..29ed15335f 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
@@ -72,7 +72,7 @@ For more information about disabling local list merging, see [Prevent or allow u
## MDM
-Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders.
+Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders.
## SCCM
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
index dcffecd121..5652a45bd4 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
@@ -1,3 +1,4 @@
+---
ms.reviewer:
title: Import custom views to see attack surface reduction events
description: Use Windows Event Viewer to import individual views for each of the features.
@@ -65,7 +66,7 @@ You can also manually navigate to the event area that corresponds to the feature
3. On the left panel, under **Actions**, click **Create Custom View...**
- 
+ 
4. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**.
@@ -179,6 +180,4 @@ Controlled folder access | Windows Defender (Operational) | 1127 | Blocked Contr
Controlled folder access | Windows Defender (Operational) | 1128 | Audited Controlled folder access sector write block event
Attack surface reduction | Windows Defender (Operational) | 5007 | Event when settings are changed
Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode
-
-
Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
index c5ee205c10..d701915788 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
@@ -45,6 +45,19 @@ Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](http
>[!WARNING]
>Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network.
+## Review exploit protection events in the Microsoft Security Center
+
+Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
+
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how exploit protection settings could affect your environment.
+
+Here is an example query:
+
+```
+MiscEvents
+| where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'
+```
+
## Review exploit protection events in Windows Event Viewer
You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app:
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png
index 3289ace8cf..eac90e96f5 100644
Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png and b/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png
index 5bc0f3e22b..67abde13e0 100644
Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png and b/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
index 7bf07fbce8..e4fccb655d 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
@@ -49,7 +49,14 @@ Windows 10 version 1709 or later | [Windows Defender AV real-time protection](..
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled.
+
+Here is an example query
+
+```
+MiscEvents
+| where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')
+```
## Review network protection events in Windows Event Viewer
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
index 15fd8b2886..58f95ecbc5 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
@@ -39,9 +39,9 @@ The following tables provide more information about the hardware, firmware, and
|--------------------------------|----------------------------------------------------|-------------------|
| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | |
| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. |
-| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
-| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
-| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
+| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
+| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
+| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.
| Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
> **Important** The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide.
@@ -64,7 +64,7 @@ The following tables describe additional hardware and firmware qualifications, a
| Protections for Improved Security | Description | Security benefits |
|---------------------------------------------|----------------------------------------------------|-----|
-| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies).
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://docs.microsoft.com/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. |
+| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies).
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://docs.microsoft.com/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. |
| Firmware: **Firmware Update through Windows Update** | Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. |
| Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
index 9ae361f1fd..89c98507fe 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
@@ -86,4 +86,53 @@ This can only be done in Group Policy.
6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.
-7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+
+## Notifications
+
+| Purpose | Notification text | Toast Identifier | Critical? |
+|---------|------------------|-------------|-----------|
+| Network isolation | Your IT administrator has caused Windows Defender to disconnect your device. Contact IT help desk. | SENSE_ISOLATION | Yes |
+| Network isolation customized | _Company name_ has caused Windows Defender to disconnect your device. Contact IT help desk _phone number_, _email address_, _url_. | SENSE_ISOLATION_CUSTOM (body) | Yes |
+| Restricted access | Your IT administrator has caused Windows Defender to limit actions on this device. Some apps may not function as expected. Contact IT help desk. | SENSE_PROCESS_RESTRICTION | Yes |
+| Restricted access customized | _Company_ has caused Windows Defender to limit actions on this device. Some apps may not function as expected. Contact IT help desk. | SENSE_PROCESS_RESTRICTION_CUSTOM (body) | Yes |
+| HVCI, driver compat check fails (upon trying to enable) | There may be an incompatibility on your device. | HVCI_ENABLE_FAILURE | Yes |
+| HVCI, reboot needed to enable | The recent change to your protection settings requires a restart of your device. | HVCI_ENABLE_SUCCESS | Yes |
+| Item skipped in scan, due to exclusion setting, or network scanning disabled by admin | The Windows Defender Antivirus scan skipped an item due to exclusion or network scanning settings. | ITEM_SKIPPED | Yes |
+| Remediation failure | Windows Defender Antivirus couldn’t completely resolve potential threats. | CLEAN_FAILED | Yes |
+| Follow-up action (restart & scan) | Windows Defender Antivirus found _threat_ in _file name_. Please restart and scan your device. Restart and scan | MANUALSTEPS_REQUIRED | Yes |
+| Follow-up action (restart) | Windows Defender Antivirus found _threat_ in _file_. Please restart your device. | WDAV_REBOOT | Yes |
+| Follow-up action (Full scan) | Windows Defender Antivirus found _threat_ in _file_. Please run a full scan of your device. | FULLSCAN_REQUIRED | Yes |
+| Sample submission prompt | Review files that Windows Defender will send to Microsoft. Sending this information can improve how Windows Defender Antivirus helps protect your device. | SAMPLE_SUBMISSION_REQUIRED | Yes |
+| OS support ending warning | Support for your version of Windows is ending. When this support ends, Windows Defender Antivirus won’t be supported, and your device might be at risk. | SUPPORT_ENDING | Yes |
+| OS support ended, device at risk | Support for your version of Windows has ended. Windows Defender Antivirus is no longer supported, and your device might be at risk. | SUPPORT_ENDED _and_ SUPPORT_ENDED_NO_DEFENDER | Yes |
+| Summary notification, items found | Windows Defender Antivirus successfully took action on _n_ threats since your last summary. Your device was scanned _n_ times. | RECAP_FOUND_THREATS_SCANNED | No |
+| Summary notification, items found, no scan count | Windows Defender Antivirus successfully took action on _n_ threats since your last summary. | RECAP_FOUND_THREATS | No |
+| Summary notification, **no** items found, scans performed | Windows Defender Antivirus did not find any threats since your last summary. Your device was scanned _n_ times. | RECAP_NO THREATS_SCANNED | No |
+| Summary notification, **no** items found, no scans | Windows Defender Antivirus did not find any threats since your last summary. | RECAP_NO_THREATS | No |
+| Scan finished, manual, threats found | Windows Defender Antivirus scanned your device at _timestamp_ on _date_, and took action against threats. | RECENT_SCAN_FOUND_THREATS | No |
+| Scan finished, manual, **no** threats found | Windows Defender Antivirus scanned your device at _timestamp_ on _date_. No threats were found. | RECENT_SCAN_NO_THREATS | No |
+| Threat found | Windows Defender Antivirus found threats. Get details. | CRITICAL | No |
+| LPS on notification | Windows Defender Antivirus is periodically scanning your device. You’re also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No |
+| Long running BaFS | Your IT administrator requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS | No |
+| Long running BaFS customized | _Company_ requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS_DETECTED_CUSTOM (body) | No |
+| Sense detection | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED | No |
+| Sense detection customized | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED_CUSTOM (body) | No |
+| Ransomware specific detection | Windows Defender Antivirus has detected threats which may include ransomware. | WDAV_RANSOMWARE_DETECTED | No |
+| ASR (HIPS) block | Your IT administrator caused Windows Defender Security Center to block this action. Contact your IT help desk. | HIPS_ASR_BLOCKED | No |
+| ASR (HIPS) block customized | _Company_ caused Windows Defender Security Center to block this action. Contact your IT help desk. | HIPS_ASR_BLOCKED_CUSTOM (body) | No |
+| CFA (FolderGuard) block | Controlled folder access blocked _process_ from making changes to the folder _path_ | FOLDERGUARD_BLOCKED | No |
+| Network protect (HIPS) network block customized | _Company_ caused Windows Defender Security Center to block this network connection. Contact your IT help desk. | HIPS_NETWORK_BLOCKED_CUSTOM (body) | No |
+| Network protection (HIPS) network block | Your IT administrator caused Windows Defender Security Center to block this network connection. Contact your IT help desk. | HIPS_NETWORK_BLOCKED | No |
+| PUA detection, not blocked | Your settings cause the detection of any app that might perform unwanted actions on your computer. | PUA_DETECTED | No |
+| PUA notification | Your IT settings caused Windows Defender Antivirus to block an app that may potentially perform unwanted actions on your device. | PUA_BLOCKED | No |
+| PUA notification, customized | _Company_ caused Windows Defender Antivirus to block an app that may potentially perform unwanted actions on your device. | PUA_BLOCKED_CUSTOM (body) | No |
+| Network isolation ended | | | No |
+| Network isolation ended, customized | | | No |
+| Restricted access ended | | | No |
+| Restricted access ended, customized | | | No |
+| Dynamic lock on, but bluetooth off | | | No |
+| Dynamic lock on, bluetooth on, but device unpaired | | | No |
+| Dynamic lock on, bluetooth on, but unable to detect device | | | No |
+| NoPa or federated no hello | | | No |
+| NoPa or federated hello broken | | | No |
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
index 24b4c8ebd1..1a7b1eae79 100644
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
@@ -21,7 +21,7 @@ ms.author: dansimp
Windows Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Windows Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely.
-See [Windows 10 (and later) settings to protect devices using Intune](https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune.
+See [Windows 10 (and later) settings to protect devices using Intune](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune.
## Group Policy settings
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index ceb1488e72..be6c791392 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -61,7 +61,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
>[!NOTE]
->To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control), [Credential Guard](https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements), and [Virtualization Based Security](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity).
+>To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](https://docs.microsoft.com/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control), [Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements), and [Virtualization Based Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity).
## Requirements Met by System Guard Enabled Machines
Any machine with System Guard enabled will automatically meet the following low-level hardware requirements:
diff --git a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
index 5c31e736a7..a0422c4a14 100644
--- a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
+++ b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
@@ -33,7 +33,7 @@ The following sample file uses item-level targeting to ensure that the registry
>**Note:** The file shown here is for sample use only. It should be customized to meet the requirements of your organization’s deployment. To customize this file, import it into a test GPO, modify the settings, and then drag the Server and Domain Isolation Settings node to your desktop. The new file will contain all of your customization.
-``` syntax
+```xml
diff --git a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
index 7382a66a00..04739b0f9c 100644
--- a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
@@ -71,4 +71,4 @@ For more information about this design:
- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md).
-**Next: **[Domain Isolation Policy Design](domain-isolation-policy-design.md)
+**Next:** [Domain Isolation Policy Design](domain-isolation-policy-design.md)
diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
index accc64084b..efa67c42bc 100644
--- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
@@ -57,4 +57,4 @@ By using the Active Directory Users and Computers snap-in, Woodgrove Bank create
Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local device.
-**Next: **[Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
+**Next:** [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
index 3bd6236176..1be717ce49 100644
--- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
@@ -45,4 +45,4 @@ For more info about this design:
- For a list of tasks that you can use to deploy your certificate-based policy design, see [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md).
-**Next: **[Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
+**Next:** [Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
index 851b77b568..ea78e8de16 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
@@ -29,10 +29,6 @@ To configure Windows Defender Firewall with Advanced Security to log dropped pac
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
-In this topic:
-
-- [To configure the Windows Defender Firewall with Advanced Security log](#to-configure-the-windows-firewall-log)
-
## To configure the Windows Defender Firewall with Advanced Security log
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
index 9dc6366064..8de4021830 100644
--- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -27,9 +27,7 @@ ms.date: 04/11/2019
To get started, open Device Configuration in Intune, then create a new profile.
Choose Windows 10 as the platform, and Endpoint Protection as the profile type.
-Select Windows Defender Firewall.
-Add a firewall rule to this new Endpoint Protection profile using the Add button at the bottom of the blade.
-
+Select Windows Defender Firewall.
>[!IMPORTANT]
diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
index 048a242e05..83f35fe206 100644
--- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
+++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
@@ -52,4 +52,4 @@ The information that you gather will help you answer the following questions. Th
This guide describes how to plan your groups and GPOs for an environment with a mix of operating systems. Details can be found in the section [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) later in this guide.
-**Next: **[Gathering the Information You Need](gathering-the-information-you-need.md)
+**Next:** [Gathering the Information You Need](gathering-the-information-you-need.md)
diff --git a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
index e5abd70033..d7bed686fa 100644
--- a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
+++ b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
@@ -144,4 +144,4 @@ With the other information that you have gathered in this section, this informat
The costs identified in this section only capture the projected cost of the device upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan.
-**Next: **[Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)
+**Next:** [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)
diff --git a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
index 45577c869a..0fa1893aa6 100644
--- a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
@@ -32,4 +32,4 @@ Generally, the task of determining zone membership is not complex, but it can be
| SENSITIVE001 | Yes| Yes| Not required.| Running Windows Server 2012. Ready for inclusion.| $0| Isolated server (in zone by itself)|
| PRINTSVR1 | Yes| Yes| Not required.| Running Windows Server 2008 R2. Ready for inclusion.| $0| Boundary|
-**Next: **[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)
+**Next:** [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
index 8179db1063..d0e345f2c5 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
@@ -63,4 +63,4 @@ The following groups were created by using the Active Directory Users and Comput
>**Note:** If you are designing GPOs for only Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. However, devices that are running older versions of Windows can only support a single IPsec policy being active at a time. The policies for each GPO must be complete (and to a great extent redundant with each other), because you cannot layer them as you can in the newer versions of Windows. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group.
-**Next: **[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
+**Next:** [Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md
index 2330b6ee32..ced058672b 100644
--- a/windows/security/threat-protection/windows-firewall/encryption-zone.md
+++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md
@@ -67,4 +67,4 @@ The GPO for devices that are running at least Windows Server 2008 should includ
- If domain member devices must communicate with devices in the encryption zone, ensure that you include in the isolated domain GPOs quick mode combinations that are compatible with the requirements of the encryption zone GPOs.
-**Next: **[Planning Server Isolation Zones](planning-server-isolation-zones.md)
+**Next:** [Planning Server Isolation Zones](planning-server-isolation-zones.md)
diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md
index 93dbefc241..5911a0bedc 100644
--- a/windows/security/threat-protection/windows-firewall/exemption-list.md
+++ b/windows/security/threat-protection/windows-firewall/exemption-list.md
@@ -57,4 +57,4 @@ To keep the number of exemptions as small as possible, you have several options:
As with defining the boundary zone, create a formal process to approve hosts being added to the exemption list. For a model of processing requests for exemptions, see the decision flowchart in the [Boundary Zone](boundary-zone.md) section.
-**Next: **[Isolated Domain](isolated-domain.md)
+**Next:** [Isolated Domain](isolated-domain.md)
diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
index fef8bc41e2..5127569bc4 100644
--- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
@@ -110,5 +110,5 @@ The following groups were created by using the Active Directory Users and Comput
In your own design, create a group for each computer role in your organization that requires different or additional firewall rules. For example, file servers and print servers require additional rules to allow the incoming network traffic for those functions. If a function is ordinarily performed on most devices on the network, you might consider adding devices performing those roles to the common default firewall GPO set, unless there is a security reason not to include it there.
-**Next: **[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
+**Next:** [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
index 5b0c733db4..cd4b6c6d78 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
@@ -37,4 +37,4 @@ Active Directory is another important item about which you must gather informati
- **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Defender Firewall connection security rules for versions of Windows prior to Windows Vista and Windows Server 2008 are not compatible with earlier versions of Windows. If you already have IPsec policies deployed to devices running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable devices using either the old or new IPsec policies to communicate with each other.
-**Next: **[Gathering Information about Your Devices](gathering-information-about-your-devices.md)
+**Next:** [Gathering Information about Your Devices](gathering-information-about-your-devices.md)
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
index 34b00db3ac..992c8390e8 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
@@ -118,4 +118,4 @@ Some of the more common applications and protocols are as follows:
- **Other traffic**. Windows Defender Firewall can help secure transmissions between devices by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured.
-**Next: **[Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)
+**Next:** [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
index 79f64faa4e..2feb5a2fd1 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
@@ -59,4 +59,4 @@ Whether you use an automatic, manual, or hybrid option to gather the information
This inventory will be critical for planning and implementing your Windows Defender Firewall design.
-**Next: **[Gathering Other Relevant Information](gathering-other-relevant-information.md)
+**Next:** [Gathering Other Relevant Information](gathering-other-relevant-information.md)
diff --git a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
index 7a20dd71a7..5d29784f77 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
@@ -82,4 +82,4 @@ Network Monitor includes parsers for the ISAKMP (IKE), AH, and ESP protocols. Ne
Message Analyzer is available on the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=44226).
-**Next: **[Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md)
+**Next:** [Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md)
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
index 65e05e7876..006015b36a 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
@@ -48,4 +48,4 @@ Copy the firewall rules for the boundary zone from the GPO that contains the fir
Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules.
-**Next: **[Encryption Zone GPOs](encryption-zone-gpos.md)
+**Next:** [Encryption Zone GPOs](encryption-zone-gpos.md)
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
index 0820c4aacb..e16a7ecc32 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
@@ -50,7 +50,7 @@ Change the action for every inbound firewall rule from **Allow the connection**
Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules.
-**Next: **[Server Isolation GPOs](server-isolation-gpos.md)
+**Next:** [Server Isolation GPOs](server-isolation-gpos.md)
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
index 81e55a89ac..e44b50dd82 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
@@ -70,4 +70,4 @@ This GPO provides the following rules:
- A firewall exception rule to allow required network traffic for the WGBank dashboard program. This inbound rule allows network traffic for the program Dashboard.exe in the %ProgramFiles%\\WGBank folder. The rule is also filtered to only allow traffic on port 1551. This rule is applied only to the domain profile.
-**Next: **[Isolated Domain GPOs](isolated-domain-gpos.md)
+**Next:** [Isolated Domain GPOs](isolated-domain-gpos.md)
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
index 4701b4565d..eda2c2ccc5 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
@@ -88,4 +88,4 @@ This GPO provides the following rules:
- Authentication mode is set to **Do not authenticate**.
-**Next: **[GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md)
+**Next:** [GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md)
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
index 6e5fc43ced..bfe618f15f 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
@@ -31,5 +31,5 @@ Because so many of the settings and rules for this GPO are common to those in th
>**Important:** Windows Vista and Windows Server 2008 support only one network location profile at a time. The profile for the least secure network type is applied to the device. If you attach a network adapter to a device that is not physically connected to a network, the public network location type is associated with the network adapter and applied to the device.
-**Next: **[Boundary Zone GPOs](boundary-zone-gpos.md)
+**Next:** [Boundary Zone GPOs](boundary-zone-gpos.md)
diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain.md b/windows/security/threat-protection/windows-firewall/isolated-domain.md
index 7c2bb196ff..bb06dc1bff 100644
--- a/windows/security/threat-protection/windows-firewall/isolated-domain.md
+++ b/windows/security/threat-protection/windows-firewall/isolated-domain.md
@@ -64,4 +64,4 @@ GPOs for devices running at least Windows Vista and Windows Server 2008 should
>**Note:** For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).
-**Next: **[Boundary Zone](boundary-zone.md)
+**Next:** [Boundary Zone](boundary-zone.md)
diff --git a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
index 8c6362f758..9c73c224b9 100644
--- a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
+++ b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
@@ -38,4 +38,4 @@ Use the following table to determine which Windows Firewall with Advanced Securi
To examine details for a specific design, click the design title at the top of the column in the preceding table.
-**Next: **[Basic Firewall Policy Design](basic-firewall-policy-design.md)
+**Next:** [Basic Firewall Policy Design](basic-firewall-policy-design.md)
diff --git a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
index bba537328b..17d43619ee 100644
--- a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
@@ -29,12 +29,6 @@ This procedure shows you how to open the Windows Defender Firewall with Advanced
To complete this procedure, you must be a member of the Administrators group. For more information, see Additional considerations.
-## Opening Windows Defender Firewall
-
-- [Using the Windows interface](#to-open-windows-firewall-with-advanced-security-using-the-ui)
-
-- [Using a command line](#to-open-windows-firewall-with-advanced-security-from-a-command-prompt)
-
## To open Windows Defender Firewall using the UI
Click Start, type **Windows Defender Firewall**, and the press ENTER.
diff --git a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
index 71ef3b2620..100858ecbe 100644
--- a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
+++ b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
@@ -59,4 +59,4 @@ When the clients and servers have the certificates available, you can configure
Starting in Windows Server 2012,you can configure certificate selection criteria so the desired certificate is selected and/or validated. Enhanced Key Usage (EKU) criteria can be configured, as well as name restrictions and certificate thumbprints. This is configured using the **Advanced** button when choosing certificates for the authentication method in the user interface, or through Windows PowerShell.
-**Next: **[Documenting the Zones](documenting-the-zones.md)
+**Next:** [Documenting the Zones](documenting-the-zones.md)
diff --git a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
index 0536c63506..0798ba72d5 100644
--- a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
@@ -43,5 +43,5 @@ Multiple GPOs might be delivered to each group. Which one actually becomes appli
If multiple GPOs are assigned to a group, and similar rules are applied, the rule that most specifically matches the network traffic is the one that is used by the device. For example, if one IPsec rule says to request authentication for all IP traffic, and a second rule from a different GPO says to require authentication for IP traffic to and from a specific IP address, then the second rule takes precedence because it is more specific.
-**Next: **[Planning Network Access Groups](planning-network-access-groups.md)
+**Next:** [Planning Network Access Groups](planning-network-access-groups.md)
diff --git a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
index fb13446ed6..3043878e04 100644
--- a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
+++ b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
@@ -38,4 +38,4 @@ For the Woodgrove Bank scenario, access to the devices running SQL Server that s
>**Note:** Membership in a NAG does not control the level of IPsec traffic protection. The IKE negotiation is only aware of whether the device or user passed or failed the Kerberos V5 authentication process. The connection security rules in the applied GPO control the security methods that are used for protecting traffic and are independent of the identity being authenticated by Kerberos V5.
-**Next: **[Planning the GPOs](planning-the-gpos.md)
+**Next:** [Planning the GPOs](planning-the-gpos.md)
diff --git a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
index f1977f0234..f42eca057b 100644
--- a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
@@ -79,4 +79,4 @@ GPOs for devices running at least Windows Server 2008 should include the follow
>**Note:** For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).
-**Next: **[Planning Certificate-based Authentication](planning-certificate-based-authentication.md)
+**Next:** [Planning Certificate-based Authentication](planning-certificate-based-authentication.md)
diff --git a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
index f75466f965..8138bd8ee1 100644
--- a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
+++ b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
@@ -55,4 +55,4 @@ The following is a list of the firewall settings that you might consider for inc
- **Outbound rules**. Only create outbound rules to block network traffic that must be prevented in all cases. If your organization prohibits the use of certain network programs, you can support that policy by blocking the known network traffic used by the program. Be sure to test the restrictions before you deploy them to avoid interfering with traffic for needed and authorized programs.
-**Next: **[Planning Domain Isolation Zones](planning-domain-isolation-zones.md)
+**Next:** [Planning Domain Isolation Zones](planning-domain-isolation-zones.md)
diff --git a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
index b00682c8e7..6992965186 100644
--- a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
+++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
@@ -95,4 +95,4 @@ After you have selected a design and assigned your devices to zones, you can beg
When you are ready to examine the options for the groups, filters, and GPOs, see the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
-**Next: **[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)
+**Next:** [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)
diff --git a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
index 46d4138780..a3ca3c4b6e 100644
--- a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
+++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
@@ -47,4 +47,4 @@ The following component is recommended for this deployment goal:
Other means of deploying a firewall policy are available, such as creating scripts that use the netsh command-line tool, and then running those scripts on each computer in the organization. This guide uses Active Directory as a recommended means of deployment because of its ability to scale to very large organizations.
-**Next: **[Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
+**Next:** [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
index d82a578afb..4f5c2b1cb0 100644
--- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
+++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
@@ -45,4 +45,4 @@ The following components are required for this deployment goal:
- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain.
-**Next: **[Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)
+**Next:** [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
index 66ddfe63d9..b34c8d48ea 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
@@ -49,4 +49,4 @@ The following components are required for this deployment goal:
- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain.
-**Next: **[Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
+**Next:** [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
index 015a1f0957..cbdd8e51d9 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
@@ -59,4 +59,4 @@ The following components are required for this deployment goal:
- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain.
-**Next: **[Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
+**Next:** [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
index a22b209144..dbffb1b8f1 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
@@ -36,4 +36,4 @@ This GPO is identical to the GPO\_DOMISO\_Encryption GPO with the following chan
>**Important:** Earlier versions of Windows support only device-based authentication. If you specify that user authentication is mandatory, only users on devices that are running at least Windows Vista or Windows Server 2008 can connect.
-**Next: **[Planning GPO Deployment](planning-gpo-deployment.md)
+**Next:** [Planning GPO Deployment](planning-gpo-deployment.md)
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
index f693d8a70b..b93e884682 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
@@ -82,4 +82,4 @@ If Woodgrove Bank wants to implement server isolation without domain isolation,
You do not have to include the encryption-capable rules on all devices. Instead, you can create GPOs that are applied only to members of the NAG, in addition to the standard domain isolation GPO, that contain connection security rules to support encryption.
-**Next: **[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
+**Next:** [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
index 8a3e3033be..1eeea3dc76 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
@@ -59,4 +59,4 @@ For more info about this design:
- For a list of tasks that you can use to deploy your server isolation policy design, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md).
-**Next: **[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
+**Next:** [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md
index f5a711db65..d9cd25a523 100644
--- a/windows/security/threat-protection/windows-platform-common-criteria.md
+++ b/windows/security/threat-protection/windows-platform-common-criteria.md
@@ -1,177 +1,177 @@
----
-title: Common Criteria Certifications
-description: This topic details how Microsoft supports the Common Criteria certification program.
-ms.prod: w10
-audience: ITPro
-author: dulcemontemayor
-ms.author: dolmont
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 3/20/2019
-ms.reviewer:
----
-
-# Common Criteria Certifications
-
-Microsoft is committed to optimizing the security of its products and services. As part of that commitment, Microsoft supports the Common Criteria certification program, continues to ensure that products incorporate the features and functions required by relevant Common Criteria protection profiles, and completes Common Criteria certifications of Microsoft Windows products.
-
-## Common Criteria Security Targets
-
-### Information for Systems Integrators and Accreditors
-
-The Security Target describes security functionality and assurance measures used to evaluate Windows.
-
- - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf)
- - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf)
- - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf)
- - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf)
- - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx)
- - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx)
- - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx)
- - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf)
- - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx)
- - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
- - [Windows 10 and Windows Server 2012 R2](http://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf)
- - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
- - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-st.pdf)
- - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-st.pdf)
- - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-st.pdf)
- - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-st.pdf)
- - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-st.pdf)
- - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf)
- - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf)
- - [Windows 7 and Windows Server 2008 R2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf)
- - [Microsoft Windows Server 2008 R2 Hyper-V Role](http://www.microsoft.com/download/en/details.aspx?id=29305)
- - [Windows Vista and Windows Server 2008 at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf)
- - [Microsoft Windows Server 2008 Hyper-V Role](http://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf)
- - [Windows Vista and Windows Server 2008 at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf)
- - [Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and Windows XP Embedded SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10184-st.pdf)
- - [Windows Server 2003 Certificate Server](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf)
- - [Windows Rights Management Services (RMS) 1.0 SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf)
-
-## Common Criteria Deployment and Administration
-
-### Information for IT Administrators
-
-These documents describe how to configure Windows to replicate the configuration used during the Common Criteria evaluation.
-
-**Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2**
-
-
- - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf)
- - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf)
- - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf)
- - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf)
- - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx)
- - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx)
- - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client Operational Guidance](https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20\(21%20dec%202016\)%20\(public\).docx)
- - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf)
- - [Microsoft Windows 10 November 2015 Update with Surface Book Administrative Guide](https://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20\(may%2027,%202016\)\(public\).docx)
- - [Microsoft Windows 10 Mobile and Windows 10 Administrative Guide](https://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf)
- - [Windows 10 and Windows Server 2012 R2 Administrative Guide](https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf)
- - [Windows 10 Common Criteria Operational Guidance](https://download.microsoft.com/download/d/6/f/d6fb4cec-f0f2-4d00-ab2e-63bde3713f44/windows%2010%20mobile%20device%20operational%20guidance.pdf)
-
-**Windows 8.1 and Windows Phone 8.1**
-
- - [Microsoft Surface Pro 3 Common Criteria Mobile Operational Guidance](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
- - [Windows 8.1 and Windows Phone 8.1 CC Supplemental Admin Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx)
-
-**Windows 8, Windows RT, and Windows Server 2012**
-
- - [Windows 8 and Windows Server 2012](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx)
- - [Windows 8 and Windows RT](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx)
- - [Windows 8 and Windows Server 2012 BitLocker](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf)
- - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx)
-
-**Windows 7 and Windows Server 2008 R2**
-
- - [Windows 7 and Windows Server 2008 R2 Supplemental CC Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00)
- - [Windows Server 2008 R2 Hyper-V Common Criteria Configuration Guide](http://www.microsoft.com/download/en/details.aspx?id=29308)
-
-**Windows Vista and Windows Server 2008**
-
- - [Windows Vista and Windows Server 2008 Supplemental CC Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
- - [Windows Server 2008 Hyper-V Role Common Criteria Administrator Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08)
-
-**Windows Server 2003 SP2 including R2, x64, and Itanium**
-
- - [Windows Server 2003 SP2 R2 Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=39598841-e693-4891-9234-cfd1550f3949)
- - [Windows Server 2003 SP2 R2 Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=4f7b6a93-0307-480f-a5af-a20268cbd7cc)
-
-**Windows Server 2003 SP1(x86), x64, and IA64**
-
- - [Windows Server 2003 with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=8a26829f-c177-4b79-913a-4135fb7b96ef)
- - [Windows Server 2003 with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=3f9ecd0a-74dd-4d23-a4e5-d7b63fed70e8)
-
-**Windows Server 2003 SP1**
-
- - [Windows Server 2003 Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=75736009-59e9-4a71-879e-cf581817b8cc)
- - [Windows Server 2003 Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=a0ad1856-beb7-4285-b47c-381e8a210c38)
-
-**Windows XP Professional SP2 (x86) and x64 Edition**
-
- - [Windows XP Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=9a7f0b16-72ce-4675-aec8-58785c4e37ee)
- - [Windows XP Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=165da57d-f066-4ddf-9462-cbecfcd68694)
- - [Windows XP Common Criteria User Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=7c1a4761-9b9e-429c-84eb-cd7b034c5779)
- - [Windows XP Professional with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=346f041e-d641-4af7-bdea-c5a3246d0431)
- - [Windows XP Professional with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=a7075319-cc3d-4420-a00b-8c9a7068ad54)
- - [Windows XP Professional with x64 Hardware User’s Guide](http://www.microsoft.com/downloads/details.aspx?familyid=26c49cf5-6159-4197-97ce-bf1fdfc54569)
-
-**Windows XP Professional SP2, and XP Embedded SP2**
-
- - [Windows XP Professional Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9bcac470-a0b3-4d34-a561-fa8308c0ff60)
- - [Windows XP Professional Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9f04915e-571a-422d-8ffa-5797051e81de)
- - [Windows XP Professional User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=d39d0028-7093-495c-80da-2b5b29a54bd8)
-
-**Windows Server 2003 Certificate Server**
-
- - [Windows Server 2003 Certificate Server Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d)
- - [Windows Server 2003 Certificate Server Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2)
- - [Windows Server 2003 Certificate Server User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e)
-
-## Common Criteria Evaluation Technical Reports and Certification / Validation Reports
-
-### Information for Systems Integrators and Accreditors
-
-An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team.
-
- - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf)
- - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf)
- - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
- - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf)
- - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf)
- - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf)
- - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf)
- - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf)
- - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf)
- - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10694-vr.pdf)
- - [Windows 10 and Windows Server 2012 R2](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf)
- - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-vr.pdf)
- - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-vr.pdf)
- - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-vr.pdf)
- - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-vr.pdf)
- - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-vr.pdf)
- - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-vr.pdf)
- - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf)
- - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf)
- - [Windows 7 and Windows Server 2008 R2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf)
- - [Windows Vista and Windows Server 2008 Validation Report at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf)
- - [Windows Server 2008 Hyper-V Role Certification Report](http://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf)
- - [Windows Vista and Windows Server 2008 Certification Report at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf)
- - [Windows XP / Windows Server 2003 with x64 Hardware ETR](http://www.microsoft.com/downloads/details.aspx?familyid=6e8d98f9-25b9-4c85-9bd9-24d91ea3c9ef)
- - [Windows XP / Windows Server 2003 with x64 Hardware ETR, Part II](http://www.microsoft.com/downloads/details.aspx?familyid=0c35e7d8-9c56-4686-b902-d5ffb9915658)
- - [Windows Server 2003 SP2 including R2, Standard, Enterprise, Datacenter, x64, and Itanium Editions Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
- - [Windows XP Professional SP2 and x64 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
- - [Windows XP Embedded SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
- - [Windows XP and Windows Server 2003 ETR](http://www.microsoft.com/downloads/details.aspx?familyid=63cf2a1e-f578-4bb5-9245-d411f0f64265)
- - [Windows XP and Windows Server 2003 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9506-vr.pdf)
- - [Windows Server 2003 Certificate Server ETR](http://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314)
- - [Windows Server 2003 Certificate Server Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf)
- - [Microsoft Windows Rights Management Services (RMS) 1.0 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf)
-
-## Other Common Criteria Related Documents
-
- - [Identifying Windows XP and Windows Server 2003 Common Criteria Certified Requirements for the NIST Special Publication 800-53](https://download.microsoft.com/download/a/9/6/a96d1dfc-2bd4-408d-8d93-e0ede7529691/xpws03_ccto800-53.doc)
-
+---
+title: Common Criteria Certifications
+description: This topic details how Microsoft supports the Common Criteria certification program.
+ms.prod: w10
+audience: ITPro
+author: dulcemontemayor
+ms.author: dolmont
+manager: dansimp
+ms.collection: M365-identity-device-management
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 3/20/2019
+ms.reviewer:
+---
+
+# Common Criteria Certifications
+
+Microsoft is committed to optimizing the security of its products and services. As part of that commitment, Microsoft supports the Common Criteria certification program, continues to ensure that products incorporate the features and functions required by relevant Common Criteria protection profiles, and completes Common Criteria certifications of Microsoft Windows products.
+
+## Common Criteria Security Targets
+
+### Information for Systems Integrators and Accreditors
+
+The Security Target describes security functionality and assurance measures used to evaluate Windows.
+
+ - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf)
+ - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf)
+ - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf)
+ - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx)
+ - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx)
+ - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf)
+ - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx)
+ - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
+ - [Windows 10 and Windows Server 2012 R2](http://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf)
+ - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
+ - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-st.pdf)
+ - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-st.pdf)
+ - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-st.pdf)
+ - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-st.pdf)
+ - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-st.pdf)
+ - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf)
+ - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf)
+ - [Windows 7 and Windows Server 2008 R2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf)
+ - [Microsoft Windows Server 2008 R2 Hyper-V Role](http://www.microsoft.com/download/en/details.aspx?id=29305)
+ - [Windows Vista and Windows Server 2008 at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf)
+ - [Microsoft Windows Server 2008 Hyper-V Role](http://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf)
+ - [Windows Vista and Windows Server 2008 at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf)
+ - [Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and Windows XP Embedded SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10184-st.pdf)
+ - [Windows Server 2003 Certificate Server](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf)
+ - [Windows Rights Management Services (RMS) 1.0 SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf)
+
+## Common Criteria Deployment and Administration
+
+### Information for IT Administrators
+
+These documents describe how to configure Windows to replicate the configuration used during the Common Criteria evaluation.
+
+**Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2**
+
+
+ - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf)
+ - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf)
+ - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf)
+ - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx)
+ - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client Operational Guidance](https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20\(21%20dec%202016\)%20\(public\).docx)
+ - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf)
+ - [Microsoft Windows 10 November 2015 Update with Surface Book Administrative Guide](https://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20\(may%2027,%202016\)\(public\).docx)
+ - [Microsoft Windows 10 Mobile and Windows 10 Administrative Guide](https://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf)
+ - [Windows 10 and Windows Server 2012 R2 Administrative Guide](https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf)
+ - [Windows 10 Common Criteria Operational Guidance](https://download.microsoft.com/download/d/6/f/d6fb4cec-f0f2-4d00-ab2e-63bde3713f44/windows%2010%20mobile%20device%20operational%20guidance.pdf)
+
+**Windows 8.1 and Windows Phone 8.1**
+
+ - [Microsoft Surface Pro 3 Common Criteria Mobile Operational Guidance](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
+ - [Windows 8.1 and Windows Phone 8.1 CC Supplemental Admin Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx)
+
+**Windows 8, Windows RT, and Windows Server 2012**
+
+ - [Windows 8 and Windows Server 2012](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx)
+ - [Windows 8 and Windows RT](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx)
+ - [Windows 8 and Windows Server 2012 BitLocker](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf)
+ - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx)
+
+**Windows 7 and Windows Server 2008 R2**
+
+ - [Windows 7 and Windows Server 2008 R2 Supplemental CC Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00)
+ - [Windows Server 2008 R2 Hyper-V Common Criteria Configuration Guide](http://www.microsoft.com/download/en/details.aspx?id=29308)
+
+**Windows Vista and Windows Server 2008**
+
+ - [Windows Vista and Windows Server 2008 Supplemental CC Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
+ - [Windows Server 2008 Hyper-V Role Common Criteria Administrator Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08)
+
+**Windows Server 2003 SP2 including R2, x64, and Itanium**
+
+ - [Windows Server 2003 SP2 R2 Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=39598841-e693-4891-9234-cfd1550f3949)
+ - [Windows Server 2003 SP2 R2 Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=4f7b6a93-0307-480f-a5af-a20268cbd7cc)
+
+**Windows Server 2003 SP1(x86), x64, and IA64**
+
+ - [Windows Server 2003 with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=8a26829f-c177-4b79-913a-4135fb7b96ef)
+ - [Windows Server 2003 with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=3f9ecd0a-74dd-4d23-a4e5-d7b63fed70e8)
+
+**Windows Server 2003 SP1**
+
+ - [Windows Server 2003 Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=75736009-59e9-4a71-879e-cf581817b8cc)
+ - [Windows Server 2003 Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=a0ad1856-beb7-4285-b47c-381e8a210c38)
+
+**Windows XP Professional SP2 (x86) and x64 Edition**
+
+ - [Windows XP Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=9a7f0b16-72ce-4675-aec8-58785c4e37ee)
+ - [Windows XP Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=165da57d-f066-4ddf-9462-cbecfcd68694)
+ - [Windows XP Common Criteria User Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=7c1a4761-9b9e-429c-84eb-cd7b034c5779)
+ - [Windows XP Professional with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=346f041e-d641-4af7-bdea-c5a3246d0431)
+ - [Windows XP Professional with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=a7075319-cc3d-4420-a00b-8c9a7068ad54)
+ - [Windows XP Professional with x64 Hardware User’s Guide](http://www.microsoft.com/downloads/details.aspx?familyid=26c49cf5-6159-4197-97ce-bf1fdfc54569)
+
+**Windows XP Professional SP2, and XP Embedded SP2**
+
+ - [Windows XP Professional Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9bcac470-a0b3-4d34-a561-fa8308c0ff60)
+ - [Windows XP Professional Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9f04915e-571a-422d-8ffa-5797051e81de)
+ - [Windows XP Professional User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=d39d0028-7093-495c-80da-2b5b29a54bd8)
+
+**Windows Server 2003 Certificate Server**
+
+ - [Windows Server 2003 Certificate Server Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d)
+ - [Windows Server 2003 Certificate Server Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2)
+ - [Windows Server 2003 Certificate Server User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e)
+
+## Common Criteria Evaluation Technical Reports and Certification / Validation Reports
+
+### Information for Systems Integrators and Accreditors
+
+An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team.
+
+ - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf)
+ - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf)
+ - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
+ - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf)
+ - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf)
+ - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf)
+ - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf)
+ - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10694-vr.pdf)
+ - [Windows 10 and Windows Server 2012 R2](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf)
+ - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-vr.pdf)
+ - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-vr.pdf)
+ - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-vr.pdf)
+ - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-vr.pdf)
+ - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-vr.pdf)
+ - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-vr.pdf)
+ - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf)
+ - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf)
+ - [Windows 7 and Windows Server 2008 R2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf)
+ - [Windows Vista and Windows Server 2008 Validation Report at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf)
+ - [Windows Server 2008 Hyper-V Role Certification Report](http://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf)
+ - [Windows Vista and Windows Server 2008 Certification Report at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf)
+ - [Windows XP / Windows Server 2003 with x64 Hardware ETR](http://www.microsoft.com/downloads/details.aspx?familyid=6e8d98f9-25b9-4c85-9bd9-24d91ea3c9ef)
+ - [Windows XP / Windows Server 2003 with x64 Hardware ETR, Part II](http://www.microsoft.com/downloads/details.aspx?familyid=0c35e7d8-9c56-4686-b902-d5ffb9915658)
+ - [Windows Server 2003 SP2 including R2, Standard, Enterprise, Datacenter, x64, and Itanium Editions Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
+ - [Windows XP Professional SP2 and x64 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
+ - [Windows XP Embedded SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
+ - [Windows XP and Windows Server 2003 ETR](http://www.microsoft.com/downloads/details.aspx?familyid=63cf2a1e-f578-4bb5-9245-d411f0f64265)
+ - [Windows XP and Windows Server 2003 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9506-vr.pdf)
+ - [Windows Server 2003 Certificate Server ETR](http://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314)
+ - [Windows Server 2003 Certificate Server Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf)
+ - [Microsoft Windows Rights Management Services (RMS) 1.0 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf)
+
+## Other Common Criteria Related Documents
+
+ - [Identifying Windows XP and Windows Server 2003 Common Criteria Certified Requirements for the NIST Special Publication 800-53](https://download.microsoft.com/download/a/9/6/a96d1dfc-2bd4-408d-8d93-e0ede7529691/xpws03_ccto800-53.doc)
+
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/TOC.md b/windows/security/threat-protection/windows-security-configuration-framework/TOC.md
index 8ea1c320ba..4d844ddf4c 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/TOC.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/TOC.md
@@ -4,8 +4,8 @@
### [Security Compliance Toolkit](security-compliance-toolkit-10.md)
### [Get support](get-support-for-security-baselines.md)
## [Windows security configuration framework](windows-security-configuration-framework.md)
-### [Level 5 enterprise security](level-5-enterprise-security.md)
-### [Level 4 enterprise high security](level-4-enterprise-high-security.md)
-### [Level 3 enterprise VIP security](level-3-enterprise-vip-security.md)
-### [Level 2 enterprise dev/ops workstation](level-2-enterprise-devops-security.md)
-### [Level 1 enterprise administrator workstation](level-1-enterprise-administrator-security.md)
+### [Level 1 enterprise basic security](level-1-enterprise-basic-security.md)
+### [Level 2 enterprise enhanced security](level-2-enterprise-enhanced-security.md)
+### [Level 3 enterprise high security](level-3-enterprise-high-security.md)
+### [Level 4 enterprise dev/ops workstation](level-4-enterprise-devops-security.md)
+### [Level 5 enterprise administrator workstation](level-5-enterprise-administrator-security.md)
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png b/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png
index 06f66acf99..242f5dd9bc 100644
Binary files a/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png and b/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png differ
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-classification.png b/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-classification.png
deleted file mode 100644
index 75467f2098..0000000000
Binary files a/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-classification.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-deployment-methodologies.png b/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-deployment-methodologies.png
deleted file mode 100644
index 4f869474e2..0000000000
Binary files a/windows/security/threat-protection/windows-security-configuration-framework/images/security-control-deployment-methodologies.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md
new file mode 100644
index 0000000000..60e0c1e82c
--- /dev/null
+++ b/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md
@@ -0,0 +1,358 @@
+---
+title: Level 1 enterprise basic security configuration
+description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 1 enterprise security configuration.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.author: appcompatguy
+author: appcompatguy
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 05/29/2019
+---
+
+# Level 1 Enterprise Basic Security configuration
+
+**Applies to**
+
+- Windows 10
+
+Level 1 is the minimum security configuration for an enterprise device.
+Microsoft recommends the following configuration for level 1 devices.
+
+## Hardware
+
+Devices targeting Level 1 should support the following hardware features:
+
+- [Trusted Platform Module (TPM) 2.0](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-tpm)
+- [Bitlocker Drive Encryption](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-bitlocker)
+- [UEFI Secure Boot](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-secure-boot)
+- Drivers and Firmware Distributed through Windows Update
+
+## Policies
+
+The policies in level 1 enforce a reasonable security level while minimizing the impact to users or to applications.
+Microsoft recommends using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for these security configurations and controls, noting that the timeline can generally be short given the limited potential impact of the security controls.
+
+### Security Template Policies
+
+| Feature | Policy Setting | Policy Value | Description |
+|-------------------------|--------------------------------------------------------------------------------------------------|---------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Account Lockout | Account Lockout Duration | 15 | The number of minutes a locked-out account remains locked out before automatically becoming unlocked. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time. |
+| Account Lockout | Account Lockout Threshold | 10 | The number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. |
+| Account Lockout | Reset account lockout conter after | 15 | The number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. |
+| Password Policy | Enforce password history | 24 | The number of unique new passwords that must be associated with a user account before an old password can be reused. |
+| Password Policy | Minimum password length | 14 | The least number of characters that a password for a user account may contain. |
+| Password Policy | Password must meet complexity requirements | Enabled | Determines whether passwords must meet complexity requirements:
1) Not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither check is case sensitive.
The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed to not be included in the password. Tokens that are less than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.
2) Contain characters from three of the following categories:
- Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- Base 10 digits (0 through 9)
-Non-alphanumeric characters (special characters):
(~!@#$%^&*_-+=`\|\\(){}[]:;"'<>,.?/)
Currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting.
- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages. |
+| Password Policy | Store passwords using reversible encryption | Disabled | Determines whether the operating system stores passwords using reversible encryption. |
+| Security Options | Accounts: Limit local account use of blank passwords to console logon only | Enabled | This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. |
+| Security Options | Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled | Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category level, and existing Group Policy may override the subcategory settings of new machines as they are joined to the domain or upgraded. To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool. |
+| Security Options | Domain member: Digitally encrypt or sign secure channel data (always) | Enabled | This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. This setting determines whether all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:
- Domain member: Digitally encrypt secure channel data (when possible)
- Domain member: Digitally sign secure channel data (when possible) |
+| Security Options | Domain member: Digitally encrypt secure channel data (when possible) | Enabled | This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise, only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption. |
+| Security Options | Domain member: Digitally sign secure channel data (when possible) | Enabled | This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed, which ensures that it cannot be tampered with in transit. |
+| Security Options | Domain member: Disable machine account password changes | Disabled | Determines whether a domain member periodically changes its computer account password. |
+| Security Options | Domain member: Maximum machine account password age | 30 | Determines how often a domain member will attempt to change its computer account password |
+| Security Options | Domain member: require strong (Windows 2000 or later) session key | Enabled | Determines whether 128-bit key strength is required for encrypted secure channel data |
+| Security Options | Interactive logon: Machine inactivity limit | 900 | The number of seconds of inactivity before the session is locked |
+| Security Options | Interactive logon: Smart card removal behavior | Lock Workstation | This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. If you click **Lock Workstation** in the **Properties** for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart cards with them, and still maintain protected sessions. For this setting to work beginning with Windows Vista, the Smart Card Removal Policy service must be started. |
+| Security Options | Microsoft network client: Digitally sign communications (always) | Enabled | This security setting determines whether packet signing is required by the SMB client component. |
+| Security Options | Microsoft network client: Send unencrypted password to third party SMB servers| Disabled | If this security setting is enabled, the Server Message Block (SMB) redirector can send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Sending unencrypted passwords is a security risk. |
+| Security Options | Microsoft network server: Digitally sign communications (always) | Enabled | This security setting determines whether packet signing is required by the SMB server component. |
+| Security Options | Network access: Allow anonymous SID/Name translation | Disabled | This security setting determines if an anonymous user can request security identifier (SID) attributes for another user. If this policy is enabled, a user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. |
+| Security Options | Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. This security option allows additional restrictions to be placed on anonymous connections as follows: Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. |
+| Security Options | Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. |
+| Security Options | Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:
- Network access: Named pipes that can be accessed anonymously
- Network access: Shares that can be accessed anonymously |
+| Security Options | Network access: Restrict clients allowed to make remote calls to SAM | O:BAG:BAD:(A;;RC;;;BA) | This policy setting allows you to restrict remote RPC connections to SAM. If not selected, the default security descriptor will be used. |
+| Security Options | Network security: Allow LocalSystem NULL session fallback | Disabled | Allow NTLM to fall back to NULL session when used with LocalSystem |
+| Security Options | Network security: Do not store LAN Manager hash value on next password change | Enabled | This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. |
+| Security Options | Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM | This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: Send NTLMv2 response only\\refuse LM & NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). |
+| Security Options | Network security: LDAP client signing requirements | Negotiate signing | This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows: Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\\SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller. |
+| Security Options | Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require NTLMv2 session security and Require 128-bit encryption | This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. |
+| Security Options | Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require NTLMv2 session security and Require 128-bit encryption | This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. |
+| Security Options | System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled | This security setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. If this policy is enabled, the default DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify shared objects that they did not create. |
+| Security Options | User Account Control: Admin approval mode for the built-in administrator | Enabled | The built-in Administrator account uses Admin Approval Mode - any operation that requires elevation of privilege will prompt to user to approve that operation |
+| Security Options | User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop | When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. |
+| Security Options | User Account Control: Detect application installations and prompt for elevation | Enabled | When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. |
+| Security Options | User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled | This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - …\\Program Files\\, including subfolders - …\\Windows\\system32\\ - …\\Program Files (x86)\\, including subfolders for 64-bit versions of Windows |
+| Security Options | User Account Control: Run all Administrators in admin approval mode | Enabled | This policy must be enabled, and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. |
+| Security Options | User Account Control: Virtualize file and registry write failures to per-user locations | Enabled | This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software. |
+| User Rights Assignments | Access Credential Manager as a trusted caller | No One (blank) | This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users saved credentials might be compromised if this privilege is given to other entities.|
+| User Rights Assignment | Access this computer from the network | Administrators; Remote Desktop Users | This user right determines which users and groups can connect to the computer over the network. Remote Desktop Services are not affected by this user right. |
+| User Rights Assignments | Act as part of the operating system | No One (blank) | This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. |
+| User Rights Assignments | Allow log on locally | Administrators; Users | Determines which users can log on to the computer |
+| User Rights Assignments | Back up files and directories | Administrators | Determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system |
+| User Rights Assignments | Create a pagefile | Administrators | Determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file |
+| User Rights Assignments | Create a token object | No One (blank) | Determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. |
+| User Rights Assignments | Create global objects | Administrators; LOCAL SERVICE; NETWORK SERVICE; SERVICE | This security setting determines whether users can create global objects that are available to all sessions. |
+| User Rights Assignments | Create permanent shared objects | No One (blank) | Determines which accounts can be used by processes to create a directory object using the object manager |
+| User Rights Assignments | Debug programs | Administrators | Determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. |
+| User Rights Assignment | Enable computer and user accounts to be trusted for delegation | No One (blank) | This security setting determines which users can set the Trusted for Delegation setting on a user or computer object. |
+| User Rights Assignments | Force shutdown from a remote system | Administrators | Determines which users can shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. |
+| User Rights Assignment | Impersonate a client after authentication | Administrators, SERVICE, Local Service, Network Service | Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. |
+| User Rights Assignments | Load and unload device drivers | Administrators | Determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
+| User Rights Assignment | Lock pages in memory | No One (blank) | Determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random-access memory (RAM). |
+| User Rights Assignments | Manage auditing and security log | Administrators | Determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. |
+| User Rights Assignments | Modify firmware environment variables | Administrators | Determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. |
+| User Rights Assignment | Perform volume maintenance tasks | Administrators | This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. |
+| User Rights Assignment | Profile single process | Administrators | This security setting determines which users can use performance monitoring tools to monitor the performance of non-system processes. |
+| User Rights Assignments | Restore files and directories | Administrators | Determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object |
+| User Rights Assignments | Take ownership of files or other objects | Administrators | Determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads |
+
+### Advanced Audit Policies
+
+| Feature | Policy Setting | Policy Value | Description |
+|---------|----------------|--------------|-------------|
+| Account Logon | Audit Credential Validation | Success and Failure | Audit events generated by validation tests on user account logon credentials. Occurs only on the computer that is authoritative for those credentials. |
+| Account Management | Audit Security Group Management | Success | Audit events generated by changes to security groups, such as creating, changing or deleting security groups, adding or removing members, or changing group type. |
+| Account Management | Audit User Account Management | Success and Failure | Audit changes to user accounts. Events include creating, changing, deleting user accounts; renaming, disabling, enabling, locking out, or unlocking accounts; setting or changing a user account’s password; adding a security identifier (SID) to the SID History of a user account; configuring the Directory Services Restore Mode password; changing permissions on administrative user accounts; backing up or restoring Credential Manager credentials |
+| Detailed Tracking | Audit PNP Activity | Success | Audit when plug and play detects an external device |
+| Detailed Tracking | Audit Process Creation | Success | Audit events generated when a process is created or starts; the name of the application or user that created the process is also audited |
+| Logon/ Logoff | Audit Account Lockout | Failure | Audit events generated by a failed attempt to log on to an account that is locked out |
+| Logon/ Logoff | Audit Group Membership | Success | Audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. |
+| Logon/ Logoff | Audit Logon | Success and Failure | Audit events generated by user account logon attempts on the computer |
+| Logon/ Logoff | Audit Other Logon / Logoff Events | Success and Failure | Audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting, such as Terminal Services session disconnections, new Terminal Services sessions locking and unlocking a workstation, invoking or dismissing a screen saver, detection of a Kerberos replay attack, or access to a wireless network granted to a user or computer account |
+| Logon/ Logoff | Audit Special Logon | Success | Audit events generated by special logons such as the use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level, or a logon by a member of a Special Group (Special Groups enable you to audit events generated when a member of a certain group has logged on to your network) |
+| Object Access | Audit Detailed File Share | Failure | Audit attempts to access files and folders on a shared folder; the Detailed File Share setting logs an event every time a file or folder is accessed |
+| Object Access | Audit File Share | Success and Failure | Audit attempts to access a shared folder; an audit event is generated when an attempt is made to access a shared folder |
+| Object Access | Audit Other Object Access Events | Success and Failure | Audit events generated by the management of task scheduler jobs or COM+ objects |
+| Object Access | Audit Removable Storage | Success and Failure | Audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. |
+| Policy Change | Audit Audit Policy Change | Success | Audit changes in the security audit policy settings |
+| Policy Change | Audit Authentication Policy Change | Success | Audit events generated by changes to the authentication policy |
+| Policy Change | Audit MPSSVC Rule-Level Policy Change | Success and Failure | Audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. |
+| Policy Change | Audit Other Policy Change Events | Failure | Audit events generated by other security policy changes that are not audited in the policy change category, such as Trusted Platform Module (TPM) configuration changes, kernel-mode cryptographic self tests, cryptographic provider operations, cryptographic context operations or modifications, applied Central Access Policies (CAPs) changes, or boot Configuration Data (BCD) modifications |
+| Privilege Use | Audit Sensitive Privilege Use | Success and Failure | Audit events generated when sensitive privileges (user rights) are used |
+| System | Audit Other System Events | Success and Failure | Audit any of the following events: Startup and shutdown of the Windows Firewall service and driver, security policy processing by the Windows Firewall Service, cryptography key file and migration operations. |
+| System | Audit Security State Change | Success | Audit events generated by changes in the security state of the computer such as startup and shutdown of the computer, change of system time, recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. |
+| System | Audit Security System Extension | Success | Audit events related to security system extensions or services |
+| System | Audit System Integrity | Success and Failure | Audit events that violate the integrity of the security subsystem |
+
+### Windows Defender Firewall Policies
+
+| Feature | Policy Setting | Policy Value | Description |
+|---------|----------------|--------------|-------------|
+| Domain Profile / State | Firewall State | On | Enables the firewall when connected to the domain profile |
+| Domain Profile / State | Inbound Connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the domain profile |
+| Domain Profile / State | Outbound Connections | Allow | Outbound connections for which there is no rule blocking the connection will be allowed in the domain profile |
+| Domain Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the domain profile |
+| Domain Profile / Logging | Size Limit | 16384 | Sets the firewall log file size for a domain connection |
+| Domain Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a domain connection |
+| Domain Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a domain connection |
+| Private Profile / State | Firewall State | On | Enables the firewall when connected to the private profile |
+| Private Profile / State | Inbound Connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the private profile |
+| Private Profile / State | Outbound Connections | Allow | Outbound connections for which there is no rule blocking the connection will be allowed in the private profile |
+| Private Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the private profile |
+| Private Profile / Logging | Size Limit | 16384 | Sets the firewall log file size for a private connection |
+| Private Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a private connection |
+| Private Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a private connection |
+| Public Profile / State | Firewall State | On | Enables the firewall when connected to the public profile |
+| Public Profile / State | Inbound Connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the public profile |
+| Public Profile / State | Outbound Connections | Allow | Outbound connections for which there is no rule blocking the connection will be allowed in the public profile |
+| Public Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the public profile |
+| Public Profile / Settings | Apply local firewall rules | No | Users cannot create new firewall rules |
+| Public Profile / Settings | Apply local connection security rules | No | Ensures local connection rules will not be merged with Group Policy settings in the domain |
+| Public Profile / Logging | Size Limit | 16384 | Sets the firewall log file size for a public connection |
+| Public Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a public connection |
+| Public Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a public connection |
+
+### Computer Policies
+
+| Feature | Policy Setting | Policy Value | Description |
+|---------|----------------|--------------|-------------|
+| LAPS | Enable local admin password management | Enabled | Activates LAPS for the device |
+| MS Security Guide | Apply UAC restrictions to local accounts on network logon | Enabled | Filters the user account token for built-in administrator accounts for network logons |
+| MS Security Guide | Configure SMB v1 client driver | Disable driver (recommended) | Configure the startup mode for the kernel mode driver that implements client-side SMBv1 processing (MrxSmb10). This setting includes a dropdown that is activated when the Enabled radio button is selected and that controls the “Start” registry value in HKLM\\SYSTEM\\CurrentControlSet\\Services\\MrxSmb10. |
+| MS Security Guide | Configure SMB v1 server | Disabled | Disable or enable server-side processing of the SMBv1 protocol |
+| MS Security Guide | Enabled Structured Exception Handling Overwrite Protection (SEHOP)| Enabled | This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option. We recommend that Windows users who are running any of the above operating systems enable this feature to improve the security profile of their systems. |
+| MS Security Guide | NetBT NodeType Configuration | P-node (recommended) | The NetBT NodeType setting determines what methods NetBT uses to register and resolve names:
- A B-node computer uses broadcasts.
- A P-node computer uses only point-to-point name queries to a name server (WINS).
- An M-node computer broadcasts first, and then queries the name server.
- An H-node computer queries the name server first, and then broadcasts.
Resolution through LMHOSTS or DNS follows these methods. If the NodeType value is present, it overrides any DhcpNodeType value.
If neither NodeType nor DhcpNodeType is present, the computer uses B-node if there are no WINS servers configured for the network, or H-node if there is at least one WINS server configured. |
+| MS Security Guide | WDigest Authentication | Disabled | When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. WDigest is disabled by default in Windows 10. This setting ensures this is enforced. |
+| MSS | MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (Protects against packet spoofing) | Highest Protection, source routing is completely disabled | Allowing source routed network traffic allows attackers to obscure their identity and location. |
+| MSS | MSS: (DisableIPSourceRouting) IP source routing protection level (Protects against packet spoofing) | Highest Protection, source routing is completely disabled | Allowing source routed network traffic allows attackers to obscure their identity and location. |
+| MSS | MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Disabled | Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via shortest path first. |
+| MSS | MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Enabled | Prevents a denial-of-service (DoS) attack against a WINS server. The DoS consists of sending a NetBIOS Name Release Request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability. |
+| Network / DNS Client | Turn off multicast name resolution | Enabled | Specifies that link local multicast name resolution (LLMNR) is disabled on client computers.
LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible.
If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer.
If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters.|
+| Network / Lanman Workstation | Enable insecure guest logons | Disabled | Determines if the SMB client will allow insecure guest logons to an SMB server |
+| Network / Network Connections | Prohibit use of Internet Connection Sharing on your DNS domain network | Enabled | Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. |
+| Network / Network Provider | Hardened UNC Paths | \\\\\*\\SYSVOL and \\\\\*\\NETLOGON RequireMutualAuthentication = 1, RequireIntegrity = 1 | This policy setting configures secure access to UNC paths. If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. |
+| Network / Windows Connection Manager | Prohibit connection to non-domain networks when connected to domain authenticated network | Enabled | This policy setting prevents computers from connecting to both a domain-based network and a non-domain-based network at the same time. |
+| System / Credentials Delegation | Encryption Oracle Remediation | Force Updated Clients | Enryption Oracle Remediation |
+| System / Credentials Delegation | Remote host allows delegation of non-exportable credentials | Enabled | When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode. |
+| System / Device Installation / Device Installation Restrictions | Prevent installation of devices that match any of these device IDs | [[[main setting]]] = Enabled
Also apply to matching devices that are already installed = True
1 = PCI\CC_0C0A | This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. if you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in a list that you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. |
+| System / Device Installation / Device Installation Restrictions | Prevent installation of devices using drivers that match these device setup classes | [[[main setting]]] = Enabled
Also apply to matching devices that are already installed = True
1 = {d48179be-ec20-11d1-b6b8-00c04fa372a7} | This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. if you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. |
+| System / Early Launch Antimalware | Boot-Start Driver Initialization Policy | Good, unknown and bad but critical | Allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:
- Good: The driver has been signed and has not been tampered with.
- Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.
- Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.
- Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver.
If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started.
If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped.
If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. |
+| System / Group Policy | Configure registry policy processing | Process even if the Group Policy objects have not changed = True
Do not apply during periodic background processing = False | Determines when registry policies are updated.
This policy setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program implementing a registry policy set when it was installed.
If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system.
The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart.
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. |
+| System / Internet Communication Management / Internet Communication settings| Turn off Internet download for Web publishing and online ordering wizards | Enabled | This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. |
+| System / Kernel DMA Protection | Enumeration policy for external devices incompatible with Kernel DMA Protection | Block all | Enumeration policy for external DMA-capable devices incompatible with DMA remapping. This policy only takes effect when Kernel DMA Protection is enabled and supported by the system. Note: this policy does not apply to 1394, PCMCIA or ExpressCard devices. |
+| System / Power Management / Sleep Settings | Require a password when a computer wakes (on battery) | Enabled | Specifies whether the user is prompted for a password when the system resumes from sleep |
+| System / Power Management / Sleep Settings | Require a password when a computer wakes (plugged in) | Enabled | Specifies whether the user is prompted for a password when the system resumes from sleep |
+| System / Remote Procedure Call | Restrict Unauthenticated RPC clients | Authenticated | Controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. |
+| System / Service Control Manager Settings / Security Settings | Enable svchost.exe mitigation options | Enabled | Enables process mitigation options on svchost.exe processes.
If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. This includes a policy requiring all binaries loaded in these processes to be signed by microsoft, as well as a policy disallowing dynamically-generated code.
If you disable or do not configure this policy setting, these stricter security settings will not be applied. |
+| Windows Components / App runtime | Allow Microsoft accounts to be optional | Enabled | Lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. |
+| Windows Components / AutoPlay Policies | Disallow Autoplay for non-volume devices | Enabled | Disallows AutoPlay for MTP devices like cameras or phones. |
+| Windows Components / AutoPlay Policies | Set the default behavior for AutoRun | Do not execute any autorun commands | Sets the default behavior for Autorun commands. |
+| Windows Components / AutoPlay Policies | Turn off Autoplay | All Drives | Allows you to turn off the Autoplay feature. |
+| Windows Components / Biometrics / Facial Features | Configure enhanced anti-spoofing | Enabled | Determines whether enhanced anti-spoofing is required for Windows Hello face authentication |
+| Windows Components / BitLocker Drive Encryption | Disable new DMA devices when this computer is locked | Enabled | Allows you to block direct memory access (DMA) for all Thunderbolt hot pluggable PCI downstream ports until a user logs into Windows |
+| Windows Components / BitLocker Drive Encryption / Operating System Drives | Allow enhanced PINs for startup | Enabled | Allows you to configure whether enhanced startup PINs are used with BitLocker |
+| Windows Components / Event Log Service / Application | Specify the maximum log file size (KB) | 32768 | Specifies the maximum size of the log file in kilobytes. |
+| Windows Components / Event Log Service / Security | Specify the maximum log file size (KB) | 196608 | Specifies the maximum size of the log file in kilobytes. |
+| Windows Components / Event Log Service / System | Specify the maximum log file size (KB) | Enabled: 32768 | Specifies the maximum size of the log file in kilobytes. |
+| Windows Components / File Explorer | Configure Windows Defender SmartScreen | [[[main setting]]] = Enabled
Pick one of the following settings = Warn and prevent bypass | Configure whether to turn on Windows Defender SmartScreen to provide warning messages to help protect your employees from potential phishing scams and malicious software|
+| Windows Components / Internet Explorer | Prevent managing SmartScreen Filter | On | Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. |
+| Windows Components / Internet Explorer | Specify use of ActiveX Installer Service for installation of ActiveX controls | Enabled | This policy setting allows you to specify how ActiveX controls are installed. If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls. If you disable or do not configure this policy setting, ActiveX controls, including per-user controls, are installed through the standard installation process. |
+| Windows Components / Internet Explorer | Turn off the Security Settings Check feature | Disabled | This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk. If you enable this policy setting, the feature is turned off. If you disable or do not configure this policy setting, the feature is turned on. |
+| Windows Components / Internet Explorer / Internet Control Panel | Prevent ignoring certificate errors | Enabled | This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer. |
+| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Allow software to run or install even if the signature is invalid | Disabled | This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file. |
+| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Check for server certificate revocation | Enabled | Allows you to manage whether Internet Explorer will check revocation status of servers' certificates |
+| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Check for signatures on downloaded programs | Enabled | This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs. |
+| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn off encryption support | Use TLS 1.1 and TLS 1.2 | This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each other’s list of supported protocols and versions, and they select the most preferred match. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page | Turn on certificate address mismatch warning | Enabled | This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Access data sources across domains | Disable | This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow cut copy or paste operations from the clipboard via script | Disable | This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow drag and drop or copy and paste files | Disable | This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow loading of XAML files | Disable | This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow only approved domains to use ActiveX controls without prompt | Enable | This policy setting controls whether the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow only approved domains to use the TDC ActiveX control | Enable | This policy setting controls whether the user can run the TDC ActiveX control on websites. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow scripting of Internet Explorer WebBrowser controls | Disable | This policy setting determines whether a page can control embedded WebBrowser controls via script. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow script-initiated windows without size or position constraints | Disable | This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow scriptlets | Disable | This policy setting allows you to manage whether the user can run scriptlets. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow updates to status bar via script | Disable | This policy setting allows you to manage whether script can update the status bar within the zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow VBScript to run in Internet Explorer | Disable | This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Automatic prompting for file downloads | Disable | This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Don't run antimalware programs against ActiveX controls | Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Download unsigned ActiveX controls | Disable | This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Enable dragging of content from different domains across windows | Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Enable dragging of content from different domains within a window | Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Include local path when user is uploading files to a server | Disable | This policy setting controls whether local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Initialize and script ActiveX controls not marked as safe | Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Java permissions | Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Launching applications and files in an IFRAME | Disable | This policy setting allows you to manage whether applications may be run, and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Logon options | Prompt for user name and password | This policy setting allows you to manage settings for logon options. Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Navigate windows and frames across different domains | Disable | This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Run .NET Framework-reliant components not signed with Authenticode | Disable | This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Run .NET Framework-reliant components signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Show security warning for potentially unsafe files | Prompt | This policy setting controls whether the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on Cross-Site Scripting Filter | Enabled: Enable | Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on Protected Mode | Enable | Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on SmartScreen Filter scan | Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Use Pop-up Blocker | Enabled: Enable | Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Userdata persistence | Disable | This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Web sites in less privileged Web content zones can navigate into this zone | Disable | This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Initialize and script ActiveX controls not marked as safe | Enabled: Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Java permissions | Enabled: High Safety | Allows you to manage permissions for Java applets. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Local Machine Zone | Don't run antimalware programs against ActiveX controls | Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Local Machine Zone | Java permissions | Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-down Internet Zone | Turn on SmartScreen Filter scan | Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Intranet Zone | Java permissions | Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Local Machine Zone | Java permissions | Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone | Java permissions | Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Trusted Sites Zone | Java permissions | Disable Java | Allows you to configure policy settings according to the default for the selected security level, such Low, Medium, or High. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Access data sources across domains | Enabled: Disable | This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow active scripting | Disable | This policy setting allows you to manage whether script code on pages in the zone is run. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow binary and script behaviors | Disable | This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow cut copy or paste operations from the clipboard via script | Enabled: Disable | This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow drag and drop or copy and paste files | Disable | This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow file downloads | Disable | This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow loading of XAML files | Disable | This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow META REFRESH | Disable | This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow only approved domains to use ActiveX controls without prompt | Enable | This policy setting controls whether the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow only approved domains to use the TDC ActiveX control | Enable | This policy setting controls whether the user can run the TDC ActiveX control on websites. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow scripting of Internet Explorer WebBrowser controls | Disable | This policy setting determines whether a page can control embedded WebBrowser controls via script. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow script-initiated windows without size or position constraints | Enabled: Disable | This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow scriptlets | Disable | This policy setting allows you to manage whether the user can run scriptlets. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow updates to status bar via script | Disable | This policy setting allows you to manage whether script can update the status bar within the zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow VBScript to run in Internet Explorer | Disable | This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Automatic prompting for file downloads | Disable | This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Don't run antimalware programs against ActiveX controls | Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Download signed ActiveX controls | Disable | This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Download unsigned ActiveX controls | Disable | This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Enable dragging of content from different domains across windows | Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Enable dragging of content from different domains within a window | Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Include local path when user is uploading files to a server | Disable | This policy setting controls whether local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Initialize and script ActiveX controls not marked as safe | Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Java permissions | Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Launching applications and files in an IFRAME | Disable | This policy setting allows you to manage whether applications may be run, and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Logon options | Anonymous logon | This policy setting allows you to manage settings for logon options. Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Navigate windows and frames across different domains | Enabled: Disable | This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run .NET Framework-reliant components not signed with Authenticode | Disable | This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run .NET Framework-reliant components signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run ActiveX controls and plugins | Enabled: Disable | This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Script ActiveX controls marked safe for scripting | Disable | This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Scripting of Java applets | Disable | This policy setting allows you to manage whether applets are exposed to scripts within the zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Show security warning for potentially unsafe files | Disable | This policy setting controls whether the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). If you disable this policy setting, these files do not open. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on Cross-Site Scripting Filter | Enable | Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on Protected Mode | Enable | Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Use Pop-up Blocker | Enable | Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Userdata persistence | Disable | This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Web sites in less privileged Web content zones can navigate into this zone | Disable | This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Don't run antimalware programs against ActiveX controls | Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Initialize and script ActiveX controls not marked as safe | Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Java permissions | High Safety | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. High Safety enables applets to run in their sandbox. |
+| Windows Components / Internet Explorer / Security Features | Allow fallback to SSL 3.0 (Internet Explorer) | No sites | Allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails. |
+| Windows Components / Internet Explorer / Security Features / Add-on Management | Remove "Run this time" button for outdated ActiveX controls in Internet Explorer | Enabled | This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX controls in Internet Explorer. |
+| Windows Components / Internet Explorer / Security Features / Add-on Management | Turn off blocking of outdated ActiveX controls for Internet Explorer | Disabled | This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. |
+| Windows Components / Internet Explorer / Security Features / Consistent Mime Handling | Internet Explorer Processes | Enabled | Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension. If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files. |
+| Windows Components / Internet Explorer / Security Features / Mime Sniffing Safety Feature | Internet Explorer Processes | Enabled | This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. |
+| Windows Components / Internet Explorer / Security Features / MK Protocol Security Restriction | Internet Explorer Processes | Enabled | The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail. If you enable this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. |
+| Windows Components / Internet Explorer / Security Features / Notification Bar | Internet Explorer Processes | Enabled | This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes. If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes. |
+| Windows Components / Internet Explorer / Security Features / Protection from Zone Elevation | Internet Explorer Processes | Enabled | Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context. If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. |
+| Windows Components / Internet Explorer / Security Features / Restrict ActiveX Install | Internet Explorer Processes | Enabled | This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes. |
+| Windows Components / Internet Explorer / Security Features / Restrict File Download | Internet Explorer Processes | Enabled | This policy setting enables blocking of file download prompts that are not user initiated. If you enable this policy setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes. |
+| Windows Components / Internet Explorer / Security Features / Scripted Window Security Restrictions | Internet Explorer Processes | Enabled | Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. If you enable this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. |
+| Windows Components / Microsoft Edge | Configure Windows Defender SmartScreen | Enabled | Configures whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on. If you enable this setting, Windows Defender SmartScreen is turned on and employees can't turn it off. If you disable this setting, Windows Defender SmartScreen is turned off and employees can't turn it on. If you don't configure this setting, employees can choose whether to use Windows Defender SmartScreen. |
+| Windows Components / Microsoft Edge | Prevent certificate error overrides | Enabled | Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. If enabled, overriding certificate errors are not allowed. If disabled or not configured, overriding certificate errors are allowed. |
+| Windows Components / Remote Desktop Services / Remote Desktop Connection Client | Do not allow passwords to be saved | Enabled | Controls whether passwords can be saved on this computer from Remote Desktop Connection. |
+| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Always prompt for password upon connection | Enabled | This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. |
+| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Require secure RPC communication | Enabled | Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. |
+| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Set client connection encryption level | High Level | Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. |
+| Windows Components / RSS Feeds | Prevent downloading of enclosures | Enabled | This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. if you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs. If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. |
+| Windows Components / Search | Allow indexing of encrypted files | Disabled | This policy setting allows encrypted items to be indexed. if you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting the search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores. This policy setting is not configured by default. If you do not configure this policy setting the local setting configured through Control Panel will be used. By default, the Control Panel setting is set to not index encrypted content. When this setting is enabled or disabled the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. |
+| Windows Components / Windows Defender Antivirus / MAPS | Join Microsoft MAPS | Advanced MAPS | Allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. |
+| Windows Components / Windows Defender Antivirus | Turn off Windows Defender Antivirus | Disabled | Turns off Windows Defender Antivirus |
+| Windows Components / Windows Defender Antivirus / MAPS | Send file samples when further analysis is required | Enabled: Send safe samples | Configures behavior of samples submission when opt-in for MAPS telemetry is set |
+| Windows Components / Windows Defender Antivirus / Real-time Protection | Turn off real-time protection | Disabled | Turns off real-time protection prompts for known malware detection |
+| Windows Components / Windows Defender Antivirus / Real-time Protection | Turn on behavior monitoring | Enabled | Allows you to configure behavior monitoring. |
+| Windows Components / Windows Defender Antivirus / Scan | Scan removable drives | Enabled | Allows you to manage whether to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. |
+| Windows Components / Windows Defender Antivirus / Scan | Specify the interval to run quick scans per day | 24 | Allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). |
+| Windows Components / Windows Defender SmartScreen / Explorer | Configure Windows Defender SmartScreen | [[[main setting]]] = Enabled
Pick one of the following settings = Warn and prevent bypass | Turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options:
- Warn and prevent bypass
- Warn
If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app. If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that app if the user tells SmartScreen to run the app. If you disable this policy, SmartScreen will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet. If you do not configure this policy, SmartScreen will be enabled by default, but users may change their settings. |
+| Windows Components / Windows Defender SmartScreen / Microsoft Edge | Configure Windows Defender SmartScreen | Enabled | Turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. If you enable this policy, SmartScreen will be turned on for all users. |
+| Windows Components / Windows Ink Workspace | Allow Windows Ink Workspace | On, but disallow access above lock | Allow Windows Ink Workspace |
+| Windows Components / Windows Installer | Allow user control over installs | Disabled | Permits users to change installation options that typically are available only to system administrators |
+| Windows Components / Windows Installer | Always install with elevated privileges | Disabled | Directs Windows Installer to use elevated permissions when it installs any program on the system |
+| Windows Components / Windows Logon Options | Sign-in last interactive user automatically after a system-initiated restart | Disabled | Controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system |
+| Windows Components / Windows PowerShell | Turn on PowerShell Script Block Logging | Enabled | This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. |
+| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Allow Basic authentication | Disabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. |
+| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Allow unencrypted traffic | Disabled | Manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network |
+| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Disallow Digest authentication | Enabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication. |
+| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Allow Basic authentication | Disabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. |
+| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Allow unencrypted traffic | Disabled | Manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. |
+| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Disallow WinRM from storing RunAs credentials | Enabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins. |
+
+
+## Controls
+
+The controls enabled in level 1 enforce a reasonable security level while minimizing the impact to users and applications.
+
+| Feature | Config | Description |
+|-----------------------------------|-------------------------------------|--------------------|
+| [Local Admin Password Solution (LAPS)](https://www.microsoft.com/download/details.aspx?id=46899) | Deployed to all devices | Generates a unique local admin password to devices, mitigating many lateral traversal attacks. |
+| [Windows Defender ATP EDR](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | Deployed to all devices | The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an entity called an *incident*. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step. |
+| [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) | Enabled for all compatible hardware | Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. There is a small risk to application compatibility, as [applications will break](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements#application-requirements) if they require NTLMv1, Kerberos DES encryption, Kerberos unconstrained delegation, or extracting the Keberos TGT. As such, Microsoft recommends deploying Credential Guard using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
+| [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/) | Default browser | Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
+| [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Enabled on compatible hardware | Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
+| [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) | Configure and enforce Network Protection | Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). There is a risk to application compatibility, as a result of false positives in flagged sites. Microsoft recommends deploying using the Audit / Enforce Methodology. |
+
+
+## Behaviors
+
+The behaviors recommended in level 1 enforce a reasonable security level while minimizing the impact to users or to applications.
+
+| Feature | Config | Description |
+|---------|-------------------|-------------|
+| OS security updates | Deploy Windows Quality Updates within 7 days of release | As the time between the release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, a critical aspect of security hygiene is having an engineering process that quickly validates and deploys Quality Updates that address security vulnerabilities. |
+
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md
new file mode 100644
index 0000000000..3671675351
--- /dev/null
+++ b/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md
@@ -0,0 +1,130 @@
+---
+title: Level 2 enterprise enhanced security configuration
+description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 2 enterprise security configuration.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.author: appcompatguy
+author: appcompatguy
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 05/29/2019
+---
+
+# Level 2 enterprise enhanced security configuration
+
+**Applies to**
+
+- Windows 10
+
+Level 2 is the security configuration recommended as a standard for devices where users access more sensitive information. These devices are a natural target in enterprises today. While targeting high levels of security, these recommendations do not assume a large staff of highly skilled security practitioners, and therefore should be accessible to most enterprise organizations.
+A level 2 configuration should include all the configurations from level 1 and add the following security policies, controls, and organizational behaviors.
+
+## Hardware
+
+Devices targeting level 2 should support all level 1 features, and add the following hardware features:
+
+- [Virtualization and HVCI Enabled](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-vbs)
+- [Drivers and Apps HVCI-Ready](https://docs.microsoft.com/windows-hardware/test/hlk/testref/driver-compatibility-with-device-guard)
+- [Windows Hello](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements)
+- [DMA I/O Protection](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)
+
+## Policies
+
+The policies enforced in level 2 include all of the policies recommended for level 1 and adds the
+below policies to implement more controls and a more sophisticated security
+configuration than level 1. While they may have a slightly higher impact to
+users or to applications, they enforce a level of security more commensurate
+with the risks facing users with access to sensitive information. Microsoft
+recommends using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for these security configurations and
+controls, with a moderate timeline that is anticipated to be slightly longer
+than the process in level 1.
+
+### Security Template Policies
+
+| Feature | Policy Setting | Policy Value | Description |
+|---------|----------------|--------------|-------------|
+| Security Options | User Account Control: Behavior of the elevation prompt for standard users | Automatically deny elevation requests | This policy setting controls the behavior of the elevation prompt for standard users. Automatically deny elevation requests: When an operation requires elevation of privilege, an access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. |
+| User Rights Assignments | Deny access to this computer from the network | NT AUTHORITY\\Local Account | Determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. |
+| User Rights Assignments | Deny log on through Remote Desktop Services | NT AUTHORITY\\Local Account | Determines which users and groups are prohibited from logging on as a Remote Desktop Services client. |
+
+### Computer Policies
+
+| Feature | Policy Setting | Policy Value | Description |
+|---------|----------------|--------------|-------------|
+| Control Panel / Personalization | Prevent enabling lock screen camera | Enabled | Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. By default, users can enable invocation of an available camera on the lock screen. If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings and the camera cannot be invoked on the lock screen. |
+| Network / WLAN Service / WLAN Settings | Allow Windows to automatically connect to suggested open hotspots to networks shared by contacts and to hotspots offering paid services | Disabled | This policy setting determines whether users can enable the following WLAN settings: "Connect to suggested open hotspots," "Connect to networks shared by my contacts," and "Enable paid services". |
+| System / Device Guard | Turn on Virtualization Based Security | - [[[main setting]]] = Enabled
- Virtualization Based Protection of Code Integrity = Enabled with UEFI lock
- Credential Guard Configuration = Enabled with UEFI lock
- Select Platform Security Level = Secure Boot
- Secure Launch Configuration = Enabled
- Require UEFI Memory Attributes Table = False | Specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot and can optionally be enabled with the use of DMA Protections. DMA protections require hardware support and will only be enabled on correctly configured devices. |
+| System / Internet Communication Management / Internet Communication settings | Turn off downloading of print drivers over HTTP | Enabled | This policy setting specifies whether to allow this client to download print driver packages over HTTP. To set up HTTP printing non-inbox drivers need to be downloaded over HTTP. Note: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally. if you enable this policy setting, print drivers cannot be downloaded over HTTP. If you disable or do not configure this policy setting, users can download print drivers over HTTP. |
+| System / Logon | Turn on convenience PIN sign-in | Disabled | This policy setting allows you to control whether a domain user can sign in using a convenience PIN. |
+| System / Remote Assistance | Configure Solicited Remote Assistance | - [[[main setting]]] = Disabled
- Maximum ticket time (value) = [[[delete]]]
- Maximum ticket time (units) = [[[delete]]]
- Method for sending email invitations = [[[delete]]]
- Permit remote control of this computer = [[[delete]]] | This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. |
+| Windows Components / App Privacy | Let Windows apps activate with voice while the system is locked | Force Deny | Specifies whether Windows apps can be activated by voice while the system is locked. If you choose the "User is in control" option, employees in your organization can decide whether users can interact with applications using speech while the system is locked by using Settings > Privacy on the device. If you choose the "Force Allow" option, users can interact with applications using speech while the system is locked and employees in your organization cannot change it. If you choose the "Force Deny" option, users cannot interact with applications using speech while the system is locked and employees in your organization cannot change it. If you disable or do not configure this policy setting, employees in your organization can decide whether users can interact with applications using speech while the system is locked by using Settings > Privacy on the device. This policy is applied to Windows apps and Cortana. It takes precedence of the Allow Cortana above lock policy. This policy is applicable only when Allow voice activation policy is configured to allow applications to be activated with voice. |
+| Windows Components / BitLocker Drive Encryption / Removable Data Drives | Deny write access to removable drives not protected by BitLocker | Enabled | This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. If the "Deny write access to devices configured in another organization" option is selected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed, it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting. If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. Note: This policy setting can be overridden by the policy settings under User Configuration\\Administrative Templates\\System\\Removable Storage Access. If the "Removable Disks: Deny write access" policy setting is enabled, this policy setting will be ignored. |
+| Windows Components / Internet Explorer | Prevent bypassing SmartScreen Filter warnings | Enabled | This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious. |
+| Windows Components / Internet Explorer | Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet | Enabled | This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet. |
+| Windows Components / Internet Explorer | Prevent per-user installation of ActiveX controls | Enabled | This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis. If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis. |
+| Windows Components / Internet Explorer | Security Zones: Do not allow users to add/delete sites | Enabled | Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level. If you enable this policy, the site management settings for security zones are disabled. |
+| Windows Components / Internet Explorer | Security Zones: Do not allow users to change policies | Enabled | Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level. If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled. |
+| Windows Components / Internet Explorer | Security Zones: Use only machine settings | Enabled | Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level. If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer. |
+| Windows Components / Internet Explorer | Turn off Crash Detection | Enabled | This policy setting allows you to manage the crash detection feature of add-on Management. If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely, to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Download signed ActiveX controls | Disable | This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. |
+| Windows Components / Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for files | Enabled | This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. If you enable this setting, employees can't ignore Windows Defender SmartScreen warnings and they are blocked from downloading the unverified files. If you disable or don't configure this setting, employees can ignore Windows Defender SmartScreen warnings and continue the download process. |
+| Windows Components / Windows Defender SmartScreen / Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for sites | Enabled | Lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites |
+| Windows Components / Remote Desktop Services / Remote Desktop | Do not allow drive redirection | Enabled | This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format \ on \. You can use this policy setting to override this behavior. if you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions and Clipboard file copy redirection is not allowed on computers running Windows Server 2003 Windows 8 and Windows XP. If you disable this policy setting client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed. If you do not configure this policy setting client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. |
+| Windows Components / Windows Defender Antivirus | Configure detection for potentially unwanted applications | Enabled: Audit | Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. |
+| Windows Components / Windows Game Recording and Broadcasting | Enables or disables Windows Game Recording and Broadcasting | Disabled | This setting enables or disables the Windows Game Recording and Broadcasting features. If you disable this setting, Windows Game Recording will not be allowed. |
+
+### User Policies
+
+| Feature | Policy Setting | Policy Value | Description |
+|---------|----------------|--------------|-------------|
+| Start Menu and Taskbar / Notifications | Turn off toast notifications on the lock screen | Enabled | Turns off toast notifications on the lock screen. |
+| Windows Components / Cloud Content | Do not suggest third-party content in the Windows spotlight | Enabled | Windows spotlight features like lock screen spotlight, suggested apps in Start menu or Windows tips will no longer suggest apps and content from third-party software publishers |
+
+### Services
+
+Microsoft recommends disabling the following services when their use is not required for a user to perform their work.
+
+| Type | Name | Description |
+|------|------|-------------|
+| Scheduled Task | XblGameSaveTask | Syncs save data for Xbox Live save-enabled games |
+| Services | Xbox Accessory Management Service | Manages connected Xbox accessories |
+| Services | Xbox Game Monitoring | Monitors Xbox games currently being played |
+| Services | Xbox Live Auth Manager | Provides authentication and authorization services for interactive with Xbox Live |
+| Services | Xbox Live Game Save | Syncs save data for Xbox live save enabled games |
+| Services | Xbox Live Networking Service | Supports the Windows.Networking.XboxLive API |
+
+## Controls
+
+The controls enforced in level 2 implement more controls and a more sophisticated security
+configuration than level 1. While they may have a slightly higher impact to
+users or to applications, they enforce a level of security more commensurate
+with the risks facing users with access to sensitive information. Microsoft
+recommends using the Audit/Enforce methodology for controls with an Audit mode,
+and [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do not, with a moderate timeline that
+is anticipated to be slightly longer than the process in level 1.
+
+| Feature Set | Feature | Description |
+|-------------------------------------------------------------|-------------------------------------------------------|----------------|
+| [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification) | Configure and enforce Windows Hello for Business | In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. Windows Hello addresses the following problems with passwords:
- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
- Server breaches can expose symmetric network credentials (passwords).
- Passwords are subject to replay attacks.
- Users can inadvertently expose their passwords due to phishing attacks. |
+| [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/) | Configure and enforce Conditional Access rules based on
- Application Risk
- Session Risk | With conditional access, you can implement automated access control decisions for accessing your cloud apps that are based on conditions. Conditional access policies are enforced after the first-factor authentication has been completed. Therefore, conditional access is not intended as a first line defense for scenarios like denial-of-service (DoS) attacks, but can utilize signals from these events (e.g. the sign-in risk level, location of the request, and so on) to determine access. |
+| [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) | Enforce memory protection for OS-level controls:
- Control flow guard (CFG)
- Data Execution Protection (DEP)
- Mandatory ASLR
- Bottom-Up ASLR
- High-entropy ASLR
- Validate Exception Chains (SEHOP)
- Validate heap integrity | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at either the operating system level, or at the individual app level. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. dynamically generating code without marking memory as executable). Microsoft recommends gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
+| [Attack Surface Reduction (ASR)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)| Configure and enforce [Attack Surface Reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules)| Attack surface reduction controls help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. an Office application spawning a child process). Each control has an Audit mode, and as such, Microsoft recommends the Audit / Enforce Methodology (repeated here):
1) Audit – enable the controls in audit mode, and gather audit data in a centralized location
2) Review – review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
3) Enforce – Deploy the configuration of any exemptions and convert the control to enforce mode |
+| [Controlled Folder Access (CFA)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) | Configure and audit [Controlled Folder Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) | Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. Controlled folder access works best with Microsoft Defender Advanced Threat Protection, which gives you detailed reporting into controlled folder access events and blocks as part of the usual alert investigation scenarios.
All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
Microsoft recommends the Audit / Enforce Methodology (repeated here):
1) Audit – enable the controls in audit mode, and gather audit data in a centralized location
2) Review – review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
3) Enforce – Deploy the configuration of any exemptions and convert the control to enforce mode
+
+## Behaviors
+
+The behaviors recommended in level 2 implement a more sophisticated security process. While they may require a more sophisticated organization, they enforce
+a level of security more commensurate with the risks facing users with access to
+sensitive information.
+
+| Feature Set| Feature | Description |
+|------------|----------|--------------|
+| Antivirus | Configure Protection Updates to failover to retrieval from Microsoft | Sources for Windows Defender Antivirus Protection Updates can be provided in an ordered list. If you are using internal distribution, such as SCCM or WSUS, configure Microsoft Update lower in the list as a failover. |
+| OS Security Updates | Deploy Windows Quality Updates within 4 days | As the time between release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, engineering a process that provides the ability to validate and deploy quality updates addressing known security vulnerabilities is a critical aspect of security hygiene.|
+| Helpdesk| 1:1 Administration| A simple and common model for helpdesk support is to add the Helpdesk group as a permanent member of the Local Administrators group of every device. If any device is compromised and helpdesk can connect to it, then these credentials can be used to obtain privilege on any / all other devices. Design and implement a strategy to provide helpdesk support without providing 1:all admin access – constraining the value of these Helpdesk credentials |
+
+
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md
deleted file mode 100644
index 7f0491ae05..0000000000
--- a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md
+++ /dev/null
@@ -1,142 +0,0 @@
----
-title: Level 3 enterprise VIP security configuration
-description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 3 enterprise VIP security configuration.
-keywords: virtualization, security, malware
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 04/05/2018
-ms.reviewer:
----
-
-# Level 3 enterprise VIP security configuration
-
-**Applies to**
-
-- Windows 10
-
-Level 3 is the security configuration recommended as a standard for organizations with large and sophisticated security organizations, or for specific users and groups who will be uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries, and as such merit the additional constraints and controls described here.
-A level 3 configuration should include all the configurations from level 5 and level 4 and add the following security policies, controls, and organizational behaviors.
-
-## Policies
-
-The policies enforced in level 3 implement strict security configuration and controls. They can have a potentially significant impact to users or to applications, enforcing a level of security commensurate with the risks facing targeted organizations. Microsoft recommends disciplined testing and deployment using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates).
-
-### Security Template Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|----------|-----------------|---------------|--------------|
-| [Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/) | Account lockout duration | 15 | The number of minutes a locked-out account remains locked out before automatically becoming unlocked. |
-| [Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/) | Account lockout threshold | 10 | The number of failed logon attempts that causes a user account to be locked out. |
-| [Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/) | Reset account lockout counter after | 15 | The number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. |
-| Password Policy | Maximum password age | 60 | The number of days that a password can be used before the system requires the user to change it. |
-| Password Policy | Minimum password age | 1 | The number of days that a password must be used before a user can change it. |
-| Security Options | Accounts: Administrator account status | Disabled | This security setting determines whether the local Administrator account is enabled or disabled. |
-| Security Options | Accounts: Limit local account use of blank passwords to console logon only | Enabled | This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. |
-| Security Options | Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled | Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category level, and existing Group Policy may override the subcategory settings of new machines as they are joined to the domain or upgraded. To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool. |
-| Security Options | Domain member: Digitally encrypt or sign secure channel data (always) | Enabled | This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. This setting determines whether all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:
- Domain member: Digitally encrypt secure channel data (when possible)
- Domain member: Digitally sign secure channel data (when possible) |
-| Security Options | Domain member: Digitally encrypt secure channel data (when possible) | Enabled | This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise, only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption. |
-| Security Options | Domain member: Digitally sign secure channel data (when possible) | Enabled | This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed, which ensures that it cannot be tampered with in transit. |
-| Security Options | Interactive logon: Smart card removal behavior | Lock Workstation | This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. If you click **Lock Workstation** in the **Properties** for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart cards with them, and still maintain protected sessions. For this setting to work beginning with Windows Vista, the Smart Card Removal Policy service must be started. |
-| Security Options | Microsoft network client: Digitally sign communications (always) | Enabled | This security setting determines whether packet signing is required by the SMB client component. |
-| Security Options | Microsoft network server: Digitally sign communications (always) | Enabled | This security setting determines whether packet signing is required by the SMB server component. |
-| Security Options | Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. This security option allows additional restrictions to be placed on anonymous connections as follows: Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. |
-| Security Options | Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. |
-| Security Options | Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:
- Network access: Named pipes that can be accessed anonymously
- Network access: Shares that can be accessed anonymously |
-| Security Options | Network security: Allow PKU2U authentication requests to this computer to use online identities. | Disabled | This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. |
-| Security Options | Network security: LDAP client signing requirements | Negotiate signing | This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows: Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\\SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller. |
-| Security Options | System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled | This security setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. If this policy is enabled, the default DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify shared objects that they did not create. |
-| Security Options | User Account Control: Behavior of the elevation prompt for standard users | Automatically deny elevation requests | This policy setting controls the behavior of the elevation prompt for standard users. Automatically deny elevation requests: When an operation requires elevation of privilege, an access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. |
-
-### Computer Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|----------|-----------------|---------------|--------------|
-| Control Panel / Personalization | Prevent enabling lock screen camera | Enabled | Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. By default, users can enable invocation of an available camera on the lock screen. If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings and the camera cannot be invoked on the lock screen. |
-| Control Panel / Personalization | Prevent enabling lock screen slide show | Enabled | Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. By default, users can enable a slide show that will run after they lock the machine. if you enable this setting, users will no longer be able to modify slide show settings in PC Settings and no slide show will ever start. |
-| Windows Defender SmartScreen / Explorer | Configure App Install Control | Allow apps from Store only | App Install Control is a feature of Windows Defender SmartScreen that helps protect PCs by allowing users to install apps only from the Store. SmartScreen must be enabled for this feature to work properly. |
-| System / Device Installation / Device Installation Restrictions | Prevent installation of devices that match any of these device IDs | Enabled | This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. if you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in a list that you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. |
-| System / Device Installation / Device Installation Restrictions | Prevent installation of devices using drivers that match these device setup classes | Enabled | This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. if you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. |
-| System / Internet Communication Management / Internet Communication settings | Turn off downloading of print drivers over HTTP | Enabled | This policy setting specifies whether to allow this client to download print driver packages over HTTP. To set up HTTP printing non-inbox drivers need to be downloaded over HTTP. Note: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally. if you enable this policy setting, print drivers cannot be downloaded over HTTP. If you disable or do not configure this policy setting, users can download print drivers over HTTP. |
-| System / Internet Communication Management / Internet Communication settings | Turn off printing over HTTP | Enabled | This policy setting specifies whether to allow printing over HTTP from this client. Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. Note: This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. if you enable this policy setting, it prevents this client from printing to Internet printers over HTTP. If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP. Also see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers. |
-| System / Logon | Enumerate local users on domain-joined computers | Disabled | This policy setting allows local users to be enumerated on domain-joined computers. if you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers. |
-| System / Power Management / Sleep Settings | Allow standby states (S1-S3) when sleeping (on battery) | Disabled | This policy setting manages whether Windows can use standby states when putting the computer in a sleep state. If you enable or do not configure this policy setting Windows uses standby states to put the computer in a sleep state. If you disable this policy setting standby states (S1-S3) are not allowed. |
-| System / Power Management / Sleep Settings | Allow standby states (S1-S3) when sleeping (plugged in) | Disabled | This policy setting manages whether Windows can use standby states when putting the computer in a sleep state. If you enable or do not configure this policy setting Windows uses standby states to put the computer in a sleep state. If you disable this policy setting standby states (S1-S3) are not allowed. |
-| Windows Components / BitLocker Drive Encryption / Operating System Drives | Configure minimum PIN length for startup | Enabled: 7 | This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. if you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN. If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 4 and 20 digits. By default, the value is 6 digits. NOTE: If minimum PIN length is set below 6 digits Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. |
-| Windows Components / BitLocker Drive Encryption / Removable Data Drives | Deny write access to removable drives not protected by BitLocker | Enabled | This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. If the "Deny write access to devices configured in another organization" option is selected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed, it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting. If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. Note: This policy setting can be overridden by the policy settings under User Configuration\\Administrative Templates\\System\\Removable Storage Access. If the "Removable Disks: Deny write access" policy setting is enabled, this policy setting will be ignored. |
-| Windows Components / Cloud Content | Turn off Microsoft consumer experiences | Enabled | This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. if you enable this policy setting, users will no longer see personalized recommendations from Microsoft and notifications about their Microsoft account. If you disable or do not configure this policy setting, users may see suggestions from Microsoft and notifications about their Microsoft account. Note: This setting only applies to Enterprise and Education SKUs. |
-| Windows Components / Credential User Interface | Enumerate administrator accounts on elevation | Disabled | This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. if you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password. If you disable this policy setting users will always be required to type a user name and password to elevate. |
-| Windows Components / Microsoft Edge | Configure Password Manager | Disabled | This policy setting lets you decide whether employees can save their passwords locally using Password Manager. By default, Password Manager is turned on. if you enable this setting, employees can use Password Manager to save their passwords locally. If you disable this setting employees can't use Password Manager to save their passwords locally. If you don't configure this setting employees can choose whether to use Password Manager to save their passwords locally. |
-| Windows Components / Remote Desktop Services / Remote Desktop | Do not allow drive redirection | Enabled | This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format \ on \. You can use this policy setting to override this behavior. if you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions and Clipboard file copy redirection is not allowed on computers running Windows Server 2003 Windows 8 and Windows XP. If you disable this policy setting client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed. If you do not configure this policy setting client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. |
-| Windows Components / RSS Feeds | Prevent downloading of enclosures | Enabled | This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. if you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs. If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. |
-| Windows Components / Search | Allow indexing of encrypted files | Disabled | This policy setting allows encrypted items to be indexed. if you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting the search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores. This policy setting is not configured by default. If you do not configure this policy setting the local setting configured through Control Panel will be used. By default, the Control Panel setting is set to not index encrypted content. When this setting is enabled or disabled the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. |
-| Windows Components / Windows Ink Workspace | Allow Windows Ink Workspace | On, but disallow access above lock | Allow Windows Ink Workspace |
-
-### IE Computer Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|-------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Windows Components / Internet Explorer | Prevent per-user installation of ActiveX controls | Enabled | This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis. If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis. |
-| Windows Components / Internet Explorer | Security Zones: Do not allow users to add/delete sites | Enabled | Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level. If you enable this policy, the site management settings for security zones are disabled. |
-| Windows Components / Internet Explorer | Security Zones: Do not allow users to change policies | Enabled | Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level. If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled. |
-| Windows Components / Internet Explorer | Security Zones: Use only machine settings | Enabled | Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level. If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer. |
-| Windows Components / Internet Explorer | Turn off Crash Detection | Enabled | This policy setting allows you to manage the crash detection feature of add-on Management. If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely, to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply. |
-| Windows Components / Internet Explorer | Turn off the Security Settings Check feature | Disabled | This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk. |
-| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled | Enabled | This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced Protected Mode. |
-| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | Enabled | This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows. |
-| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn on Enhanced Protected Mode | Enabled | Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page | Intranet Sites: Include all network paths (UNCs) | Disabled | This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow drag and drop or copy and paste files | Enabled: Disable | This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow loading of XAML files | Enabled: Disable | This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow only approved domains to use ActiveX controls without prompt | Enabled: Enable | This policy setting controls whether the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow only approved domains to use the TDC ActiveX control | Enabled: Enable | This policy setting controls whether the user can run the TDC ActiveX control on websites. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow scripting of Internet Explorer WebBrowser controls | Enabled: Disable | This policy setting determines whether a page can control embedded WebBrowser controls via script. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow script-initiated windows without size or position constraints | Enabled: Disable | This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow scriptlets | Enabled: Disable | This policy setting allows you to manage whether the user can run scriptlets. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow updates to status bar via script | Enabled: Disable | This policy setting allows you to manage whether script can update the status bar within the zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow VBScript to run in Internet Explorer | Enabled: Disable | This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Download signed ActiveX controls | Enabled: Disable | This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Include local path when user is uploading files to a server | Enabled: Disable | This policy setting controls whether local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Navigate windows and frames across different domains | Enabled: Disable | This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Web sites in less privileged Web content zones can navigate into this zone | Enabled: Disable | This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. |
-
-### IE User Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|----------|-----------------|--------------|--------------|
-| Windows Components / Internet Explorer | Turn on the auto-complete feature for user names and passwords on forms | Disabled | This AutoComplete feature can remember and suggest User names and passwords on Forms. If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. |
-
-## Controls
-
-The controls enforced in level 3 implement complex security configuration and controls.
-They are likely to have a higher impact to users or to applications,
-enforcing a level of security commensurate with the risks facing the most targeted organizations.
-Microsoft recommends using the Audit/Enforce methodology for controls with audit mode, and [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do
-not.
-
-| Feature Set | Feature | Description |
-|--------------|----------|--------------|
-| Exploit protection | Enable exploit protection | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at the individual app level. |
-| Windows Defender Application Control (WDAC) *or* AppLocker | Configure devices to use application whitelisting using one of the following approaches:
[AaronLocker](https://blogs.msdn.microsoft.com/aaron_margosis/2018/10/11/aaronlocker-update-v0-91-and-see-aaronlocker-in-action-on-channel-9/) (admin writeable areas) when software distribution is not always centralized
*or*
[Managed installer](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer) when all software is pushed through software distribution
*or*
[Explicit control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy) when the software on a device is static and tightly controlled | Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. Application Control can help mitigate these types of security threats by restricting the applications that users can run and the code that runs in the System Core (kernel). WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs in [Constrained Language Mode](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/). |
-
-## Behaviors
-
-The behaviors recommended in level 3 represent the most sophisticated security
-configuration. Removing admin rights can be difficult, but it is essential to
-achieve a level of security commensurate with the risks facing the most targeted
-organizations.
-
-| Feature Set | Feature | Description |
-|--------------|----------|--------------|
-| Remove Admin Rights | Remove as many users as possible from the local Administrators group, targeting 0. Microsoft recommends removing admin rights role by role. Some roles are more challenging, including:
- Developers, who often install rapidly iterating software which is difficult to package using current software distribution systems
- Scientists/ Doctors, who often must install and operate specialized hardware devices
- Remote locations with slow web links, where administration is delegated
It is typically easier to address these roles later in the process.
Microsoft recommends identifying the dependencies on admin rights and systematically addressing them:
- Legitimate use of admin rights: crowdsourced admin, where a new process is needed to complete that workflow
- Illegitimate use of admin rights: app compat dependency, where app remediation is the best path. The [Desktop App Assure](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-is-Desktop-App-Assure/ba-p/270232) program can assist with these app issues | Running as non-admin limits your exposure. When you are an admin, every program you run has unlimited access to your computer. If malicious code finds its way to one of those programs, it also gains unlimited access. When an exploit runs with admin privileges, its ability to compromise your system is much greater, its ability to do so without detection is much greater, and its ability to attack others on your network is greater than it would be with only User privileges. If you’re running as admin, an exploit can:
- install kernel-mode rootkits and/or keyloggers
- install and start services
- install ActiveX controls, including IE and shell add-ins
- access data belonging to other users
- cause code to run whenever anybody else logs on (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)
- replace OS and other program files with trojan horses
- disable/uninstall anti-virus
- cover its tracks in the event log
- render your machine unbootable |
-
-
-
-
-
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md
new file mode 100644
index 0000000000..d1673ce03b
--- /dev/null
+++ b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md
@@ -0,0 +1,88 @@
+---
+title: Level 3 enterprise high security configuration
+description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 3 enterprise VIP security configuration.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.author: appcompatguy
+author: appcompatguy
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 05/29/2019
+---
+
+# Level 3 enterprise high security configuration
+
+**Applies to**
+
+- Windows 10
+
+Level 3 is the security configuration recommended as a standard for organizations with large and sophisticated security organizations, or for specific users and groups who will be uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries, and as such merit the additional constraints and controls described here.
+A level 3 configuration should include all the configurations from level 2 and level 1 and add the following security policies, controls, and organizational behaviors.
+
+## Hardware
+
+Devices targeting Level 3 should support all Level 2 and Level 1 features, and add the following hardware features:
+
+- [System Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows)
+- [Modern Standby](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby)
+
+## Policies
+
+The policies enforced in level 3 include all of the policies recommended for levels 2 and 1, and adds the below policies to
+implement strict security configuration and controls. They can have a potentially significant impact to users or to applications, enforcing
+a level of security commensurate with the risks facing targeted organizations. Microsoft recommends disciplined testing and deployment using
+[the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates).
+
+### Computer Policies
+
+| Feature | Policy Setting | Policy Value | Description |
+|----------|-----------------|---------------|--------------|
+| Control Panel / Personalization | Prevent enabling lock screen slide show | Enabled | Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. By default, users can enable a slide show that will run after they lock the machine. if you enable this setting, users will no longer be able to modify slide show settings in PC Settings and no slide show will ever start. |
+| System / Logon | Enumerate local users on domain-joined computers | Disabled | This policy setting allows local users to be enumerated on domain-joined computers. if you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers. |
+| System / Power Management / Sleep Settings | Allow standby states (S1-S3) when sleeping (on battery) | Disabled | This policy setting manages whether Windows can use standby states when putting the computer in a sleep state. If you enable or do not configure this policy setting Windows uses standby states to put the computer in a sleep state. If you disable this policy setting standby states (S1-S3) are not allowed. |
+| System / Power Management / Sleep Settings | Allow standby states (S1-S3) when sleeping (plugged in) | Disabled | This policy setting manages whether Windows can use standby states when putting the computer in a sleep state. If you enable or do not configure this policy setting Windows uses standby states to put the computer in a sleep state. If you disable this policy setting standby states (S1-S3) are not allowed. |
+| Windows Components / Cloud Content | Turn off Microsoft consumer experiences | Enabled | This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. if you enable this policy setting, users will no longer see personalized recommendations from Microsoft and notifications about their Microsoft account. If you disable or do not configure this policy setting, users may see suggestions from Microsoft and notifications about their Microsoft account. Note: This setting only applies to Enterprise and Education SKUs. |
+| Windows Components / Credential User Interface | Enumerate administrator accounts on elevation | Disabled | This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. if you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password. If you disable this policy setting users will always be required to type a user name and password to elevate. |
+| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled | Enabled | This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced Protected Mode. |
+| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | Enabled | This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows. |
+| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn on Enhanced Protected Mode | Enabled | Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. |
+| Windows Components / Internet Explorer / Internet Control Panel / Security Page | Intranet Sites: Include all network paths (UNCs) | Disabled | This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. |
+| Windows Components / Microsoft Edge | Configure Password Manager | Disabled | This policy setting lets you decide whether employees can save their passwords locally using Password Manager. By default, Password Manager is turned on. if you enable this setting, employees can use Password Manager to save their passwords locally. If you disable this setting employees can't use Password Manager to save their passwords locally. If you don't configure this setting employees can choose whether to use Password Manager to save their passwords locally. |
+
+### User Policies
+| Feature | Policy Setting | Policy Value | Description |
+|----------|-----------------|---------------|--------------|
+| Windows Components / Internet Explorer | Turn on the auto-complete feature for user names and passwords on forms | Disabled | This AutoComplete feature can remember and suggest User names and passwords on Forms. If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords". If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. |
+
+## Controls
+
+The controls enforced in level 3 implement complex security configuration and controls.
+They are likely to have a higher impact to users or to applications,
+enforcing a level of security commensurate with the risks facing the most targeted organizations.
+Microsoft recommends using the Audit/Enforce methodology for controls with audit mode, and [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do
+not.
+
+| Feature Set | Feature | Description |
+|--------------|----------|--------------|
+| Exploit protection | Enable exploit protection | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at the individual app level. |
+| Windows Defender Application Control (WDAC) *or* AppLocker | Configure devices to use application whitelisting using one of the following approaches:
[AaronLocker](https://blogs.msdn.microsoft.com/aaron_margosis/2018/10/11/aaronlocker-update-v0-91-and-see-aaronlocker-in-action-on-channel-9/) (admin writeable areas) when software distribution is not always centralized
*or*
[Managed installer](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer) when all software is pushed through software distribution
*or*
[Explicit control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy) when the software on a device is static and tightly controlled | Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. Application Control can help mitigate these types of security threats by restricting the applications that users can run and the code that runs in the System Core (kernel). WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs in [Constrained Language Mode](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/). |
+
+## Behaviors
+
+The behaviors recommended in level 3 represent the most sophisticated security
+configuration. Removing admin rights can be difficult, but it is essential to
+achieve a level of security commensurate with the risks facing the most targeted
+organizations.
+
+| Feature Set | Feature | Description |
+|--------------|----------|--------------|
+| Remove Admin Rights | Remove as many users as possible from the local Administrators group, targeting 0. Microsoft recommends removing admin rights role by role. Some roles are more challenging, including:
- Developers, who often install rapidly iterating software which is difficult to package using current software distribution systems
- Scientists/ Doctors, who often must install and operate specialized hardware devices
- Remote locations with slow web links, where administration is delegated
It is typically easier to address these roles later in the process.
Microsoft recommends identifying the dependencies on admin rights and systematically addressing them:
- Legitimate use of admin rights: crowdsourced admin, where a new process is needed to complete that workflow
- Illegitimate use of admin rights: app compat dependency, where app remediation is the best path. The [Desktop App Assure](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-is-Desktop-App-Assure/ba-p/270232) program can assist with these app issues | Running as non-admin limits your exposure. When you are an admin, every program you run has unlimited access to your computer. If malicious code finds its way to one of those programs, it also gains unlimited access. When an exploit runs with admin privileges, its ability to compromise your system is much greater, its ability to do so without detection is much greater, and its ability to attack others on your network is greater than it would be with only User privileges. If you’re running as admin, an exploit can:
- install kernel-mode rootkits and/or keyloggers
- install and start services
- install ActiveX controls, including IE and shell add-ins
- access data belonging to other users
- cause code to run whenever anybody else logs on (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)
- replace OS and other program files with trojan horses
- disable/uninstall anti-virus
- cover its tracks in the event log
- render your machine unbootable |
+
+
+
+
+
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-devops-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-devops-security.md
similarity index 58%
rename from windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-devops-security.md
rename to windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-devops-security.md
index 6f5f29c049..fbcf933ccc 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-devops-security.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-devops-security.md
@@ -1,6 +1,6 @@
---
-title: Level 2 enterprise dev/ops security workstation configuration
-description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 2 enterprise dev/ops security configuration.
+title: Level 4 enterprise dev/ops security workstation configuration
+description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 4 enterprise dev/ops security configuration.
keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
@@ -11,17 +11,17 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/05/2018
+ms.date: 06/11/2019
ms.reviewer:
---
-# Level 2 enterprise dev/ops workstation security configuration
+# Level 4 enterprise dev/ops workstation security configuration
**Applies to**
- Windows 10
-We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. A level 2 configuration should include all the configurations from levels 5, 4, and 3 and additional controls. We are planning recommendations for the additional controls now, so check back soon for level 2 enterprise dev/ops security configuration guidance!
+We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. A level 4 configuration should include all the configurations from levels 3, 2, and 1 and additional controls. We are planning recommendations for the additional controls now, so check back soon for level 4 enterprise dev/ops security configuration guidance!
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md
deleted file mode 100644
index 198b148cd0..0000000000
--- a/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md
+++ /dev/null
@@ -1,210 +0,0 @@
----
-title: Level 4 enterprise high security configuration
-description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 4 enterprise security configuration.
-keywords: virtualization, security, malware
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 04/05/2018
-ms.reviewer:
----
-
-# Level 4 enterprise high security configuration
-
-**Applies to**
-
-- Windows 10
-
-Level 4 is the security configuration recommended as a standard for devices where users access more sensitive information. These devices are a natural target in enterprises today. While targeting high levels of security, these recommendations do not assume a large staff of highly skilled security practitioners, and therefore should be accessible to most enterprise organizations.
-A level 4 configuration should include all the configurations from level 5 and add the following security policies, controls, and organizational behaviors.
-
-## Policies
-
-The policies enforced in level 4 implement more controls and a more sophisticated security
-configuration than level 5. While they may have a slightly higher impact to
-users or to applications, they enforce a level of security more commensurate
-with the risks facing users with access to sensitive information. Microsoft
-recommends using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for these security configurations and
-controls, with a moderate timeline that is anticipated to be slightly longer
-than the process in level 5.
-
-### Security Template Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|------------------------|-------------------------------------------------------------------------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Security Options | Microsoft network client: Send unencrypted password to third party | Disabled | If this security setting is enabled, the Server Message Block (SMB) redirector can send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Sending unencrypted passwords is a security risk. |
-| Security Options | Network access: Allow anonymous SID/Name translation | Disabled | This security setting determines if an anonymous user can request security identifier (SID) attributes for another user. If this policy is enabled, a user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. |
-| Security Options | Network access: Restrict clients allowed to make remote calls to SAM | Enabled: Administrators (allowed) | This policy setting allows you to restrict remote RPC connections to SAM. If not selected, the default security descriptor will be used. |
-| Security Options | Network security: Allow LocalSystem NULL session fallback | Disabled | Allow NTLM to fall back to NULL session when used with LocalSystem |
-| Security Options | Network security: Do not store LAN Manager hash value on next password change | Enabled | This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. |
-| Security Options | Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM | This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: Send NTLMv2 response only\\refuse LM & NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). |
-| Security Options | Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require NTLMv2 session security and Require 128-bit encryption | This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. |
-| Security Options | Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require NTLMv2 session security and Require 128-bit encryption | This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. |
-| Security Options | User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled | This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - …\\Program Files\\, including subfolders - …\\Windows\\system32\\ - …\\Program Files (x86)\\, including subfolders for 64-bit versions of Windows |
-| User Rights Assignment | Access this computer from the network | Administrators; Remote Desktop Users | This user right determines which users and groups can connect to the computer over the network. Remote Desktop Services are not affected by this user right. |
-| User Rights Assignment | Enable computer and user accounts to be trusted for delegation | No One (blank) | This security setting determines which users can set the Trusted for Delegation setting on a user or computer object. |
-| User Rights Assignment | Impersonate a client after authentication | Administrators, SERVICE, Local Service, Network Service | Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. |
-| User Rights Assignment | Lock pages in memory | No One (blank) | This security setting determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random-access memory (RAM). |
-| User Rights Assignment | Perform volume maintenance tasks | Administrators | This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. |
-| User Rights Assignment | Profile single process | Administrators | This security setting determines which users can use performance monitoring tools to monitor the performance of non-system processes. |
-
-### Computer Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|---------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Network / Network Connections | Prohibit use of Internet Connection Sharing on your DNS domain network | Enabled | Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. |
-| Network / Network Provider | Hardened UNC Paths | Enabled: \\\\\*\\SYSVOL and \\\\\*\\NETLOGON RequireMutualAuthentication = 1, RequireIntegrity = 1 | This policy setting configures secure access to UNC paths. If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. |
-| Network / Windows Connection Manager | Prohibit connection to non-domain networks when connected to domain authenticated network | Enabled | This policy setting prevents computers from connecting to both a domain-based network and a non-domain-based network at the same time. |
-| Network / WLAN Service / WLAN Settings | Allow Windows to automatically connect to suggested open hotspots to networks shared by contacts and to hotspots offering paid services | Disabled | This policy setting determines whether users can enable the following WLAN settings: "Connect to suggested open hotspots," "Connect to networks shared by my contacts," and "Enable paid services". |
-| System / Credentials Delegation | Remote host allows delegation of non-exportable credentials | Enabled | When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode. |
-| System / Device Guard | Turn on Virtualization Based Security | Enabled: Virtualization-Based Protection of Code Integrity – Enabled with UEFI Lock | This setting enables virtualization-based protection of Kernel Mode Code Integrity. When this is enabled, kernel mode memory protections are enforced, and the Code Integrity validation path is protected by the Virtualization Based Security feature. |
-| System / Internet Communication Management / Internet Communication | Turn off Internet download for Web publishing and online ordering wizards | Enabled | This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. |
-| System / Logon | Turn on convenience PIN sign-in | Disabled | This policy setting allows you to control whether a domain user can sign in using a convenience PIN. |
-| System / Remote Assistance | Configure Solicited Remote Assistance | Disabled | This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. |
-| Windows Components / File Explorer | Turn off Data Execution Prevention for Explorer | Disabled | Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. |
-| Windows Components / File Explorer | Turn off heap termination on corruption | Disabled | Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. |
-| Windows Components / Remote Desktop Services / Remote Desktop Connection Client | Do not allow passwords to be saved | Enabled | Controls whether passwords can be saved on this computer from Remote Desktop Connection. |
-| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Always prompt for password upon connection | Enabled | This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. |
-| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Require secure RPC communication | Enabled | Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. |
-| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Set client connection encryption level | Enabled: High Level | Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. |
-| Windows Components / Windows Security / App and browser protection | Prevent users from modifying settings | Enabled | Prevent users from making changes to the Exploit protection settings area in Windows Security. |
-| Windows Components / Windows Game Recording and Broadcasting | Enables or disables Windows Game Recording and Broadcasting | Disabled | This setting enables or disables the Windows Game Recording and Broadcasting features. If you disable this setting, Windows Game Recording will not be allowed. |
-| Windows Components / Windows PowerShell | Turn on PowerShell Script Block Logging | Enabled | This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. |
-| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Allow Basic authentication | Disabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. |
-| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Disallow Digest authentication | Enabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication. |
-| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Allow Basic authentication | Disabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. |
-| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Disallow WinRM from storing RunAs credentials | Enabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins. |
-
-### Windows Defender Antivirus Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|-------------------------------------------------|-----------------------------------------------------------|----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Windows Components / Windows Defender Antivirus | Configure Detection for Potentially Unwanted Applications | Enabled: Block | Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. |
-
-### IE Computer Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|---------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|--------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Windows Components / Internet Explorer | Prevent bypassing SmartScreen Filter warnings | Enabled | This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious. |
-| Windows Components / Internet Explorer | Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet | Enabled | This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet. |
-| Windows Components / Internet Explorer | Specify use of ActiveX Installer Service for installation of ActiveX controls | Enabled | This policy setting allows you to specify how ActiveX controls are installed. If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls. |
-| Windows Components / Internet Explorer / Internet Control Panel | Prevent ignoring certificate errors | Enabled | This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer. |
-| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Allow software to run or install even if the signature is invalid | Disabled | This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file. |
-| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Check for signatures on downloaded programs | Enabled | This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs. |
-| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn off encryption support | Enabled: Use | This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each other’s list of supported protocols and versions, and they select the most preferred match. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page | Turn on certificate address mismatch warning | Enabled | This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Access data sources across domains | Enabled: Disable | This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow cut copy or paste operations from the clipboard via script | Enabled: Disable | This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Automatic prompting for file downloads | Enabled: Disable | This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Download unsigned ActiveX controls | Enabled: Disable | This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Enable dragging of content from different domains across windows | Enabled: Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Enable dragging of content from different domains within a window | Enabled: Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Initialize and script ActiveX controls not marked as safe | Enabled: Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Launching applications and files in an IFRAME | Enabled: Disable | This policy setting allows you to manage whether applications may be run, and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Logon options | Enabled: Prompt for user name and password | This policy setting allows you to manage settings for logon options. Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Run .NET Framework-reliant components not signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Run .NET Framework-reliant components signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Show security warning for potentially unsafe files | Enabled: Prompt | This policy setting controls whether the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Userdata persistence | Enabled: Disable | This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Initialize and script ActiveX controls not marked as safe | Enabled: Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Local Machine Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Intranet Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Local Machine Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Access data sources across domains | Enabled: Disable | This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow active scripting | Enabled: Disable | This policy setting allows you to manage whether script code on pages in the zone is run. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow binary and script behaviors | Enabled: Disable | This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow cut copy or paste operations from the clipboard via script | Enabled: Disable | This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow drag and drop or copy and paste files | Enabled: Disable | This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow file downloads | Enabled: Disable | This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow loading of XAML files | Enabled: Disable | This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow META REFRESH | Enabled: Disable | This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Download signed ActiveX controls | Enabled: Disable | This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow only approved domains to use ActiveX controls without prompt | Enabled: Enable | This policy setting controls whether the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow only approved domains to use the TDC ActiveX control | Enabled: Enable | This policy setting controls whether the user can run the TDC ActiveX control on websites. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow scripting of Internet Explorer WebBrowser controls | Enabled: Disable | This policy setting determines whether a page can control embedded WebBrowser controls via script. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow script-initiated windows without size or position constraints | Enabled: Disable | This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow scriptlets | Enabled: Disable | This policy setting allows you to manage whether the user can run scriptlets. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow updates to status bar via script | Enabled: Disable | This policy setting allows you to manage whether script can update the status bar within the zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow VBScript to run in Internet Explorer | Enabled: Disable | This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Automatic prompting for file downloads | Enabled: Disable | This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Download unsigned ActiveX controls | Enabled: Disable | This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Enable dragging of content from different domains across windows | Enabled: Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Enable dragging of content from different domains within a window | Enabled: Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Include local path when user is uploading files to a server | Enabled: Disable | This policy setting controls whether local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Initialize and script ActiveX controls not marked as safe | Enabled: Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Launching applications and files in an IFRAME | Enabled: Disable | This policy setting allows you to manage whether applications may be run, and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Logon options | Enabled: Anonymous logon | This policy setting allows you to manage settings for logon options. Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Navigate windows and frames across different domains | Enabled: Disable | This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run .NET Framework-reliant components not signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run .NET Framework-reliant components signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run ActiveX controls and plugins | Enabled: Disable | This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Script ActiveX controls marked safe for scripting | Enabled: Disable | This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Scripting of Java applets | Enabled: Disable | This policy setting allows you to manage whether applets are exposed to scripts within the zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Show security warning for potentially unsafe files | Enabled: Disable | This policy setting controls whether the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). If you disable this policy setting, these files do not open. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Userdata persistence | Enabled: Disable | This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Web sites in less privileged Web content zones can navigate into this zone | Enabled: Disable | This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Initialize and script ActiveX controls not marked as safe | Enabled: Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Java permissions | Enabled: High Safety | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. High Safety enables applets to run in their sandbox. |
-| Windows Components / Internet Explorer / Security Features / Add-on Management | Remove "Run this time" button for outdated ActiveX controls in Internet Explorer | Enabled | This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX controls in Internet Explorer. |
-| Windows Components / Internet Explorer / Security Features / Add-on Management | Turn off blocking of outdated ActiveX controls for Internet Explorer | Disabled | This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. |
-| Windows Components / Internet Explorer / Security Features / Consistent Mime Handling | Internet Explorer Processes | Enabled | Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension. If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files. |
-| Windows Components / Internet Explorer / Security Features / Mime Sniffing Safety Feature | Internet Explorer Processes | Enabled | This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. |
-| Windows Components / Internet Explorer / Security Features / MK Protocol Security Restriction | Internet Explorer Processes | Enabled | The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail. If you enable this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. |
-| Windows Components / Internet Explorer / Security Features / Notification Bar | Internet Explorer Processes | Enabled | This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes. If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes. |
-| Windows Components / Internet Explorer / Security Features / Protection from Zone Elevation | Internet Explorer Processes | Enabled | Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context. If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. |
-| Windows Components / Internet Explorer / Security Features / Restrict ActiveX Install | Internet Explorer Processes | Enabled | This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes. |
-| Windows Components / Internet Explorer / Security Features / Restrict File Download | Internet Explorer Processes | Enabled | This policy setting enables blocking of file download prompts that are not user initiated. If you enable this policy setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes. |
-| Windows Components / Internet Explorer / Security Features / Scripted Window Security Restrictions | Internet Explorer Processes | Enabled | Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. If you enable this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. |
-
-### Custom Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|-------------------|---------------------------------|-------------------------|------------------------|
-| MS Security Guide | Configure SMB v1 server | Disabled | Disable or enable server-side processing of the SMBv1 protocol |
-| MS Security Guide | Configure SMB v1 client driver | Enabled: Disable driver | Configure the startup mode for the kernel mode driver that implements client-side SMBv1 processing (MrxSmb10). This setting includes a dropdown that is activated when the Enabled radio button is selected and that controls the “Start” registry value in HKLM\\SYSTEM\\CurrentControlSet\\Services\\MrxSmb10. |
-| MS Security Guide | Enabled Structured Exception Handling Overwrite Protection (SEHOP)| Enabled | This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option. We recommend that Windows users who are running any of the above operating systems enable this feature to improve the security profile of their systems. |
-| MS Security Guide | WDigest Authentication | Disabled | When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. WDigest is disabled by default in Windows 10. This setting ensures this is enforced. |
-| MS Security Guide | Block Flash activation in Office documents | Enabled | Prevents the Adobe Flash ActiveX control from being loaded by Office applications. |
-| MSS (Legacy) | MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (Protects against packet spoofing) | Highest Protection, source routing is completely disabled | Allowing source routed network traffic allows attackers to obscure their identity and location. |
-| MSS (Legacy) | MSS: (DisableIPSourceRouting) IP source routing protection level (Protects against packet spoofing) | Highest Protection, source routing is completely disabled | Allowing source routed network traffic allows attackers to obscure their identity and location. |
-| MSS (Legacy) | MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Disabled | Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via shortest path first. |
-| MSS (Legacy) | MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Enabled | Prevents a denial-of-service (DoS) attack against a WINS server. The DoS consists of sending a NetBIOS Name Release Request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability. |
-
-## Controls
-
-The controls enforced in level 4 implement more controls and a more sophisticated security
-configuration than level 5. While they may have a slightly higher impact to
-users or to applications, they enforce a level of security more commensurate
-with the risks facing users with access to sensitive information. Microsoft
-recommends using the Audit/Enforce methodology for controls with an Audit mode,
-and [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do not, with a moderate timeline that
-is anticipated to be slightly longer than the process in level 5.
-
-| Feature Set | Feature | Description |
-|-------------------------------------------------------------|-------------------------------------------------------|----------------|
-| [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) | Enforce memory protection for OS-level controls:
- Control flow guard (CFG)
- Data Execution Protection (DEP)
- Mandatory ASLR
- Bottom-Up ASLR
- High-entropy ASLR
- Validate Exception Chains (SEHOP)
- Validate heap integrity | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at either the operating system level, or at the individual app level. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. dynamically generating code without marking memory as executable). Microsoft recommends gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
-| [Attack Surface Reduction (ASR)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)| Configure and enforce [Attack Surface Reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules)| Attack surface reduction controls help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. an Office application spawning a child process). Each control has an Audit mode, and as such, Microsoft recommends the Audit / Enforce Methodology (repeated here):
1) Audit – enable the controls in audit mode, and gather audit data in a centralized location
2) Review – review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
3) Enforce – Deploy the configuration of any exemptions and convert the control to enforce mode |
-| [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) | Configure and enforce Network Protection | Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). There is a risk to application compatibility, as a result of false positives in flagged sites. Microsoft recommends deploying using the Audit / Enforce Methodology. |
-
-## Behaviors
-
-The behaviors recommended in level 4 implement a more sophisticated security process. While they may require a more sophisticated organization, they enforce
-a level of security more commensurate with the risks facing users with access to
-sensitive information.
-
-| Feature Set| Feature | Description |
-|------------|----------|--------------|
-| Antivirus | Configure Protection Updates to failover to retrieval from Microsoft | Sources for Windows Defender Antivirus Protection Updates can be provided in an ordered list. If you are using internal distribution, such as SCCM or WSUS, configure Microsoft Update lower in the list as a failover. |
-| OS Security Updates | Deploy Windows Quality Updates within 4 days | As the time between release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, engineering a process that provides the ability to validate and deploy quality updates addressing known security vulnerabilities is a critical aspect of security hygiene.|
-| Helpdesk| 1:1 Administration| A simple and common model for helpdesk support is to add the Helpdesk group as a permanent member of the Local Administrators group of every device. If any device is compromised and helpdesk can connect to it, then these credentials can be used to obtain privilege on any / all other devices. Design and implement a strategy to provide helpdesk support without providing 1:all admin access – constraining the value of these Helpdesk credentials |
-
-
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-administrator-security.md
similarity index 60%
rename from windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md
rename to windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-administrator-security.md
index 7aa97de40d..8b9d1f63c3 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-administrator-security.md
@@ -1,5 +1,5 @@
---
-title: Level 1 enterprise administrator workstation security
+title: Level 5 enterprise administrator workstation security
description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 1 enterprise administrator security configuration.
keywords: virtualization, security, malware
ms.prod: w10
@@ -11,11 +11,11 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/05/2018
+ms.date: 06/11/2019
ms.reviewer:
---
-# Level 1 enterprise administrator workstation security configuration
+# Level 5 enterprise administrator workstation security configuration
**Applies to**
@@ -23,4 +23,4 @@ ms.reviewer:
Administrators (particularly of identity or security systems) present the highest risk to the organization−through data theft, data alteration, or service disruption.
-A level 1 configuration should include all the configurations from levels 5, 4, 3, and 2 and additional controls. We are planning recommendations for the additional controls now, so check back soon for level 1 enterprise administrator security configuration guidance!
+A level 5 configuration should include all the configurations from levels 4, 3, 2, and 1 and adds additional controls. We are planning recommendations for the additional controls now, so check back soon for level 5 enterprise administrator security configuration guidance!
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md
deleted file mode 100644
index e7792091b1..0000000000
--- a/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md
+++ /dev/null
@@ -1,245 +0,0 @@
----
-title: Level 5 enterprise security configuration
-description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 5 enterprise security configuration.
-keywords: virtualization, security, malware
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 04/05/2018
-ms.reviewer:
----
-
-# Level 5 enterprise security configuration
-
-**Applies to**
-
-- Windows 10
-
-Level 5 is the minimum security configuration for an enterprise device.
-Microsoft recommends the following configuration for level 5 devices.
-
-## Policies
-
-The policies in level 5 enforce a reasonable security level while minimizing the impact to users or to applications.
-Microsoft recommends using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for these security configurations and controls, noting that the timeline can generally be short given the limited potential impact of the security controls.
-
-### Security Template Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|-------------------------|--------------------------------------------------------------------------------------------------|---------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Password Policy | Enforce password history | 24 | The number of unique new passwords that must be associated with a user account before an old password can be reused. |
-| Password Policy | Minimum password length | 14 | The least number of characters that a password for a user account may contain. |
-| Password Policy | Password must meet complexity requirements | Enabled | Determines whether passwords must meet complexity requirements:
1) Not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither check is case sensitive.
The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed to not be included in the password. Tokens that are less than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.
2) Contain characters from three of the following categories:
- Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- Base 10 digits (0 through 9)
-Non-alphanumeric characters (special characters):
(~!@#$%^&*_-+=`\|\\(){}[]:;"'<>,.?/)
Currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting.
- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages. |
-| Password Policy | Store passwords using reversible encryption | Disabled | Determines whether the operating system stores passwords using reversible encryption. |
-| Security Options | Accounts: Guest account status | Disabled | Determines if the Guest account is enabled or disabled. |
-| Security Options | Domain member: Disable machine account password changes | Disabled | Determines whether a domain member periodically changes its computer account password. |
-| Security Options | Domain member: Maximum machine account password age | 30 | Determines how often a domain member will attempt to change its computer account password |
-| Security Options | Domain member: require strong (Windows 2000 or later) session key | Enabled | Determines whether 128-bit key strength is required for encrypted secure channel data |
-| Security Options | Interactive logon: Machine inactivity limit | 900 | The number of seconds of inactivity before the session is locked |
-| Security Options | User Account Control: Admin approval mode for the built-in administrator | Enabled | The built-in Administrator account uses Admin Approval Mode - any operation that requires elevation of privilege will prompt to user to approve that operation |
-| Security Options | User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop | When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. |
-| Security Options | User Account Control: Detect application installations and prompt for elevation | Enabled | When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. |
-| Security Options | User Account Control: Run all Administrators in admin approval mode | Enabled | This policy must be enabled, and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. |
-| Security Options | User Account Control: Virtualize file and registry write failures to per-user locations | Enabled | This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software. |
-| User Rights Assignments | Access Credential Manager as a trusted caller | No One (blank) | This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users saved credentials might be compromised if this privilege is given to other entities. |
-| User Rights Assignments | Act as part of the operating system | No One (blank) | This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. |
-| User Rights Assignments | Allow log on locally | Administrators; Users | Determines which users can log on to the computer |
-| User Rights Assignments | Back up files and directories | Administrators | Determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system |
-| User Rights Assignments | Create a pagefile | Administrators | Determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file |
-| User Rights Assignments | Create a token object | No One (blank) | Determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. |
-| User Rights Assignments | Create global objects | Administrators; LOCAL SERVICE; NETWORK SERVICE; SERVICE | This security setting determines whether users can create global objects that are available to all sessions. |
-| User Rights Assignments | Create permanent shared objects | No One (blank) | Determines which accounts can be used by processes to create a directory object using the object manager |
-| User Rights Assignments | Create symbolic links | Administrators | Determines if the user can create a symbolic link from the computer he is logged on to |
-| User Rights Assignments | Debug programs | Administrators | Determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. |
-| User Rights Assignments | Deny access to this computer from the network | Guests; NT AUTHORITY\\Local Account | Determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. |
-| User Rights Assignments | Deny log on locally | Guests | Determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies. |
-| User Rights Assignments | Deny log on through Remote Desktop Services | Guests; NT AUTHORITY\\Local Account | Determines which users and groups are prohibited from logging on as a Remote Desktop Services client |
-| User Rights Assignments | Force shutdown from a remote system | Administrators | Determines which users can shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. |
-| User Rights Assignments | Increase scheduling priority | Administrators | Determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. |
-| User Rights Assignments | Load and unload device drivers | Administrators | Determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
-| User Rights Assignments | Manage auditing and security log | Administrators | Determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. |
-| User Rights Assignments | Modify firmware environment variables | Administrators | Determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. |
-| User Rights Assignments | Restore files and directories | Administrators | Determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object |
-| User Rights Assignments | Take ownership of files or other objects | Administrators | Determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads |
-
-### Advanced Audit Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|--------------------|---------------------------------------|---------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Account Logon | Audit Credential Validation | Success and Failure | Audit events generated by validation tests on user account logon credentials. Occurs only on the computer that is authoritative for those credentials. |
-| Account Management | Audit Security Group Management | Success | Audit events generated by changes to security groups, such as creating, changing or deleting security groups, adding or removing members, or changing group type. |
-| Account Management | Audit User Account Management | Success and Failure | Audit changes to user accounts. Events include creating, changing, deleting user accounts; renaming, disabling, enabling, locking out, or unlocking accounts; setting or changing a user account’s password; adding a security identifier (SID) to the SID History of a user account; configuring the Directory Services Restore Mode password; changing permissions on administrative user accounts; backing up or restoring Credential Manager credentials |
-| Detailed Tracking | Audit PNP Activity | Success | Audit when plug and play detects an external device |
-| Detailed Tracking | Audit Process Creation | Success | Audit events generated when a process is created or starts; the name of the application or user that created the process is also audited |
-| Logon/ Logoff | Audit Account Lockout | Failure | Audit events generated by a failed attempt to log on to an account that is locked out |
-| Logon/ Logoff | Audit Group Membership | Success | Audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. |
-| Logon/ Logoff | Audit Logon | Success and Failure | Audit events generated by user account logon attempts on the computer |
-| Logon/ Logoff | Audit Other Logon / Logoff Events | Success and Failure | Audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting, such as Terminal Services session disconnections, new Terminal Services sessions locking and unlocking a workstation, invoking or dismissing a screen saver, detection of a Kerberos replay attack, or access to a wireless network granted to a user or computer account |
-| Logon/ Logoff | Audit Special Logon | Success | Audit events generated by special logons such as the use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level, or a logon by a member of a Special Group (Special Groups enable you to audit events generated when a member of a certain group has logged on to your network) |
-| Object Access | Audit Detailed File Share | Failure | Audit attempts to access files and folders on a shared folder; the Detailed File Share setting logs an event every time a file or folder is accessed |
-| Object Access | Audit File Share | Success and Failure | Audit attempts to access a shared folder; an audit event is generated when an attempt is made to access a shared folder |
-| Object Access | Audit Other Object Access Events | Success and Failure | Audit events generated by the management of task scheduler jobs or COM+ objects |
-| Object Access | Audit Removable Storage | Success and Failure | Audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. |
-| Policy Change | Audit Audit Policy Change | Success | Audit changes in the security audit policy settings |
-| Policy Change | Audit Authentication Policy Change | Success | Audit events generated by changes to the authentication policy |
-| Policy Change | Audit MPSSVC Rule-Level Policy Change | Success and Failure | Audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. |
-| Policy Change | Audit Other Policy Change Events | Failure | Audit events generated by other security policy changes that are not audited in the policy change category, such as Trusted Platform Module (TPM) configuration changes, kernel-mode cryptographic self tests, cryptographic provider operations, cryptographic context operations or modifications, applied Central Access Policies (CAPs) changes, or boot Configuration Data (BCD) modifications |
-| Privilege Use | Audit Sensitive Privilege Use | Success and Failure | Audit events generated when sensitive privileges (user rights) are used |
-| System | Audit Other System Events | Success and Failure | Audit any of the following events: Startup and shutdown of the Windows Firewall service and driver, security policy processing by the Windows Firewall Service, cryptography key file and migration operations. |
-| System | Audit Security State Change | Success | Audit events generated by changes in the security state of the computer such as startup and shutdown of the computer, change of system time, recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. |
-| System | Audit Security System Extension | Success | Audit events related to security system extensions or services |
-| System | Audit System Integrity | Success and Failure | Audit events that violate the integrity of the security subsystem |
-
-### Windows Defender Firewall Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|----------------------------|---------------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a domain connection |
-| Domain Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a domain connection |
-| Domain Profile / Logging | Size Limit | 16384 | Sets the firewall log file size for a domain connection |
-| Domain Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the domain profile |
-| Domain Profile / State | Firewall State | On | Enables the firewall when connected to the domain profile |
-| Domain Profile / State | Inbound Connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the domain profile |
-| Private Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a private connection |
-| Private Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a private connection |
-| Private Profile / Logging | Size limit | 16384 | Sets the firewall log file size for a private connection |
-| Private Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the private profile |
-| Private Profile / State | Firewall state | On | Enables the firewall when connected to the private profile |
-| Private Profile / State | Inbound connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the private profile |
-| Public Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a public connection |
-| Public Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a public connection |
-| Public Profile / Logging | Size Limit | 16384 | Sets the firewall log file size for a public connection |
-| Public Profile / Settings | Apply local connection security rules | No | Ensures local connection rules will not be merged with Group Policy settings in the domain |
-| Public Profile / Settings | Apply local firewall rules | No | Users cannot create new firewall rules |
-| Public Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the public profile |
-| Public Profile / State | Firewall state | On | Enables the firewall when connected to the public profile |
-| Public Profile / State | Inbound connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the public profile |
-
-### Computer Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|---------------------------------------------------------------------------|------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Network / Lanman Workstation | Enable insecure guest logons | Disabled | Determines if the SMB client will allow insecure guest logons to an SMB server |
-| System / Device Guard | Turn on Virtualization Based Security | Enabled: SecureBoot and DMA Protection | Specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot and can optionally be enabled with the use of DMA Protections. DMA protections require hardware support and will only be enabled on correctly configured devices. |
-| System / Early Launch Antimalware | Boot-Start Driver Initialization Policy | Enabled: Good, Unknown and bad but critical | Allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. |
-| System / Power Management / Sleep Settings | Require a password when a computer wakes (on battery) | Enabled | Specifies whether the user is prompted for a password when the system resumes from sleep |
-| System / Power Management / Sleep Settings | Require a password when a computer wakes (plugged in) | Enabled | Specifies whether the user is prompted for a password when the system resumes from sleep |
-| System / Remote Procedure Call | Restrict Unauthenticated RPC clients | Enabled: Authenticated | Controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. |
-| Windows Components / App runtime | Allow Microsoft accounts to be optional | Enabled | Lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. |
-| Windows Components / AutoPlay Policies | Disallow Autoplay for non-volume devices | Enabled | Disallows AutoPlay for MTP devices like cameras or phones. |
-| Windows Components / AutoPlay Policies | Set the default behavior for AutoRun | Enabled: Do not execute any autorun commands | Sets the default behavior for Autorun commands. |
-| Windows Components / AutoPlay Policies | Turn off Autoplay | Enabled: All Drives | Allows you to turn off the Autoplay feature. |
-| Windows Components / Biometrics / Facial Features | Configure enhanced anti-spoofing | Enabled | Determines whether enhanced anti-spoofing is required for Windows Hello face authentication |
-| Windows Components / BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 10) | Enabled: XTA-AES-256 for operating system drives and fixed drives and AES-CBC-256 for removable drives | Allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. |
-| Windows Components / BitLocker Drive Encryption | Disable new DMA devices when this computer is locked | Enabled | Allows you to block direct memory access (DMA) for all Thunderbolt hot pluggable PCI downstream ports until a user logs into Windows |
-| Windows Components / BitLocker Drive Encryption / Operating System Drives | Allow enhanced PINs for startup | Enabled | Allows you to configure whether enhanced startup PINs are used with BitLocker |
-| Windows Components / BitLocker Drive Encryption / Operating System Drives | Allow Secure Boot for integrity validation | Enabled | Allows you to configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives. |
-| Windows Components / Event Log Service / Application | Specify the maximum log file size (KB) | Enabled: 32768 | Specifies the maximum size of the log file in kilobytes. |
-| Windows Components / Event Log Service / Security | Specify the maximum log file size (KB) | Enabled: 196608 | Specifies the maximum size of the log file in kilobytes. |
-| Windows Components / Event Log Service / System | Specify the maximum log file size (KB) | Enabled: 32768 | Specifies the maximum size of the log file in kilobytes. |
-| Windows Components / Microsoft Edge | Configure Windows Defender SmartScreen | Enabled | Configure whether to turn on Windows Defender SmartScreen to provide warning messages to help protect your employees from potential phishing scams and malicious software |
-| Windows Components / Windows Defender SmartScreen / Explorer | Configure Windows Defender SmartScreen | Warn and prevent bypass | Allows you to turn Windows Defender SmartScreen on or off |
-| Windows Components / Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for files | Enabled | This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. |
-| Windows Components / Windows Defender SmartScreen / Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for sites | Enabled | Lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites |
-| Windows Components / Windows Installer | Allow user control over installs | Disabled | Permits users to change installation options that typically are available only to system administrators |
-| Windows Components / Windows Installer | Always install with elevated privileges | Disabled | Directs Windows Installer to use elevated permissions when it installs any program on the system |
-| Windows Components / Windows Logon Options | Sign-in last interactive user automatically after a system-initiated restart | Disabled | Controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system |
-| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Allow unencrypted traffic | Disabled | Manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network |
-| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Allow unencrypted traffic | Disabled | Manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. |
-
-### Windows Defender Antivirus Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|------------------------------------------------------------------------|-----------------------------------------------------------|----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Windows Components / Windows Defender Antivirus | Turn off Windows Defender Antivirus | Disabled | Turns off Windows Defender Antivirus |
-| Windows Components / Windows Defender Antivirus | Configure detection for potentially unwanted applications | Enabled: Audit | Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. |
-| Windows Components / Windows Defender Antivirus / MAPS | Join Microsoft MAPS | Enabled: Advanced MAPS | Allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. |
-| Windows Components / Windows Defender Antivirus / MAPS | Send file samples when further analysis is required | Enabled: Send safe samples | Configures behavior of samples submission when opt-in for MAPS telemetry is set |
-| Windows Components / Windows Defender Antivirus / Real-time Protection | Turn off real-time protection | Disabled | Turns off real-time protection prompts for known malware detection |
-| Windows Components / Windows Defender Antivirus / Real-time Protection | Turn on behavior monitoring | Enabled | Allows you to configure behavior monitoring. |
-| Windows Components / Windows Defender Antivirus / Scan | Scan removable drives | Enabled | Allows you to manage whether to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. |
-| Windows Components / Windows Defender Antivirus / Scan | Specify the interval to run quick scans per day | 24 | Allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). |
-| Windows Components / Windows Defender Antivirus / Scan | Turn on e-mail scanning | Enabled | Allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments |
-
-### User Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|----------------------------------------|-------------------------------------------------------------|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Start Menu and Taskbar / Notifications | Turn off toast notifications on the lock screen | Enabled | Turns off toast notifications on the lock screen. |
-| Windows Components / Cloud Content | Do not suggest third-party content in the Windows spotlight | Enabled | Windows spotlight features like lock screen spotlight, suggested apps in Start menu or Windows tips will no longer suggest apps and content from third-party software publishers |
-
-### IE Computer Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|---------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Windows Components / Internet Explorer | Prevent managing SmartScreen Filter | Enabled: On | Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. |
-| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Check for server certificate revocation | Enabled | Allows you to manage whether Internet Explorer will check revocation status of servers' certificates |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on Cross-Site Scripting Filter | Enabled: Enable | Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on Protected Mode | Enabled: Enable | Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Use Pop-up Blocker | Enabled: Enable | Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Java permissions | Enabled: High Safety | Allows you to manage permissions for Java applets. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Local Machine Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-down Internet Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on Cross-Site Scripting Filter | Enabled: Enable | Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on Protected Mode | Enabled: Enable | Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Trusted Sites Zone | Java permissions | Enabled: Enable | Allows you to configure policy settings according to the default for the selected security level, such Low, Medium, or High. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Use Pop-up Blocker | Enabled: Enable | Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. |
-| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. |
-| Windows Components / Internet Explorer / Security Features | Allow fallback to SSL 3.0 (Internet Explorer) | Enabled: No sites | Allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails. |
-
-### LAPS
-
-Download and install the [Microsoft Local Admin Password Solution (LAPS)](https://www.microsoft.com/download/details.aspx?id=46899).
-
-| Feature | Policy Setting | Policy Value | Description |
-|---------|----------------------------------------|--------------|-------------------------------|
-| LAPS | Enable local admin password management | Enabled | Activates LAPS for the device |
-
-### Custom Policies
-
-| Feature | Policy Setting | Policy Value | Description |
-|-----------------------------------------------------------------------|-----------------------------------------------------------|--------------|---------------------------------------------------------------------------------------|
-| Computer Configuration / Administrative Templates / MS Security Guide | Apply UAC restrictions to local accounts on network logon | Enabled | Filters the user account token for built-in administrator accounts for network logons |
-
-### Services
-
-| Feature | Policy Setting | Policy Value | Description |
-|----------------|-----------------------------------|--------------|-----------------------------------------------------------------------------------|
-| Scheduled Task | XblGameSaveTask | Disabled | Syncs save data for Xbox Live save-enabled games |
-| Services | Xbox Accessory Management Service | Disabled | Manages connected Xbox accessories |
-| Services | Xbox Game Monitoring | Disabled | Monitors Xbox games currently being played |
-| Services | Xbox Live Auth Manager | Disabled | Provides authentication and authorization services for interactive with Xbox Live |
-| Services | Xbox Live Game Save | Disabled | Syncs save data for Xbox live save enabled games |
-| Services | Xbox Live Networking Service | Disabled | Supports the Windows.Networking.XboxLive API |
-
-## Controls
-
-The controls enabled in level 5 enforce a reasonable security level while minimizing the impact to users and applications.
-
-| Feature | Config | Description |
-|-----------------------------------|-------------------------------------|--------------------|
-| [Windows Defender ATP EDR](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | Deployed to all devices | The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an an entity called an *incident*. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step. |
-| [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) | Enabled for all compatible hardware | Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. There is a small risk to application compatibility, as [applications will break](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements#application-requirements) if they require NTLMv1, Kerberos DES encryption, Kerberos unconstrained delegation, or extracting the Keberos TGT. As such, Microsoft recommends deploying Credential Guard using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
-| [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/) | Default browser | Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
-| [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Enabled on compatible hardware | Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). |
-
-## Behaviors
-
-The behaviors recommended in level 5 enforce a reasonable security level while minimizing the impact to users or to applications.
-
-| Feature | Config | Description |
-|---------|-------------------|-------------|
-| OS security updates | Deploy Windows Quality Updates within 7 days of release | As the time between the release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, a critical aspect of security hygiene is having an engineering process that quickly validates and deploys Quality Updates that address security vulnerabilities. |
-
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md
index c7db094d6f..fd0c3af5a7 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md
@@ -11,7 +11,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/05/2018
+ms.date: 06/11/2019
ms.reviewer:
---
@@ -21,45 +21,56 @@ ms.reviewer:
- Windows 10
-Security configuration is complex. With thousands of group policies available in Windows, choosing the “best” setting is difficult.
-It’s not always obvious which permutations of policies are required to implement a complete scenario, and there are often unintended consequences of some security lockdowns.
+Security configuration is complex. When hardening your deployment of Windows 10, how should you prioritize the hardware you buy, policies you enforce, controls you configure, and behavior your staff exhibit?
-Because of this, with each release of Windows, Microsoft publishes [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines), an industry-standard configuration that is broadly known and well-tested.
-However, many organizations have discovered that this baseline sets a very high bar.
-While appropriate for organizations with very high security needs such as those persistently targeted by Advanced Persistent Threats, some organizations have found that the cost of navigating the potential compatibility impact of this configuration is prohibitively expensive given their risk appetite.
-They can’t justify the investment in that very high level of security with an ROI.
+Even when configuring policies, with thousands of policies available in Windows, choosing the “best” setting is difficult. It’s not always obvious which permutations of policies are required to implement a complete scenario, and there are often unintended consequences of security lockdowns. Because of this, with each release of Windows, Microsoft publishes [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines), an industry-standard configuration that is broadly known and well-tested. However, many organizations have discovered that this baseline sets a very high bar for some scenarios.
-As such, Microsoft is introducing a new taxonomy for security configurations for Windows 10.
-This new security configuration framework, which we call the SECCON framework (remember "WarGames"?), organizes devices into one of 5 distinct security configurations.
+To help you prioritize your endpoint hardening work, Microsoft is introducing a new taxonomy for security configurations for Windows 10. In this initial preview, we are simply listing recommended hardware, policies, controls, and behaviors in order to gather feedback from more customers and security experts in order to refine the framework and prioritize opportunities to automate.
+
+This new security configuration framework, which we affectionately nickname the SecCon framework (remember "WarGames"?), organizes devices into one of 5 distinct security configurations.
-- [Level 5 Enterprise Security](level-5-enterprise-security.md) – We recommend this configuration as the minimum security configuration for an enterprise device. Recommendations for this level are generally straightforward and are designed to be deployable within 30 days.
-- [Level 4 Enterprise High Security](level-4-enterprise-high-security.md) – We recommend this configuration for devices where users access sensitive or confidential information. Some of the controls may have an impact to app compat, and therefore will often go through an audit-configure-enforce workflow. Recommendations for this level are generally accessible to most organizations and are designed to be deployable within 90 days.
-- [Level 3 Enterprise VIP Security](level-3-enterprise-vip-security.md) – We recommend this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (as one example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days.
-- [Level 2 DevOps Workstation](level-2-enterprise-devops-security.md) – We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. Level 2 guidance is coming soon!
-- [Level 1 Administrator Workstation](level-1-enterprise-administrator-security.md) – Administrators (particularly of identity or security systems) present the highest risk to the organization, through data theft, data alteration, or service disruption. Level 1 guidance is coming soon!
+- [Level 1 enterprise basic security](level-1-enterprise-basic-security.md) – We recommend this configuration as the minimum security configuration for an enterprise device. Recommendations for this level are generally straightforward and are designed to be deployable within 30 days.
+- [Level 2 enterprise enhanced security](level-2-enterprise-enhanced-security.md) – We recommend this configuration for devices where users access sensitive or confidential information. Some of the controls may have an impact to app compat, and therefore will often go through an audit-configure-enforce workflow. Recommendations for this level are generally accessible to most organizations and are designed to be deployable within 90 days.
+- [Level 3 enterprise high security](level-3-enterprise-high-security.md) – We recommend this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (as one example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days.
+- [Level 4 DevOps workstation](level-4-enterprise-devops-security.md) – We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. Level 4 guidance is coming soon!
+- [Level 5 administrator workstation](level-5-enterprise-administrator-security.md) – Administrators (particularly of identity or security systems) present the highest risk to the organization, through data theft, data alteration, or service disruption. Level 5 guidance is coming soon!
The security configuration framework divides configuration into Productivity Devices and Privileged Access Workstations. This document will focus on Productivity Devices
-(Levels 5, 4, and 3).
+(Levels 1, 2, and 3).
Microsoft’s current guidance on [Privileged Access Workstations](http://aka.ms/privsec) are part of the [Securing Privileged Access roadmap](http://aka.ms/privsec).
Microsoft recommends reviewing and categorizing your devices, and then configuring them using the prescriptive guidance for that level.
-Level 5 should be considered the minimum baseline for an enterprise device, and Microsoft recommends increasing the protection based on both threat environment and risk appetite.
+Level 1 should be considered the minimum baseline for an enterprise device, and Microsoft recommends increasing the protection based on both threat environment and risk appetite.
## Security control classification
-The recommendations are grouped into three categories.
-
-
+The recommendations are grouped into four categories.
+| Hardware | Policies | Controls | Behaviors |
+|----------|----------|----------|-----------|
+| Microsoft recommends acquiring hardware that supports the specified hardware features, in order to support Windows security features | Microsoft recommends enforcing the configuration of the specified policies in the manner described, to harden Windows to the designated level of security | Microsoft recommends enabling the security controls specified in the manner described, to provide protections appropriate to the designated level of security. | Microsoft recommends changing organizational behavior towards the endpoints in the manner described. |
## Security control deployment methodologies
The way Microsoft recommends implementing these controls depends on the
auditability of the control–there are two primary methodologies.
-
+### Rings
+Security controls which don't support an audit mode should be deployed gradually. A typical deployment methodology:
+1. Test ring - deploy to a lab to validate "must test" apps prior to enforcement of any configuration
+2. Pilot ring - deploy to a representative sample of 2-5% of the environment
+3. Fast ring - deploy to the next 25% of the environment
+4. Slow ring - deploy to the remainder of the organization
+
+### Audit / Enforce
+
+Security controls which support an audit mode can be deployed using the following methodology:
+
+1. Audit - enable the control in audit mode, and gather audit data in a centralized location
+2. Review - review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
+3. Enforce - deploy the configuration of any exemptions and convert the control to enforce mode
diff --git a/windows/threat-protection/docfx.json b/windows/threat-protection/docfx.json
index 98413f9962..12bbd676fa 100644
--- a/windows/threat-protection/docfx.json
+++ b/windows/threat-protection/docfx.json
@@ -31,11 +31,9 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
- "uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
- "ms.author": "justinha",
"ms.date": "04/05/2017",
"_op_documentIdPathDepotMapping": {
"./": {
diff --git a/windows/threat-protection/index.md b/windows/threat-protection/index.md
deleted file mode 100644
index 1417ec0534..0000000000
--- a/windows/threat-protection/index.md
+++ /dev/null
@@ -1,3 +0,0 @@
----
-redirect_url: https://docs.microsoft.com/windows/security/threat-protection/
----
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index 1903ec7f9a..b86924bf53 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -31,11 +31,9 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
- "uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
- "ms.author": "trudyha",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
diff --git a/windows/whats-new/images/system-guard.png b/windows/whats-new/images/system-guard.png
new file mode 100644
index 0000000000..586f63d4da
Binary files /dev/null and b/windows/whats-new/images/system-guard.png differ
diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md
index de2548056a..c89b8110a0 100644
--- a/windows/whats-new/ltsc/index.md
+++ b/windows/whats-new/ltsc/index.md
@@ -6,7 +6,6 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
-ms.date: 12/27/2018
ms.localizationpriority: low
ms.topic: article
---
@@ -42,9 +41,9 @@ With the LTSC servicing model, customers can delay receiving feature updates and
>[!IMPORTANT]
>The Long Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181).
-For detailed information about Windows 10 servicing, see [Overview of Windows as a service](/windows/deployment/update/waas-overview.md).
+For detailed information about Windows 10 servicing, see [Overview of Windows as a service](/windows/deployment/update/waas-overview).
## See Also
[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
-[Windows 10 - Release information](https://docs.microsoft.com/en-us/windows/windows-10/release-information): Windows 10 current versions by servicing option.
\ No newline at end of file
+[Windows 10 - Release information](https://docs.microsoft.com/windows/windows-10/release-information): Windows 10 current versions by servicing option.
\ No newline at end of file
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
index c20bd31308..581fc39b20 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
@@ -1,14 +1,14 @@
---
title: What's new in Windows 10 Enterprise 2015 LTSC
ms.reviewer:
-manager: dansimp
-ms.author: macapara
+manager: laurawi
+ms.author: greglin
description: New and updated IT Pro content about new features in Windows 10 Enterprise 2015 LTSC (also known as Windows 10 Enterprise 2015 LTSB).
keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2015 LTSC"]
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-author: mjcaparas
+author: greg-lindsay
ms.localizationpriority: low
ms.topic: article
---
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
index dfa92423f4..ebf6fb48d9 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
@@ -1,14 +1,14 @@
---
title: What's new in Windows 10 Enterprise 2016 LTSC
ms.reviewer:
-manager: dansimp
-ms.author: macapara
+manager: laurawi
+ms.author: greglin
description: New and updated IT Pro content about new features in Windows 10 Enterprise 2016 LTSC (also known as Windows 10 Enterprise 2016 LTSB).
keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2016 LTSC"]
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-author: mjcaparas
+author: greg-lindsay
ms.localizationpriority: low
ms.topic: article
---
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index c60b88f548..dad076a535 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -1,14 +1,14 @@
---
title: What's new in Windows 10 Enterprise 2019 LTSC
ms.reviewer:
-manager: dansimp
-ms.author: macapara
+manager: laurawi
+ms.author: greglin
description: New and updated IT Pro content about new features in Windows 10 Enterprise 2019 LTSC (also known as Windows 10 Enterprise 2019 LTSB).
keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2019 LTSC"]
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-author: mjcaparas
+author: greg-lindsay
ms.localizationpriority: low
ms.topic: article
---
@@ -36,8 +36,7 @@ The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC use
## Microsoft Intune
->Microsoft Intune supports LTSC 2019 and later.
-
+>Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching.
## Security
@@ -279,33 +278,6 @@ To learn more about Autopilot self-deploying mode and to see step-by-step instru
IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset).
-## Sign-in
-
-### Faster sign-in to a Windows 10 shared pc
-
-If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash!
-
-**To enable fast sign-in:**
-1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise 2019 LTSC.
-2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in.
-3. Sign-in to a shared PC with your account. You'll notice the difference!
-
- 
-
-### Web sign-in to Windows 10
-
-Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML).
-
-**To try out web sign-in:**
-1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs).
-2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in.
-3. On the lock screen, select web sign-in under sign-in options.
-4. Click the “Sign in” button to continue.
-
-
-
-## Deployment
-
### MBR2GPT.EXE
MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise 2019 LTSC (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
@@ -316,10 +288,6 @@ Additional security features of Windows 10 that are enabled when you boot in UEF
For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt).
-### Windows Autopilot
-
-Information about Windows Autopilot support for LTSC 2019 is pending.
-
### DISM
The following new DISM commands have been added to manage feature updates:
@@ -372,6 +340,31 @@ Portions of the work done during the offline phases of a Windows update have bee
SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
+## Sign-in
+
+### Faster sign-in to a Windows 10 shared pc
+
+If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash!
+
+**To enable fast sign-in:**
+1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise 2019 LTSC.
+2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in.
+3. Sign-in to a shared PC with your account. You'll notice the difference!
+
+ 
+
+### Web sign-in to Windows 10
+
+Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML).
+
+**To try out web sign-in:**
+1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs).
+2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in.
+3. On the lock screen, select web sign-in under sign-in options.
+4. Click the “Sign in” button to continue.
+
+
+
## Windows Analytics
### Upgrade Readiness
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index 46e7f7bca5..0e1be04497 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -126,7 +126,7 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10
You can read more about ransomware mitigations and detection capability in Windows Defender Advanced Threat Protection in the blog: [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/).
-Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see [Windows Defender ATP for Windows 10 Creators Update](https://technet.microsoft.com/en-au/windows/mt782787).
+Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see [Windows Defender ATP for Windows 10 Creators Update](https://technet.microsoft.com/windows/mt782787).
### Windows Defender Antivirus
Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index 1d839ac866..61b20e6870 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -36,7 +36,7 @@ This article lists new and updated features and content that are of interest to
Windows 10 Education support has been added to Windows 10 Subscription Activation.
-With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-subscription-activation).
+With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation).
### SetupDiag
@@ -51,7 +51,7 @@ SetupDiag is a command-line tool that can help diagnose why a Windows 10 update
## Servicing
- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with System Center Configuration Manager content coming soon!
-- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
+- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again.
@@ -116,10 +116,18 @@ The draft release of the [security configuration baseline settings](https://blog
This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker.
- [Allow COM Object Registration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
+#### System Guard
+
+[System Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has added a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, OS memory and secrets are protected from SMM. There are currently no devices out there with compatible hardware, but they will be coming out in the next few months.
+
+This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly:
+
+
+
### Identity Protection
- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
-- [Streamlined Windows Hello PIN reset experience](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
+- [Streamlined Windows Hello PIN reset experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
- Sign-in with [Password-less](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience!
- [Remote Desktop with Biometrics](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
@@ -131,13 +139,11 @@ The draft release of the [security configuration baseline settings](https://blog
## Microsoft Edge
-Windows 10, version 1903 offers new Group Policies and [MDM policies](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser) for managing Microsoft Edge. You can silently enable BitLocker for standard Azure Active Directory-joined users. You can also more easily manage the entire Microsoft 365 experience for users with the Microsoft 365 Admin Center.
-
Several new features are coming in the next version of Edge. See the [news from Build 2019](https://blogs.windows.com/msedgedev/2019/05/06/edge-chromium-build-2019-pwa-ie-mode-devtools/#2QJF4u970WjQ2Sv7.97) for more information.
## See Also
-[What's New in Windows Server, version 1903](https://docs.microsoft.com/en-us/windows-server/get-started/whats-new-in-windows-server-1903): New and updated features in Windows Server.
+[What's New in Windows Server, version 1903](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1903): New and updated features in Windows Server.
[Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
[What's new in Windows 10](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
|
+ 
+ 
+ 
+ 
+ 
+ 
+ ++
+ ++
+ ++
+
+ 
+
+ 
+
+ 
-
+ 
When initially deploying new Windows devices, Windows Autopilot leverages the OEM-optimized version of Windows 10 that is preinstalled on the device, saving organizations the effort of having to maintain custom images and drivers for every model of device being used. Instead of re-imaging the device, your existing Windows 10 installation can be transformed into a “business-ready” state, applying settings and policies, installing apps, and even changing the edition of Windows 10 being used (e.g. from Windows 10 Pro to Windows 10 Enterprise) to support advanced features.
@@ -61,5 +61,5 @@ Windows 10 version 1703 or higher is required to use Windows Autopilot. See [Win
## Related topics
-[Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/en-us/intune/enrollment-autopilot)