Introductiondownload.microsoft.com/download/4/C/1/4C1F4EA4-2D66-4232... · Web viewMicrosoft may...


Windows 10 (Anniversary Update) Mobile Device PP Operational Guidance

Microsoft Windows

Common Criteria Evaluation

Microsoft Windows 10 (Anniversary Update)

Windows 10 (Anniversary Update) Mobile Device Operational Guidance

Document Information

Version Number: 1.0

Updated On: 16 March, 2017

Microsoft © 2017 Page 1 of 69


The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs-NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd-nc/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2017 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Visual Basic, Visual Studio, Windows, the Windows logo, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


TABLE OF CONTENTS

1 INTRODUCTION ........ 13
  1.1 CONFIGURATION ........ 13
    1.1.1 EVALUATED CONFIGURATION ........ 13
    1.1.2 MOBILE DEVICE MANAGEMENT SOLUTIONS ........ 14
2 MANAGEMENT FUNCTIONS ........ 14
3 MANAGING AUDITS ........ 17
  3.1 WINDOWS 10 ........ 17
    3.1.1 AUDIT EVENTS ........ 17
  3.2 MANAGING AUDIT POLICY ........ 36
    3.2.1 WINDOWS 10 ........ 36
4 MANAGING WIPE ........ 39
  4.1 IT ADMINISTRATOR GUIDANCE ........ 39
  4.2 WINDOWS 10 ........ 39
    4.2.1 LOCAL ADMINISTRATOR GUIDANCE ........ 39
  4.3 WINDOWS 10 MOBILE ........ 39
    4.3.1 USER GUIDANCE ........ 39
5 MANAGING EAP-TLS ........ 39
  5.1 IT ADMINISTRATOR GUIDANCE ........ 40


  5.2 WINDOWS 10 ........ 40
    5.2.1 LOCAL ADMINISTRATOR GUIDANCE ........ 40
  5.3 USER GUIDANCE ........ 41
6 MANAGING TLS/DTLS ........ 41
  6.1 IT ADMINISTRATOR GUIDANCE ........ 41
  6.2 WINDOWS 10 ........ 41
    6.2.1 LOCAL ADMINISTRATOR GUIDANCE ........ 41
  6.3 USER GUIDANCE ........ 43
7 MANAGING APPS ........ 43
  7.1 IT ADMINISTRATOR GUIDANCE ........ 43
  7.2 WINDOWS 10 ........ 43
    7.2.1 LOCAL ADMINISTRATOR GUIDANCE ........ 43
8 MANAGING VOLUME ENCRYPTION ........ 44
  8.1 IT ADMINISTRATOR GUIDANCE ........ 44
  8.2 WINDOWS 10 ........ 44
    8.2.1 LOCAL ADMINISTRATOR GUIDANCE ........ 44
    8.2.2 USER GUIDANCE ........ 45
  8.3 WINDOWS 10 MOBILE ........ 46
    8.3.1 USER GUIDANCE ........ 46
9 MANAGING VPN ........ 46
  9.1 IT ADMINISTRATOR GUIDANCE ........ 46


  9.2 WINDOWS 10 ........ 46
    9.2.1 LOCAL ADMINISTRATOR GUIDANCE ........ 46
10 MANAGING ACCOUNTS ........ 47
  10.1 IT ADMINISTRATOR GUIDANCE ........ 47
  10.2 WINDOWS 10 ........ 47
  10.3 LOCAL ADMINISTRATOR GUIDANCE ........ 47
11 MANAGING BLUETOOTH ........ 48
  11.1 IT ADMINISTRATOR GUIDANCE ........ 48
    11.1.1 USER GUIDANCE ........ 48
  11.2 WINDOWS 10 MOBILE ........ 48
    11.2.1 USER GUIDANCE ........ 48
12 MANAGING PASSWORDS ........ 49
  12.1 STRONG PASSWORDS ........ 49
    12.1.1 IT ADMINISTRATOR GUIDANCE ........ 49
    12.1.2 WINDOWS 10 ........ 49
  12.2 PROTECTING PASSWORDS ........ 50
    12.2.1 WINDOWS 10 ........ 50
    12.2.2 WINDOWS 10 MOBILE ........ 50
  12.3 LOGON/LOGOFF PASSWORD POLICY ........ 50
    12.3.1 IT ADMINISTRATOR GUIDANCE ........ 51
    12.3.2 WINDOWS 10 ........ 51
13 MANAGING NOTIFICATIONS IN THE LOCKED STATE ........ 51


  13.1 WINDOWS 10 ........ 52
    13.1.1 USER GUIDANCE ........ 52
  13.2 WINDOWS 10 MOBILE ........ 52
    13.2.1 USER GUIDANCE ........ 52
14 MANAGING CERTIFICATES ........ 52
  14.1 CERTIFICATE VALIDATION ........ 53
    14.1.1 WINDOWS 10 ........ 53
  14.2 DEVELOPER GUIDANCE ........ 54
    14.2.1 SHARED USER KEYS ........ 54
    14.2.2 CUSTOM CERTIFICATE REQUESTS ........ 54
  14.3 IT ADMINISTRATOR GUIDANCE ........ 54
  14.4 WINDOWS 10 ........ 55
    14.4.1 LOCAL ADMINISTRATOR GUIDANCE ........ 55
    14.4.2 USER GUIDANCE ........ 55
  14.5 WINDOWS 10 MOBILE ........ 55
    14.5.1 USER GUIDANCE ........ 55
15 MANAGING TIME ........ 56
  15.1 WINDOWS 10 ........ 56
    15.1.1 LOCAL ADMINISTRATOR GUIDANCE ........ 56
  15.2 WINDOWS 10 MOBILE ........ 56
    15.2.1 USER GUIDANCE ........ 56
16 GETTING VERSION INFORMATION ........ 57
  16.1 IT ADMINISTRATOR GUIDANCE ........ 57


  16.2 WINDOWS 10 ........ 57
    16.2.1 USER GUIDANCE ........ 57
  16.3 WINDOWS 10 MOBILE ........ 57
    16.3.1 USER GUIDANCE ........ 57
17 LOCKING A DEVICE ........ 58
  17.1 IT ADMINISTRATOR GUIDANCE ........ 58
  17.2 WINDOWS 10 ........ 58
    17.2.1 LOCAL ADMINISTRATOR GUIDANCE ........ 58
    17.2.2 USER GUIDANCE ........ 59
  17.3 WINDOWS 10 MOBILE ........ 59
    17.3.1 USER GUIDANCE ........ 59
  17.4 MANAGING NOTIFICATIONS PRIOR TO UNLOCKING A DEVICE ........ 59
    17.4.1 IT ADMINISTRATOR GUIDANCE ........ 59
    17.4.2 WINDOWS 10 ........ 60
18 MANAGING AIRPLANE MODE ........ 60
  18.1 WINDOWS 10 ........ 60
    18.1.1 USER GUIDANCE ........ 60
  18.2 WINDOWS 10 MOBILE ........ 60
    18.2.1 USER GUIDANCE ........ 60
19 MANAGING DEVICE ENROLLMENT ........ 60
  19.1 IT ADMINISTRATOR GUIDANCE ........ 61
  19.2 WINDOWS 10 ........ 61
    19.2.1 LOCAL ADMINISTRATOR GUIDANCE ........ 61


  19.3 Windows 10 Mobile
    19.3.1 User Guidance
20 Managing Updates
  20.1 IT Administrator Guidance
  20.2 Windows 10
    20.2.1 Local Administrator Guidance
21 Managing Collection Devices
  21.1 IT Administrator Guidance
  21.2 Windows 10
    21.2.1 Local Administrator Guidance
22 Managing USB
  22.1 IT Administrator Guidance
  22.2 Windows 10
    22.2.1 Local Administrator Guidance
23 Managing Backup
  23.1 Windows 10
    23.1.1 Local Administrator Guidance
  23.2 Windows 10 and Windows 10 Mobile
    23.2.1 User Guidance


24 Managing Enterprise Apps
  24.1 IT Administrator Guidance
  24.2 User Guidance
25 Managing Developer Mode
  25.1 IT Administrator Guidance
  25.2 Windows 10
    25.2.1 Local Administrator Guidance
26 Managing Cryptographic Algorithms
27 Managing GPS
  27.1 IT Administrator Guidance
28 Managing Location Services
  28.1 IT Administrator Guidance
  28.2 Windows 10
    28.2.1 Local Administrator Guidance
29 Managing Wi-Fi
  29.1 IT Administrator Guidance
30 Managing Wireless Networks (SSIDs)


  30.1 IT Administrator Guidance
  30.2 Windows 10
    30.2.1 Local Administrator Guidance
31 Managing Personal Hotspots
  31.1 IT Administrator Guidance
  31.2 Windows 10
    31.2.1 Local Administrator Guidance
32 Managing Mobile Broadband
  32.1 IT Administrator Guidance
33 Managing Cellular Protocols
  33.1 Windows 10 Mobile
    33.1.1 IT Administrator Guidance
  33.2 Windows 10
    33.2.1 Local Administrator
34 Managing Health Attestation
  34.1 IT Administrator Guidance
35 Managing Sensitive Data
  35.1 IT Administrator Guidance


  35.2 Windows 10
    35.2.1 Local Administrator Guidance
  35.3 Windows 10 Mobile
36 Managing USB Mass Storage
  36.1 IT Administrator Guidance
37 Natively Installed Applications


1 Introduction

This document provides operational guidance for a Common Criteria evaluation. It describes only the security functionality that the administrator should use; any security functionality not described in this document is not part of the evaluation.

1.1 Configuration

1.1.1 Evaluated Configuration

The Common Criteria evaluation covers a specific configuration of Windows, the “evaluated configuration”. To run Windows deployments in the evaluated configuration, follow the deployment steps and apply the security policies and security settings indicated below. Section 1.1 of the Security Target describes the Windows editions and security patches included in the evaluated configuration.

The operating system is pre-installed on the devices in the evaluated configuration. When the device is turned on for the first time the Out of Box Experience (OOBE) runs to complete the configuration.

The following security policies are applied after completing the OOBE:

Security Policy | Policy Setting
Local Policies\Security Options\System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithm | Enabled
Administrative Template\Windows Components\Credentials User Interface\Do not display the password reveal button | Enabled

The following security settings are applied to create the evaluated configuration:

- Cipher suite selection is configured according to section 5, Managing TLS
- Volume encryption is enabled according to section 8, Managing Volume Encryption
- VPN connections route all traffic through the VPN tunnel as described in section 9, Managing VPN
- Passwords use a minimum of six alphanumeric characters and symbols according to section 12.1, Strong Passwords
- RSA machine certificates are configured according to section 14, Managing Certificates, to use a minimum 2048-bit key length
- Session locking is enabled according to section 16, Locking a Device
- Devices are enrolled for device management according to section 19, Managing Device Enrollment
- The enrollment policy must have the Enterprise Data Protection settings enabled
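The following PowerShell script is an added example, not part of the Microsoft guidance, that spot-checks a Windows 10 host against four of the evaluated-configuration items listed above: the FIPS 140 policy, the password reveal button policy, volume encryption on the OS volume, and the 2048-bit minimum for RSA machine certificates. The registry locations used for the two security policies are not given in the guidance; they are the standard local-policy backing values for those settings and are marked as assumptions in the comments. Run it from an elevated session.

```powershell
# Added example (not from the Microsoft guidance): report PASS/FAIL for a subset of
# the evaluated-configuration items in section 1.1.1.
# Assumption: the two security policies are stored in the registry values checked
# below (the usual local-policy backing for these settings; verify with gpresult /h
# or the Local Security Policy console if your build differs).

function Test-RegistryValue {
    param([string]$Path, [string]$Name, [int]$Expected)
    $v = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $false }
    return ([int]$v.$Name -eq $Expected)
}

function Test-EvaluatedConfiguration {
    $results = [ordered]@{}

    # Policy: "System cryptography: Use FIPS 140 compliant cryptographic algorithms" = Enabled
    $results['FIPS algorithm policy enabled'] = Test-RegistryValue `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
        -Name 'Enabled' -Expected 1

    # Policy: "Credentials User Interface\Do not display the password reveal button" = Enabled
    $results['Password reveal button disabled'] = Test-RegistryValue `
        -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredUI' `
        -Name 'DisablePasswordReveal' -Expected 1

    # Section 8: volume encryption enabled on the OS volume (BitLocker).
    $osEncrypted = $false
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
        if ($null -ne $os) {
            $osEncrypted = ($os.ProtectionStatus -eq 'On' -and
                            $os.VolumeStatus -eq 'FullyEncrypted')
        }
    }
    $results['OS volume encrypted (BitLocker on)'] = $osEncrypted

    # Section 14: every RSA machine certificate uses a key of at least 2048 bits.
    $weak = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.PublicKey.Oid.FriendlyName -eq 'RSA' -and
                       $_.PublicKey.Key.KeySize -lt 2048 }
    $results['No RSA machine certificates below 2048 bits'] = (@($weak).Count -eq 0)

    return $results
}

$report = Test-EvaluatedConfiguration
$report.GetEnumerator() | ForEach-Object {
    '{0,-48} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

A FAIL on the FIPS row means the policy shown in the table above has not taken effect, so the cipher-suite and BitLocker settings from sections 5 and 8 are not constrained to FIPS-approved algorithms either. The script reads state only; it does not change any setting, so it can be run repeatedly as a post-OOBE check.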


Some of the links in this document were written for Windows versions earlier than Windows 10 (Anniversary Update). The content behind these links applies to the Windows 10 (Anniversary Update) version as well.

1.1.2 Mobile Device Management Solutions

Many of the configurations described in this guide for the IT Administrator role are applied to the device through a Mobile Device Management (MDM) solution. The specific steps to perform a configuration through the MDM are solution-specific and are not described in this document. Examples of possible configuration option text may be provided in this document, but are not guaranteed to match any specific MDM solution. See the MDM solution documentation for detailed configuration actions.

2 Management Functions

The following table maps management functions to roles. Each row lists the Windows editions for which guidance is provided, by column, in the order of the table header; roles with no guidance for a function have no entry.

Management Function | User Guidance | Local Administrator Guidance | IT Administrator Guidance

1. Configure password policy: Windows 10 | Windows 10, Windows 10 Mobile
2. Configure session locking policy: Windows 10 | Windows 10, Windows 10 Mobile
3. Enable/disable the VPN protection: Windows 10 | Windows 10, Windows 10 Mobile
4. Enable/disable [GPS, Wi-Fi, mobile broadband radios, Bluetooth]: Windows 10, Windows 10 Mobile
5. Enable/disable [camera, microphone]: Windows 10 | Windows 10 Mobile, Windows 10 (Camera only)
6. Specify wireless networks (SSIDs) to which the TSF may connect: Windows 10 | Windows 10, Windows 10 Mobile
7. Configure security policy for connecting to wireless networks: Windows 10 | Windows 10, Windows 10 Mobile
8. Transition to the locked state: Windows 10 | Windows 10, Windows 10 Mobile
9. TSF wipe of protected data: Windows 10 | Windows 10, Windows 10 Mobile
10. Configure application installation policy: Windows 10 | Windows 10, Windows 10 Mobile
11. Import keys/secrets into the secure key storage: Windows 10, Windows 10 Mobile | Windows 10
12. Destroy imported keys/secrets and any other keys/secrets in the secure key storage: Windows 10, Windows 10 Mobile | Windows 10
13. Import X.509v3 certificates into the Trust Anchor Database: Windows 10 | Windows 10, Windows 10 Mobile
14. Remove imported X.509v3 certificates and any other X.509v3 certificates in the Trust Anchor Database: Windows 10 Mobile | Windows 10
15. Enroll the TOE in management: Windows 10 Mobile | Windows 10
16. Remove applications: Windows 10 | Windows 10, Windows 10 Mobile
17. Update system software: Windows 10 | Windows 10, Windows 10 Mobile
18. Install applications: Windows 10 | Windows 10, Windows 10 Mobile
19. Remove Enterprise applications: Windows 10 | Windows 10, Windows 10 Mobile
20. Configure the Bluetooth trusted channel:
    a. disable/enable the Discoverable mode (for BR/EDR): Windows 10, Windows 10 Mobile
    b. change the Bluetooth device name: Windows 10 | Windows 10 Mobile
    d. disable/enable Advertising (for LE): Windows 10 | Windows 10 Mobile
21. Enable/disable display notification in the locked state: Windows 10, Windows 10 Mobile
22. Enable/disable all data signaling over [USB hardware ports]: Windows 10 | Windows 10 Mobile
23. Enable/disable [none, Assign personal Hotspot connections]: Windows 10 | Windows 10, Windows 10 Mobile
24. Enable/disable developer modes: Windows 10 | Windows 10, Windows 10 Mobile
25. Enable data-at-rest protection: Windows 10 Mobile | Windows 10
26. Enable removable media’s data-at-rest protection: Windows 10 | Windows 10
28. Wipe Enterprise data: Windows 10 | Windows 10, Windows 10 Mobile
30. Configure whether to allow a trusted channel if certificate validation is not possible: Windows 10, Windows 10 Mobile | Windows 10
31. Enable/disable the cellular protocols used to connect to cellular network base stations: Windows 10 | Windows 10 Mobile
32. Read audit logs kept by the TSF: Windows 10
33. Configure certificate used to validate digitally signed applications: Windows 10 | Windows 10, Windows 10 Mobile
34. Approve exceptions for shared use of keys/secrets by multiple applications: Windows 10 | Windows 10, Windows 10 Mobile
35. Approve exceptions for destruction of keys/secrets by other applications: Windows 10, Windows 10 Mobile | Windows 10
36. Configure the unlock banner: Windows 10 | Windows 10, Windows 10 Mobile
37. Configure the auditable items: Windows 10
38. Retrieve TSF-software integrity verification values: Windows 10, Windows 10 Mobile
39. Enable/disable [USB mass storage mode]: Windows 10 Mobile
40. Enable/disable backup to remote system: Windows 10, Windows 10 Mobile | Windows 10
44. Enable/disable location services: Windows 10 | Windows 10, Windows 10 Mobile

3 Managing Audits

This section contains the following Common Criteria SFRs:

- Audit Data Generation (FAU_GEN.1)
- Selective Audit (FAU_SEL.1)
- Extended: Audit Storage Protection (FAU_STG_EXT.1)
- Specifications of Management Functions (FMT_SMF_EXT.1)
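Reading the audit logs kept by the TSF is itself management function 32 in the table above. The following PowerShell script is an added example, not part of the Microsoft guidance, that retrieves the FAU_GEN.1 records that Table 1 in section 3.1.1 maps to Windows event IDs, plus the MDM policy event (813) that the administrative-action table uses for most IT Administrator actions. Two assumptions are marked in the comments: the guidance table prints the MDM diagnostics channel without its Microsoft-Windows- prefix, and it prints the Plug and Play channel as Kernel-PnP/Device Configuration, whereas the channel as registered on Windows 10 is Microsoft-Windows-Kernel-PnP/Configuration. Confirm either name with Get-WinEvent -ListLog before relying on the output.

```powershell
# Added example (not from the Microsoft guidance): collect FAU_GEN.1 audit records
# listed in Table 1 of section 3.1.1 for the last seven days.
# Requires an elevated session to read the Security log; that read is itself audited
# (management function 32, Security event 4673).
# Assumptions about channel names (the guidance abbreviates them):
#  - MDM diagnostics channel: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
#  - Plug and Play channel:  Microsoft-Windows-Kernel-PnP/Configuration
# The CAPI2 Operational log is disabled by default and must be enabled first:
#   wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true

$auditMap = @(
    @{ Req = 'Start-up/shutdown of audit functions, OS and kernel'
       Log = 'Security'; Id = 4608, 1100 }
    @{ Req = 'Audit records reaching the configured capacity threshold'
       Log = 'Security'; Id = 1103 }
    @{ Req = 'Insertion or removal of removable media'
       Log = 'Microsoft-Windows-Kernel-PnP/Configuration'; Id = 410 }
    @{ Req = 'Establishment of a synchronizing connection (Schannel)'
       Log = 'System'; Id = 36880 }
    @{ Req = 'Establishment of a synchronizing connection (CAPI2)'
       Log = 'Microsoft-Windows-CAPI2/Operational'; Id = 11 }
    @{ Req = 'Administrative action: MDM policy applied'
       Log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'; Id = 813 }
)

function Get-CcAuditEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    foreach ($entry in $auditMap) {
        # Warn, rather than silently skip, when a channel is absent or renamed.
        if (-not (Get-WinEvent -ListLog $entry.Log -ErrorAction SilentlyContinue)) {
            Write-Warning "Channel not found: $($entry.Log)"
            continue
        }
        $filter = @{ LogName = $entry.Log; Id = $entry.Id; StartTime = $Since }
        # "No events were found" is a non-terminating error; suppress it.
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            [pscustomobject]@{
                Requirement = $entry.Req
                Log         = $entry.Log
                Id          = $e.Id
                Time        = $e.TimeCreated
                Summary     = ($e.Message -split "`n")[0]
            }
        }
    }
}

Get-CcAuditEvents | Sort-Object Time | Format-Table -AutoSize
```

Run the script once after applying the configuration in section 1.1.1 and keep the output as evidence that each FAU_GEN.1 row actually produces records on the device; an empty result for a row that Table 1 says is audited usually means the channel is disabled (CAPI2) or the name differs from the one printed in the guidance.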


3.1 Windows 10

3.1.1 Audit Events

The following required audits are described for FAU_GEN.1:

Description | Id
Start-up and shutdown of the audit functions | Security: 4608, 1100
All administrative actions | see first table below
Startup and shutdown of the OS and kernel | Security: 4608, 1100
Insertion or removal of removable media | Microsoft-Windows-Kernel-PnP/Device Configuration: 410
Establishment of a synchronizing connection | System: 36880; Microsoft-Windows-CAPI2/Operational: 11
Specifically defined auditable events from table 10 | see second table below
Audit records reaching [assignment: integer value less than 100] percentage of audit capacity, [assignment: other auditable events derived from this profile] | Security: 1103

Table 1: FAU_GEN.1 audits (AGD1: FAU_GEN.1)

The following table correlates the set of administrative operations described in this document with their associated audits. Section FMT_SMF_EXT.1 has test procedures to produce these audits.

Administrative Action Id1. configure password policy:

a. minimum password lengthb. minimum password complexityc. maximum password lifetime

IT Administrator:DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813

Local Administrator:Security: 4739

2. configure session locking policy:a. screen-lock enabled/disabledb. screen lock timeoutc. number of authentication failures

IT Administrator:DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813

Local Administrator:

Microsoft © 2017 Page 17 of 69

Page 18: Introductiondownload.microsoft.com/download/4/C/1/4C1F4EA4-2D66-4232... · Web viewMicrosoft may have patents, patent applications, trademarks, copyrights, or other intellectual property

Windows 10 (Anniversary Update) Mobile Device PP Operational Guidance

Security: 47393. enable/disable the VPN protection:

a. across device [b. on a per-app basisc. no other method]

Security: Enable: 4651, 5451Disable: 4655

4. enable/disable [GPS, Wi-Fi, Bluetooth, mobile broadband] DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813

5. enable/disable [camera, microphone]: a. across device [

b. on a per-app basisc. no other method]

Camera (IT Administrator): DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813

Microphone (IT Administrator): DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813

Microphone (Local Administrator): Microsoft-Windows-Audio: 65

6. specify wireless networks (SSIDs) to which the TSF may connect IT Administrator:DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813

Local Administrator:Microsoft-Windows-WLAN-AutoConfig/Operational: 14001

7. configure security policy for each wireless network: a. [selection: specify the CA(s) from which the TSF will accept WLAN authentication server certificate(s), specify the FQDN(s) of

acceptable WLAN authentication server certificate(s)] b. security type c. authentication protocold. client credentials to be used for authentication

DeviceManagement-Enterprise-Diagnostics-Provider: 403

8. transition to the locked state Security: 48009. TSF wipe of protected data Success:

System: 12Failure:

Microsoft © 2017 Page 18 of 69

Page 19: Introductiondownload.microsoft.com/download/4/C/1/4C1F4EA4-2D66-4232... · Web viewMicrosoft may have patents, patent applications, trademarks, copyrights, or other intellectual property

Windows 10 (Anniversary Update) Mobile Device PP Operational Guidance

Wipe Failure Screen Windows 10 - System: 1074

10. configure application installation policy by [selection: a. restricting the sources of applications,b. specifying a set of allowed applications based on [a digital signature or application name and version] (an application whitelist),c. denying installation of applications]

IT Administrator:Microsoft-Windows-AppXDeploymentServer/Operational: 400,404 for success/failure

Local Administrator:Microsoft-Windows-AppLocker/Packaged app-Execution: 8022

11. import keys/secrets into the secure key storage Security: 505812. destroy imported keys/secrets and [[any other keys/secrets]] in the secure key storage System: 1213. import X.509v3 certificates into the Trust Anchor Database Microsoft-Windows-CAPI2/Operational:

9014. remove imported X.509v3 certificates and [[any other X.509v3 certificates]] in the Trust Anchor Database Microsoft-Windows-

CertificateServicesClient-Lifecycle-System/Operational: 1004

15. enroll the TOE in management DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 72

16. remove applications Microsoft-Windows-AppXDeploymentServer/Operational: 472

17. update system software Setup: 2, 318. install applications Microsoft-Windows-

AppXDeploymentServer/Operational 40019. remove Enterprise applications Microsoft-Windows-

AppXDeploymentServer/Operational: 47220. configure the Bluetooth trusted channel:

a. disable/enable the Discoverable mode (for BR/EDR)b. change the Bluetooth device name [selection: d. disable/enable Advertising (for LE),i. no other Bluetooth configuration]

DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813, 814


21. enable/disable display notification in the locked state of: [a. email notifications, b. calendar appointments, c. contact associated with phone call notification, d. text message notification, e. other application-based notifications, f. all notifications]
   Log: DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813

22. enable/disable all data signaling over [USB hardware ports]
   Local Administrator: Windows-Kernel-PnP: 832, 801

23. enable/disable [none, Assign personal Hotspot connections]
   Log: Microsoft-Windows-WLAN-AutoConfig/Operational: 8006

24. enable/disable developer modes
   IT Administrator: DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813
   Local Administrator: Microsoft-Windows-GroupPolicy/Operational: 1502

25. enable data-at-rest protection
   Log: System: 24667

26. enable removable media's data-at-rest protection
   Log: System: 24667

27. enable/disable bypass of local user authentication
   Log: N/A

28. wipe Enterprise data
   Log: DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 48

29. approve [import, removal] by applications of X.509v3 certificates in the Trust Anchor Database
   Log: N/A

30. configure whether to establish a trusted channel or disallow establishment if the TSF cannot establish a connection to determine the validity of a certificate
   Log: Security: 4950

31. enable/disable the cellular protocols used to connect to cellular network base stations
   Log: Microsoft-Windows-WWAN-SVC-Events/Operational: 11004

32. read audit logs kept by the TSF
   Log: Security: 4673

33. configure [certificate] used to validate digital signature on applications
   Log: Same as 13. and 14.

34. approve exceptions for shared use of keys/secrets by multiple applications
   Log: Microsoft-Windows-AppXDeploymentServer/Operational: 400

35. approve exceptions for destruction of keys/secrets by applications that did not import the key/secret
   Log: Microsoft-Windows-AppXDeploymentServer/Operational: 400


36. configure the unlock banner
   Log: Security: 4657

37. configure the auditable items
   Log: Security: 4719

38. retrieve TSF-software integrity verification values
   Log: See audit for FPT_NOT_EXT.1 (ATTEST)

39. enable/disable [selection: a. USB mass storage mode, b. USB data transfer without user authentication, USB data transfer without authentication of the connecting system]
   Log: N/A

40. enable/disable backup to [remote system]
   Log: Security: 4657

41. enable/disable [a. USB tethering authenticated by [pre-shared key, passcode, no authentication]]
   Log: N/A

42. approve exceptions for sharing data between [selection: application processes, groups of application processes]
   Log: N/A

43. place applications into application process groups based on [assignment: application characteristics]
   Log: N/A

44. enable/disable location services: a. across device [b. on a per-app basis c. no other method]
   Log: DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813

45. [none]
   Log: N/A

Table 2: Administrative Actions audits (AGD2: FAU_GEN.1) (AGD1: FAU_GEN.1)
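Several Table 2 actions are evidenced by one event for success and a different event for failure (item 9: System 12 versus 1074; item 17: Setup 2 versus 3; item 18: AppX 400 versus 404), and the event table later in this document notes that System event 12 indicates a wipe only when no earlier events precede it. The following Python is an added example, not code from this guidance or from Microsoft, showing how an evaluator could apply those rules to an exported event set. The EventRecord layout, the regular expressions over the 400/404 message text and every sample event are constructed for the illustration; the package names and the 0x80070005 error code are placeholders.

```python
"""Outcome classification for Table 2 administrative actions.

Added example (not code from the Microsoft guidance). Log names, event IDs
and message templates come from Table 2 and the event table in this
document; the record layout, the regular expressions and all sample events
are constructed for this illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

APPX_LOG = "Microsoft-Windows-AppXDeploymentServer/Operational"


@dataclass(frozen=True)
class EventRecord:
    log: str        # log location as listed in the tables ("System", "Setup", ...)
    event_id: int
    time: str       # ISO-8601 timestamp; lexicographic order equals time order
    message: str = ""


# Message templates of AppX events 400 and 404 from the event table; the
# regular expressions are an assumption about how the placeholders are filled.
_APPX_OK = re.compile(
    r"Deployment Add operation on Package (\S+) from: \((.*?)\s*\) finished successfully")
_APPX_FAIL = re.compile(
    r"AppX Deployment operation failed for package (\S+) with error (0x[0-9A-Fa-f]+)")


def _by_time(events: Iterable[EventRecord], log: str) -> List[EventRecord]:
    return sorted((e for e in events if e.log == log), key=lambda e: e.time)


def classify_wipe(events: Iterable[EventRecord]) -> str:
    """Item 9, 'TSF wipe of protected data'.

    Failure: System 1074 raised by systemreset.exe (the wipe failure screen).
    Success: System 12 (operating system started) that is the earliest System
    event on record, i.e. nothing from before the wipe survives in the log.
    """
    system = _by_time(events, "System")
    if any(e.event_id == 1074 and "systemreset.exe" in e.message for e in system):
        return "failure"
    if system and system[0].event_id == 12:
        return "success"
    return "none"


def classify_update(events: Iterable[EventRecord]) -> str:
    """Item 17, 'update system software': Setup 2 is success, Setup 3 failure.
    The most recent Setup event decides."""
    setup = [e for e in _by_time(events, "Setup") if e.event_id in (2, 3)]
    if not setup:
        return "none"
    return "success" if setup[-1].event_id == 2 else "failure"


def appx_outcomes(events: Iterable[EventRecord]) -> Dict[str, Tuple[str, str]]:
    """Item 18, 'install applications': package id -> (outcome, path or error code)."""
    result: Dict[str, Tuple[str, str]] = {}
    for e in _by_time(events, APPX_LOG):
        if e.event_id == 400:
            m = _APPX_OK.search(e.message)
            if m:
                result[m.group(1)] = ("success", m.group(2))
        elif e.event_id == 404:
            m = _APPX_FAIL.search(e.message)
            if m:
                result[m.group(1)] = ("failure", m.group(2))
    return result


# Constructed sample exports (not real device logs).
AFTER_WIPE = [
    EventRecord("System", 12, "2017-03-01T09:00:00", "The operating system started at system time 2017-03-01T09:00:00."),
    EventRecord("System", 20, "2017-03-01T09:00:05", "The last boot's success was true."),
    EventRecord("Setup", 3, "2017-03-01T10:00:00", "Windows update could not be installed because ... The data is invalid"),
    EventRecord("Setup", 2, "2017-03-01T10:30:00", "Package was successfully changed to the Installed state"),
    EventRecord(APPX_LOG, 400, "2017-03-01T11:00:00",
                "Deployment Add operation on Package Contoso.Notes_1.0.0.0_x64__placeholder from: (C:\\Pkg\\Notes.appx ) finished successfully"),
    EventRecord(APPX_LOG, 404, "2017-03-01T11:05:00",
                "AppX Deployment operation failed for package Contoso.Other_2.0.0.0_x64__placeholder with error 0x80070005. The specific error text for this failure is: Access is denied."),
]
FAILED_WIPE = [
    EventRecord("System", 20, "2017-03-01T08:00:00", "The last boot's success was true."),
    EventRecord("System", 1074, "2017-03-01T08:30:00",
                "The process C:\\Windows\\system32\\systemreset.exe has initiated the restart of computer PHONE on behalf of user PHONE\\user for the following reason: No title for this reason could be found"),
]
NORMAL_BOOT = [
    EventRecord("System", 20, "2017-03-01T08:00:00", "The last boot's success was true."),
    EventRecord("System", 12, "2017-03-01T08:30:00", "The operating system started at system time 2017-03-01T08:30:00."),
]


def summarize(events: Iterable[EventRecord]) -> Dict[str, object]:
    events = list(events)
    return {"wipe": classify_wipe(events), "update": classify_update(events), "apps": appx_outcomes(events)}


if __name__ == "__main__":
    for name, evs in (("after wipe", AFTER_WIPE), ("failed wipe", FAILED_WIPE), ("normal boot", NORMAL_BOOT)):
        print(name, summarize(evs))
```

The wipe rule is the one worth remembering: event 12 fires on every boot, so on its own it proves nothing; only an event 12 with no surviving earlier System records evidences a completed wipe, which is why the classifier inspects the oldest record rather than searching for any 12.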

Requirement Description Additional Record Contents Log: Event Id

FAU_SEL.1
   Description: All modifications to the audit configuration that occur while the audit collection functions are operating.
   Additional record contents: No additional information.
   Log: Security: 4719, 4912

FCS_CKM_EXT.1
   Description: [generation of a REK]
   Additional record contents: No additional information.
   Log: System: 1027

FCS_CKM_EXT.5
   Description: Success or failure of the wipe.
   Additional record contents: No additional information.
   Log: System: Success: 12; Failure: 1074

FCS_CKM.1(ASYM KA)
   Description: Failure of key generation activity for authentication keys.
   Additional record contents: No additional information.
   Log: Microsoft-Windows-Crypto-NCrypt/Operational: 4

FCS_HTTPS_EXT.1
   Description: Failure of the certificate validity check.
   Additional record contents: Issuer Name and Subject Name of certificate. [No additional information].
   Log: Microsoft-Windows-CAPI2/Operational: 11

FCS_RBG_EXT.1
   Description: Failure of the randomization process.
   Additional record contents: No additional information.
   Log: System: 20


FCS_STG_EXT.1
   Description: Import or destruction of key. [No other events]
   Additional record contents: Identity of key. Role and identity of requestor.
   Log: Import: Security: 5058; Destruction: System: 12

FCS_STG_EXT.3
   Description: Failure to verify integrity of stored key.
   Additional record contents: Identity of key being verified.
   Log: Microsoft-Windows-Crypto-NCrypt: 3 (Task Category: Open Key Failure)

FCS_DTLS_EXT.1
   Description: Failure of the certificate validity check.
   Additional record contents: Issuer Name and Subject Name of certificate.
   Log: Microsoft-Windows-CAPI2/Operational: 30

FCS_TLSC_EXT.1
   Description: Failure to establish an EAP-TLS session.
   Log: System: 36888; Microsoft-Windows-CAPI2/Operational: 11, 30
   Description: Establishment/termination of an EAP-TLS session.
   Log: Establishment: System: 36880; Termination: Microsoft-Windows-SChannel-Events/Perf: 1793

FCS_TLSC_EXT.2
   Description: Failure to establish a TLS session.
   Additional record contents: Reason for failure.
   Log: System: 36888; Microsoft-Windows-CAPI2/Operational: 11, 30
   Description: Failure to verify presented identifier.
   Additional record contents: Presented identifier and reference identifier.
   Log: Microsoft-Windows-CAPI2/Operational: 11
   Description: Establishment/termination of a TLS session.
   Additional record contents: Non-TOE endpoint of connection.
   Log: Establishment: System: 36880; Microsoft-Windows-CAPI2/Operational: 11; Termination: Microsoft-Windows-SChannel-Events/Perf: 1793

FDP_DAR_EXT.1
   Description: Failure to encrypt/decrypt data.
   Additional record contents: No additional information.
   Log: System: 24588

FDP_DAR_EXT.2
   Description: Failure to encrypt/decrypt data.
   Additional record contents: No additional information.
   Log: Crypto-NCrypt/Operational: 6

FDP_STG_EXT.1
   Description: Addition or removal of certificate from Trust Anchor Database.
   Additional record contents: Subject name of certificate.
   Log: Import: Microsoft-Windows-CAPI2/Operational: 90; Removal: CertificateServicesClient-Lifecycle-System/Operational: 1004

FDP_UPC_EXT.1
   Description: Application initiation of trusted channel.
   Additional record contents: Name of application. Trusted channel protocol. Non-TOE endpoint of connection.
   Log: HTTPS/TLS: System: 36880; Microsoft-Windows-CAPI2/Operational: 11. Bluetooth: System: 9

FIA_AFL_EXT.1
   Description: Excess of authentication failure limit.
   Additional record contents: No additional information.
   Log: Exceeding failure limit: Security: 4740

FIA_BLT_EXT.1
   Description: User authorization of Bluetooth device. User authorization for local Bluetooth service.
   Additional record contents: User authorization decision. Bluetooth address and name of device. Bluetooth profile. Identity of local service.
   Log: System: 9; System: 20001

FIA_BLT_EXT.2
   Description: Initiation of Bluetooth connection.
   Additional record contents: Bluetooth address and name of device.
   Log: System: 8
   Description: Failure of Bluetooth connection.
   Additional record contents: Reason for failure.
   Log: System: 16

FIA_UAU_EXT.2
   Description: Action performed before authentication.
   Additional record contents: No additional information.
   Log: N/A (no selection in Security Target)

FIA_UAU_EXT.3
   Description: User changes Password Authentication Factor.
   Additional record contents: No additional information.
   Log: Security: 4723

FIA_X509_EXT.1
   Description: Failure to validate X.509v3 certificate.
   Additional record contents: Reason for failure of validation.
   Log: Microsoft-Windows-CAPI2/Operational: 11

FIA_X509_EXT.2
   Description: Failure to establish connection to determine revocation status.
   Additional record contents: No additional information.
   Log: Microsoft-Windows-CAPI2/Operational: 11

FMT_SMF_EXT.1
   Description: Change of settings.
   Additional record contents: Role of user that changed setting. Value of new setting.
   Description: Success or failure of function.
   Additional record contents: Role of user that performed function. Function performed. Reason for failure.
   Log: See Table 2: Administrative Actions audits
   Description: Initiation of software update.
   Additional record contents: Version of update.
   Log: System: 19
   Description: Initiation of application installation or update.
   Additional record contents: Name and version of application.
   Log: Microsoft-Windows-AppXDeploymentServer/Operational: 400

FMT_SMF_EXT.2
   Description: Unenrollment.
   Additional record contents: Identity of administrator. Remediation action performed.
   Log: DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 48

FPT_AEX_EXT.4
   Description: Blocked attempt to modify TSF data.
   Additional record contents: Identity of subject. Identity of TSF data.
   Log: Security: 4656

FPT_NOT_EXT.1 (AUDIT)
   Description: [Measurement of TSF software].
   Additional record contents: [Integrity verification value].
   Log: System: 20

FPT_NOT_EXT.1 (ATTEST)
   Description: [Measurement of TSF software].
   Additional record contents: [Integrity verification value].
   Log: Attestation log file (see section "Managing Health Attestation" for more information)

FPT_TST_EXT.1
   Description: Initiation of self-test. Failure of self-test.
   Log: System: 20

FPT_TST_EXT.2
   Description: Start-up of TOE.
   Additional record contents: Boot Mode.
   Log: System: 12
   Description: [Detected integrity violations].
   Additional record contents: [The TSF code that caused the integrity violation].
   Log: Automatic Repair

FPT_TUD_EXT.2
   Description: Success or failure of signature verification for software updates.
   Log: Setup: 2, 3
   Description: Success or failure of signature verification for applications.
   Log: Microsoft-Windows-AppXDeploymentServer/Operational: 400/404 for success/failure

FTA_TAB.1
   Description: Change in banner setting.
   Additional record contents: No additional information.
   Log: Security: 4657

FTA_WSE_EXT.1
   Description: All attempts to connect to access points.
   Additional record contents: Identity of access point.
   Log: Microsoft-Windows-WLAN-AutoConfig/Operational log event: 8001, 8003

FTP_ITC_EXT.1
   Description: Initiation and termination of trusted channel.
   Additional record contents: Trusted channel protocol. Non-TOE endpoint of connection.
   Log: IPSec: Security: 4650, 4651, 5451, 4655. HTTP/TLS: System: 36880; Microsoft-Windows-CAPI2/Operational: 11; Microsoft-Windows-SChannel-Events/Perf: 1793. EAP-TLS/802.1x/802.11-2012: Microsoft-Windows-WLAN-AutoConfig/Operational: 8001, 8003

Table 3: Audits for SFRs (AGD1: FAU_GEN.1)
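Table 3 points at CAPI2 event 11 for the FCS_HTTPS_EXT.1, FIA_X509_EXT.1 and FIA_X509_EXT.2 failure records, and the event table that follows gives the element path to the leaf subject, the issuer subject and TrustStatus -> ErrorStatus, with the footnote that error 20 is an untrusted root. The following Python is an added example (not Microsoft's code) that pulls those fields out of an exported event. The XML is constructed to match the documented path and is not a real export; reading the ErrorStatus value as hexadecimal and the CERT_TRUST_* bit names other than 0x20 come from wincrypt.h rather than from this guidance; the hostnames are placeholders.

```python
"""Extract the failure detail from a CAPI2 'Build Chain' event (Id 11).

Added example, not code from the Microsoft guidance. The element path
follows the event table in this document; the sample XML is constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# CERT_TRUST_* error-status bits from wincrypt.h (not from this guidance,
# except that the guidance footnote equates error 20 with an untrusted root).
CERT_TRUST_FLAGS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x00000004: "CERT_TRUST_IS_REVOKED",
    0x00000008: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x00000010: "CERT_TRUST_IS_NOT_VALID_FOR_USAGE",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x00010000: "CERT_TRUST_IS_PARTIAL_CHAIN",
    0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}
# Bits meaning the TSF could not determine revocation status (FIA_X509_EXT.2);
# the behaviour configured under Table 2 item 30 then applies.
REVOCATION_UNKNOWN = 0x00000040 | 0x01000000


def _local(tag: str) -> str:
    """Local element name without the XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def _find(elem: Optional[ET.Element], *path: str) -> Optional[ET.Element]:
    """Walk a path of local element names, ignoring namespaces."""
    for name in path:
        if elem is None:
            return None
        elem = next((c for c in elem if _local(c.tag) == name), None)
    return elem


def parse_build_chain(xml_text: str) -> Dict[str, object]:
    root = ET.fromstring(xml_text)
    event_id = int(_find(root, "System", "EventID").text)
    if event_id != 11:
        raise ValueError("not a CAPI2 Build Chain event (Id 11)")
    time_created = _find(root, "System", "TimeCreated").get("SystemTime")
    chain = _find(root, "UserData", "CertGetCertificateChain", "CertificateChain")
    if chain is None:
        raise ValueError("CertificateChain element missing")
    # First and second Certificate elements under CertificateChain, in
    # document order, are the leaf and its issuer (per the event table).
    subjects = [e.get("subjectName") for e in chain.iter() if _local(e.tag) == "Certificate"]
    # ErrorStatus value is a hex string in CAPI2 XML (assumption; "20" == 0x20).
    error_status = int(_find(chain, "TrustStatus", "ErrorStatus").get("value"), 16)
    reasons = [name for bit, name in CERT_TRUST_FLAGS.items() if error_status & bit]
    return {
        "time": time_created,
        "leaf_subject": subjects[0] if subjects else None,
        "issuer_subject": subjects[1] if len(subjects) > 1 else None,
        "error_status": error_status,
        "reasons": reasons,
        "validation_failed": error_status != 0,
        "revocation_undetermined": bool(error_status & REVOCATION_UNKNOWN),
    }


# Constructed event matching the documented path; not a real export.
SAMPLE_EVENT_11 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" />
    <EventID>11</EventID>
    <TimeCreated SystemTime="2017-03-01T12:00:00.000000000Z" />
  </System>
  <UserData>
    <CertGetCertificateChain>
      <CertificateChain>
        <TrustStatus>
          <ErrorStatus value="20" />
          <InfoStatus value="0" />
        </TrustStatus>
        <ChainElement>
          <Certificate subjectName="mdm.example.test" />
        </ChainElement>
        <ChainElement>
          <Certificate subjectName="Example Issuing CA (constructed)" />
        </ChainElement>
      </CertificateChain>
    </CertGetCertificateChain>
  </UserData>
</Event>"""

# Same event with a revocation-check failure instead of an untrusted root.
SAMPLE_EVENT_11_REVOCATION = SAMPLE_EVENT_11.replace('value="20"', 'value="1000040"')

if __name__ == "__main__":
    print(parse_build_chain(SAMPLE_EVENT_11))
    print(parse_build_chain(SAMPLE_EVENT_11_REVOCATION))
```

The two derived flags are what an evaluator actually wants to sort on: validation_failed separates genuine FIA_X509_EXT.1 failures from the successful chain builds that also log event 11 during establishment, and revocation_undetermined isolates the FIA_X509_EXT.2 case where the decision taken depends on the item 30 setting.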
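For FCS_TLSC_EXT.2 and FTP_ITC_EXT.1, Table 3 splits one trusted channel across three logs: System 36880 or 36888 for the handshake outcome, Microsoft-Windows-CAPI2/Operational 11 for the non-TOE endpoint and the validation reason, and Microsoft-Windows-SChannel-Events/Perf 1793 for termination. The following Python is an added example (not from this guidance) that stitches those records into per-session entries. Because none of these events carries a connection identifier, it assumes the chain build immediately precedes the handshake result (a five-second window) and that a termination closes the oldest open session; the record layout and the sample events are constructed.

```python
"""Reconstruct TLS trusted-channel sessions from the Table 3 events.

Added example, not code from the Microsoft guidance. Event IDs and log names
are from Table 3; the pairing rules and sample events are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

CAPI2_LOG = "Microsoft-Windows-CAPI2/Operational"
PERF_LOG = "Microsoft-Windows-SChannel-Events/Perf"
TLS_ESTABLISHED, TLS_FAILED, TLS_TERMINATED = 36880, 36888, 1793


@dataclass(frozen=True)
class Ev:
    log: str
    event_id: int
    time: str                 # ISO-8601 (constructed)
    subject: str = ""         # CAPI2 11: leaf certificate subject name
    error_status: int = 0     # CAPI2 11: TrustStatus -> ErrorStatus


@dataclass
class Session:
    opened: str
    endpoint: str = ""
    status: str = "established"   # established | terminated | failed
    closed: Optional[str] = None
    error_status: int = 0


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def reconstruct_sessions(events: List[Ev], window_s: float = 5.0) -> List[Session]:
    """Pair each Schannel outcome with the CAPI2 chain build that preceded it."""
    sessions: List[Session] = []
    open_sessions: List[Session] = []
    last_chain: Optional[Ev] = None
    for e in sorted(events, key=lambda e: e.time):
        if e.log == CAPI2_LOG and e.event_id == 11:
            last_chain = e
        elif e.log == "System" and e.event_id in (TLS_ESTABLISHED, TLS_FAILED):
            s = Session(opened=e.time)
            # Assumption: the chain build within the window belongs to this handshake.
            if last_chain and (_t(e.time) - _t(last_chain.time)).total_seconds() <= window_s:
                s.endpoint = last_chain.subject
                s.error_status = last_chain.error_status
                last_chain = None
            if e.event_id == TLS_FAILED:
                s.status = "failed"
                s.closed = e.time
            else:
                open_sessions.append(s)
            sessions.append(s)
        elif e.log == PERF_LOG and e.event_id == TLS_TERMINATED and open_sessions:
            # Assumption: FIFO pairing, since 1793 carries no connection id.
            s = open_sessions.pop(0)
            s.status = "terminated"
            s.closed = e.time
    return sessions


def unexplained_failures(sessions: List[Session]) -> List[Session]:
    """Failed handshakes with no certificate-validation error to explain them;
    the reason then has to come from the 36888 record itself."""
    return [s for s in sessions if s.status == "failed" and s.error_status == 0]


# Constructed sample (not a real export): one clean session, one handshake
# rejected because of an untrusted root, one failure with no chain build near it.
SAMPLE_TLS_EVENTS = [
    Ev(CAPI2_LOG, 11, "2017-03-01T12:00:00", subject="mdm.example.test"),
    Ev("System", TLS_ESTABLISHED, "2017-03-01T12:00:01"),
    Ev(PERF_LOG, TLS_TERMINATED, "2017-03-01T12:05:00"),
    Ev(CAPI2_LOG, 11, "2017-03-01T12:10:00", subject="untrusted.example.test", error_status=0x20),
    Ev("System", TLS_FAILED, "2017-03-01T12:10:01"),
    Ev("System", TLS_FAILED, "2017-03-01T12:20:00"),
]

if __name__ == "__main__":
    for s in reconstruct_sessions(SAMPLE_TLS_EVENTS):
        print(s)
```

When applying this to a real export, the window and the FIFO rule are the two places to challenge: a device talking to several endpoints at once will interleave 36880 and 1793 records, and only the CAPI2 subject names let you tell the sessions apart.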

Id Log location Message Fields

Id: 2
   Log: Setup
   Message: Package was successfully changed to the Installed state
   Fields: Logged: <Date and time of event>; PackageIdentifier: <KB package Id>; ErrorCode: <success outcome indicated by 0x0>

Id: 3
   Log: Setup
   Message: Windows update could not be installed because … "The data is invalid"
   Fields: Logged: <Date and time of event>; Commandline: <KB package Id>; ErrorCode: <value>

Id: 3
   Log: Microsoft-Windows-Crypto-NCrypt
   Message: Open key operation failed
   Fields: Logged: <Date and time of event>; Provider Name: <Key storage provider name>; Key Name: <Unique name for key>

Id: 4
   Log: Microsoft-Windows-Crypto-NCrypt/Operational
   Message: Create key operation failed
   Fields: Logged: <Date and time of event>; Provider Name: <Key storage provider name>; Key Name: <Unique name for key>; Algorithm Name: <Key algorithm name>

Id: 6
   Log: Microsoft-Windows-Crypto-NCrypt/Operational
   Message: Unprotect Key operation failed
   Fields: Logged: <Date and time of event>; KeyId: <Unique Id for key>

Id: 8
   Log: System (Source: BTHUSB)
   Message: The remote adapter <remote bluetooth radio address> was successfully paired with the local adapter.
   Fields: Logged: <Date and time of event>; EventData: <remote bluetooth radio address>

Id: 9
   Log: System (Source: BTHUSB)
   Message: The remote adapter <remote bluetooth radio address> was added to the list of personal devices.
   Fields: Logged: <Date and time of event>; EventData: <remote bluetooth radio address>

Id: 11
   Log: Microsoft-Windows-CAPI2/Operational
   Message: Build Chain
   Fields: System/TimeCreated/SystemTime: <Date and time of event>; Subject name of the leaf certificate is the first instance of the following path: UserData/CertGetCertificateChain/CertificateChain/Certificate subjectName: <subject name in client certificate>; Subject name of the issuing certificate is the second instance of the following path: UserData/CertGetCertificateChain/CertificateChain/ChainElement/Certificate <issuer of leaf certificate as subject name in chained certificate>; TrustStatus -> ErrorStatus: <Error code> [1]

Id: 12
   Log: System (Source: Kernel-General)
   Message: The operating system started at system time <time>.
   Fields: Logged: <Date and time of OS startup>
   Note: This event, with no other earlier events, indicates a wipe has occurred.

Id: 16
   Log: System (Source: BTHUSB)
   Message: The mutual authentication between the local Bluetooth adapter and a device with Bluetooth adapter address <device address> failed.
   Fields: Logged: <Date and time of event>; Data: <remote device address>

Id: 19
   Log: System (Source: WindowsUpdateClient)
   Message: Installation Successful: Windows successfully installed the following update: <app/update name>
   Fields: Logged: <Date and time of event>; Security ID: <SID of user account that installed the app>; updateTitle: <app/update name>; updateGuid: <app/update Guid>; serviceGuid: <app/service GUID>; updateRevisionNumber: <app version>

Id: 20
   Log: System (Source: Kernel-Boot)
   Message: The last boot's success was <LastBootGood event data>.
   Fields: Logged: <Date and time of event>; LastBootGood: <Outcome as true or false indicating if the kernel-mode cryptographic self-tests and RNG initialization succeeded or failed>

Id: 21
   Log: System (Source: Kernel-Boot)
   Message: The OS loader advanced options menu was displayed and the user selected option <boot mode>
   Fields: Logged: <Date and time of event>; OptionSelected: <auxiliary boot mode>
   Note: this event is recorded if the operating system was started in an auxiliary boot mode, whereas its absence indicates the operating system started in normal boot mode.

Id: 30
   Log: Microsoft-Windows-CAPI2/Operational
   Message: Verify Chain Policy
   Fields: System -> TimeCreated -> SystemTime: <Date and time of event>; UserData -> CertVerifyCertificateChainPolicy -> Certificate -> subjectName: <certificate subject name>; UserData -> CertVerifyCertificateChainPolicy -> Result -> value: <error code>

Id: 48
   Log: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
   Message: MDM Unenroll: Unenroll event sent to server
   Fields: Logged: <Date and time of event>; Security UserID: <SID of user account that initiated enrolling TOE>

[1] Error 20 indicates an untrusted root in the certificate chain.


Id: 65
   Log: Microsoft-Windows-Audio/Operational
   Message: MMDevAPI: Audio device state changed
   Fields: Logged: <Date and time of event>; OpCode: <operational code>

Id: 72
   Log: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
   Message: MDM Enroll: Succeeded
   Fields: Logged: <Date and time of event>; Security UserID: <SID of user account that initiated enrolling TOE>

Id: 90
   Log: Microsoft-Windows-CAPI2/Operational
   Message: <un-named>
   Fields: Logged: <Date and time of event>; Security UserID: <SID of user account that imported the certificate/secrets>; Subject: <Certificate subject name, CN, etc.>

Id: 400
   Log: Microsoft-Windows-AppXDeployment-Server-Microsoft-Windows-AppXDeployment-Server/Operational
   Message: Deployment Add operation on Package <package Id> from: (<.appx pathname>) finished successfully
   Fields: Logged: <Date and time of event>; <package Id>

Id: 403
   Log: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
   Message: MDM ConfigurationManager: CSP Allow check.
   Fields: Logged: <Date and time of event>; URI: <indicates policy change: WiFi or Lock Screen Wallpaper>; Allowed: <enable = 0x1, disable = 0x0>

Id: 404
   Log: Microsoft-Windows-AppXDeployment-Server-Microsoft-Windows-AppXDeployment-Server/Operational
   Message: AppX Deployment operation failed for package <app package identity> with error <error code>. The specific error text for this failure is: <failure text>.
   Fields: Logged: <Date and time of event>; <package Id>

Id: 410
   Log: Microsoft-Windows-Kernel-PnP/Device Configuration
   Message: Device <DeviceInstanceId> was started
   Fields: Logged: <Date and time of event>; User: <user identity>; DeviceInstanceId: <Device path and volume GUID of inserted removable media>

Id: 472
   Log: Microsoft-Windows-AppXDeployment-Server-Microsoft-Windows-AppXDeployment-Server/Operational
   Message: Moving package folder <%program files location%\<package Id> to <%deleted program files location%\<package Id>. Result: <status code>
   Fields: Logged: <Date and time of event>; Security ID: <SID of user account that installed the app>; SourceFolderPath: <%program files location%\<package Id>; DestinationFolderPath: <%deleted program files location%\<package Id>

Id: 801
   Log: Microsoft-Windows-Kernel-PnP/Device Configuration
   Message: Processing device <device>.
   Fields: TimeCreated: <Date and time of event>

Id: 813
   Log: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
   Message: MDM PolicyManager
   Fields: Logged: <Date and time of event>; Policy: <policy applied>

Id: 814
   Log: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
   Message: MDM PolicyManager
   Fields: Logged: <Date and time of event>; Policy: <policy applied>


Id: 832
   Log: Microsoft-Windows-Kernel-PnP/Device Configuration
   Message: End removal of <device>.
   Fields: TimeCreated: <Date and time of event>

Id: 1004
   Log: Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
   Message: A certificate has been deleted
   Fields: Logged: <Date and time of event>; UserID: <SID of user account that deleted the certificate/secrets>; SubjectNames: <Deleted certificate subject name>; Thumbprint: <Deleted certificate thumbprint>; NotValidAfter: <Deleted certificate expiration date>

Id: 1006
   Log: Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
   Message: A new certificate has been installed.
   Fields: Logged: <Date and time of event>; Subject: <Certificate subject name, CN, etc.>; Thumbprint: <Certificate thumbprint>

Id: 1015
   Log: Applications and Services Logs-Microsoft-Windows-Wcmsvc-Operational
   Message: Interface token applied
   Fields: Logged: <Date and time of event>; Security ID: <SID of user account that deleted the certificate/secrets>; Media type: <indication of broadband (Wwan) or WiFi (Wlan)>; AutoProfiles: <indication of added or removed action (blank if removed, else name of Wwan or Wlan profile)>

Id: 1027
   Log: System (Source: TPM-WMI)
   Message: The Ownership of the Trusted Platform Module (TPM) hardware on this computer was successfully taken (TPM TakeOwnership command) by the system
   Fields: Logged: <Date and time of event>; Keywords: <Outcome as Success>

Id: 1074
   Log: System (Source: User32)
   Message: The process <system32 path>\systemreset.exe has initiated the restart of computer <computer name> on behalf of user <user name> for the following reason: No title for this reason could be found. Reason Code: 0x20001
   Fields: Logged: <Date and time of event>; User: <SID of user that started the reset>

Id: 1100
   Log: Security (Subcategory: Security State Change)
   Message: The event logging service has shut down
   Fields: Logged: <Date and time of event>; Keywords: <Outcome as Success>

Id: 1103
   Log: Security
   Message: The security audit log is now <the configured value> percent full.
   Fields: Logged: <Date and time of event>; Keywords: <Outcome as Success>

Id: 1104
   Log: System
   Message: The security audit log is full.
   Fields: Logged: <Date and time of event>; Keywords: <Outcome as Success>

Id: 1502
   Log: Microsoft-Windows-GroupPolicy/Operational
   Message: The Group Policy settings for the computer were processed successfully. New settings from 1 Group Policy objects were detected and applied.
   Fields: Logged: <Date and time of event>

Id: 1793
   Log: Microsoft-Windows-SChannel-Events/Perf
   Message: <This event indicates that the TLS connection was terminated>
   Fields: Logged: <Date and time of event>

Id: 4502
   Log: System (Source: ResetEng)
   Message: Attempt to restore the system to original condition has failed. Changes to the system have been undone.
   Fields: Logged: <Date and time of event>; Keywords: <Outcome as Success or Failure>

Id: 4608
   Log: Security (Subcategory: Security State Change)
   Message: Startup of audit functions
   Fields: Logged: <Date and time of event>; Task category: <type of event>; Keywords: <Outcome as Success or Failure>

Id: 4624
   Log: Security (Subcategory: Logon)
   Message: An account was successfully logged on.
   Fields: Logged: <Date and time of event>; Security ID: <SID of enabled user account>; Account Name: <name of enabled account>; Account Domain: <domain of enabled account if applicable, otherwise computer>; Workstation Name: <name of computer user logged on>; Logon Type: <type of logon (e.g. interactive)>; LogonID: <unique logon identification>; Source Network Address: <IP address of computer logged on>

Id: 4650
   Log: Security (Subcategory: IPsec Main Mode)
   Message: IPsec main mode security association was established. Certificate authentication was not used.
   Fields: Logged: <Date and time of event>; Task category: <type of event>; Local Endpoint: <Subject identity as IP address>; Remote Endpoint: <Subject identity as IP address of non-TOE endpoint of connection>; Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>; Local Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint>; Remote Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint>; Cryptographic Information: <The entry in the SPD that applied to the decision as MM SA Id and cryptographic parameters established in the SA>; Keywords: <Outcome as Success>

Id: 4651
   Log: Security (Subcategory: IPsec Main Mode)
   Message: IPsec main mode security association was established. A certificate was used for authentication.
   Fields: Logged: <Date and time of event>; Task category: <type of event>; Local Endpoint: <Subject identity as IP address>; Remote Endpoint: <Subject identity as IP address of non-TOE endpoint of connection>; Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>; Local Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint>; Remote Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint>; Cryptographic Information: <The entry in the SPD that applied to the decision as MM SA Id and cryptographic parameters established in the SA>; Keywords: <Outcome as Success>

Id: 4655
   Log: Security (Subcategory: IPsec Main Mode)
   Message: IPsec main mode security association ended
   Fields: Logged: <Date and time of event>; Task category: <type of event>; Local Endpoint: <Subject identity as IP address/port>; Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection/channel>; Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>; Keywords: <Outcome as Success>

Id: 4656
   Log: Security (Subcategory: Handle Manipulation)
   Message: A handle to an object was requested.
   Fields: Logged: <Date and time of event>; Security ID: <SID of locked account>; Object Name: <Pathname of the object changed>; Access Mask: <Access requested>; Accesses: <Access granted (for success event) or denied (for failure event)>; Keywords: <Outcome as Success or Failure>

Id: 4657
   Log: Security (Subcategory: Registry)
   Message: Registry entry change
   Fields: Logged: <Date and time of event>; Task category: <type of event>; Security ID: <user identity>; Object name: <key path>; Change Information: <old and new registry values>; Keywords: <Outcome as Success or Failure>

Id: 4673
   Log: Security (Subcategory: Sensitive Privilege Use / Non Sensitive Privilege Use)
   Message: A privileged service was called.
   Fields: Logged: <Date and time of event>; Security ID: <SID of user account that viewed the log>; Account Name: <user account name that viewed the log>; Account Domain: <domain of user account that viewed the log>; Keywords: <Outcome as Success>

Id: 4719
   Log: Security (Subcategory: Audit Policy Change)
   Message: System audit policy was changed
   Fields: Logged: <Date and time of event>; Security ID: <Subject user identity>; Account Name: <Subject account name>; Account Domain: <Subject account domain>; Login ID: <Subject login Id>; Task category: <category of audit>; Task Subcategory: <subcategory of audit>; Subcategory GUID: <subcategory GUID name>; Changes: <Changes>; Keywords: <Outcome as Success or Failure>

Id: 4723
   Log: Security (Subcategory: User Account Management)
   Message: An attempt was made to change an account's password.
   Fields: Logged: <Date and time of event>; Security ID: <user identity>; Keywords: <Outcome as Success or Failure>

Id: 4739
   Log: Security (Subcategory: Authentication Policy Change)
   Message: Domain Policy was changed.
   Fields: Logged: <Date and time of event>; Security ID: <SID of user account making audit policy change>; Account Name: <name of user account making audit policy change>; Account Domain: <domain of user account making audit policy change if applicable, otherwise computer>; Task Category: <Audit subcategory that was changed.>; Changed Attributes: <Change to audit policy.>

Id: 4740
   Log: Security (Subcategory: User Account Management)
   Message: A user account was locked out
   Fields: Logged: <Date and time of event>; Security ID: <SID of locked account>; Account Name: <name of locked account>; Account Domain: <domain of locked account>

Id: 4800
   Log: Security (Subcategory: Logoff)
   Message: The workstation was locked.
   Fields: Logged: <Date and time of event>; Security UserID: <SID of logon user>; Account Name: <name of logon account>; Account Domain: <domain of logon account>

Id: 4801
   Log: Security (Subcategory: Logon)
   Message: The workstation was unlocked.
   Fields: Logged: <Date and time of event>; Security ID: <SID of logon user>; Account Name: <name of logon account>; Account Domain: <domain of logon account>

Id: 4912
   Log: Security (Subcategory: Audit Policy Change)
   Message: Per-user Audit Policy was changed
   Fields: Logged: <Date and time of event>; Security ID: <Subject user identity>; Account Name: <Subject account name>; Account Domain: <Subject account domain>; Login ID: <Subject login Id>; Policy Change Details: <Changes>; Policy For Account: <SID of user account for policy change>; Keywords: <Outcome as Success or Failure>

Id: 4950
   Log: Security (Subcategory: MPSSVC Rule-Level Policy Change)
   Message: A Windows Firewall setting has changed.
   Fields: Logged: <Date and time of event>; Value: <new configuration setting value>

Id: 5058
   Log: Security (Subcategory: System Integrity)
   Message: Key file operation
   Fields: Logged: <Date and time of event>; Task category: <type of event>; Subject: <Security ID, Account Name/Domain>; Cryptographic Parameters: <Key Name/Type>; Key file operation information: <Filepath, operation, return code>

Id: 5447
   Log: Security (Subcategory: Other Policy Change Events)
   Message: Windows Filtering Platform filter has been changed
   Fields: Logged: <Date and time of event>; Task category: <type of event>; Change type: <Operation as add, change or delete>; Filter ID: <Filter Id as GUID>; Filter Name: <Filter identifier as text-based name>; Layer ID: <Layer Id as GUID>; Layer Name: <Layer identifier as text-based name>; Additional Information: <Filter conditions>

Id: 5450
   Log: Security (Subcategory: Filtering Platform Policy Change)
   Message: Windows Filtering Platform sub-layer has been changed
   Fields: Logged: <Date and time of event>; Task category: <type of event>; Change type: <Operation as add, change or delete>; Sub-layer ID: <Sub-layer Id as GUID>; Sub-layer Name: <Sub-layer identifier as text-based name>

Id: 5451
   Log: Security (Subcategory: IPsec Quick Mode)
   Message: IPsec quick mode security association was established
   Fields: Logged: <Date and time of event>; Task category: <type of event>; Local Endpoint: <Subject identity as IP address/port>; Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection>; Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>; Cryptographic Information: <The entry in the SPD that applied to the decision as MM SA Id, QM SA Id, Inbound SPI, Outbound SPI and cryptographic parameters established in the SA>; Keywords: <Outcome as Success>

Id: 5038
   Log: Security (Subcategory: System Integrity)
   Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
   Fields: Logged: <Date and time of event>; Task category: <type of event>; File Name: <file failing integrity check>

Id: 5446
   Log: Security (Subcategory: Filtering Platform Policy Change)
   Message: Windows Filtering Platform callout has been changed
   Fields: Logged: <Date and time of event>; Task category: <type of event>; Change type: <Operation as add, change or delete>; Callout ID: <Callout identifier as GUID>; Callout Name: <Callout identifier as text-based name>; Layer ID: <Layer identifier as GUID>; Layer Name: <Layer identifier as text-based name>; Keywords: <Outcome as Success or Failure>

Id: 8000
   Log: Microsoft-Windows-WLAN-AutoConfig/Operational
   Message: WLAN AutoConfig service started a connection to a wireless network
   Fields: Logged: <Date and time of event>; Network Adapter: <adapter device name>

Id: 8001
   Log: Microsoft-Windows-WLAN-AutoConfig/Operational
   Message: WLAN AutoConfig service has successfully connected to a wireless network
   Fields: Logged: <Date and time of event>; SSID: <Wireless network name> (non-TOE endpoint of connection); Authentication: WPA2-Enterprise (protocol)


Id: 8002
   Log: Microsoft-Windows-WLAN-AutoConfig/Operational
   Message: WLAN AutoConfig service failed to connect to a wireless network
   Fields: Logged: <Date and time of event>; SSID: <Wireless network name> (non-TOE endpoint of connection)

Id: 8003
   Log: Microsoft-Windows-WLAN-AutoConfig/Operational
   Message: WLAN AutoConfig service has successfully disconnected from a wireless network
   Fields: Logged: <Date and time of event>; Interface GUID: <network adapter identification>; SSID: <SSID name>

Id: 8006
   Log: Microsoft-Windows-WLAN-AutoConfig/Operational
   Message: WLAN AutoConfig service has finished starting the hosted network.
   Fields: Logged: <Date and time of event>; Interface GUID: <network adapter identification>; SSID: <SSID name>

Id: 8022
   Log: Microsoft-Windows-AppLocker/Packaged app-Execution
   Message: <appl> was prevented from running.
   Fields: Logged: <Date and time of event>

Id: 11001
   Log: Microsoft-Windows-WLAN-AutoConfig/Operational
   Message: Wireless network association succeeded
   Fields: Logged: <Date and time of event>; Network Adapter: <adapter device name>; Local MAC address: <Wi-Fi address>

Id: 11004
   Log: Microsoft-Windows-WWAN-SVC-Events/Operational
   Message: Received ContextState
   Fields: Logged: <Date and time of event>; Action: <WwanRadioOff or WwanRadioOn>

Id: 11004
   Log: Microsoft-Windows-WLAN-AutoConfig/Operational
   Message: Wireless security stopped
   Fields: Logged: <Date and time of event>; Network Adapter: <adapter device name>; Local MAC address: <Wi-Fi address>

Id: 11010
   Log: Microsoft-Windows-WLAN-AutoConfig/Operational
   Message: Wireless Security Started
   Fields: Logged: <Date and time of event>; Network Adapter: <enabled adapter name>; Local MAC Address: <enabled adapter MAC address>

Id: 14001
   Log: Microsoft-Windows-WLAN-AutoConfig/Operational
   Message: New Wireless Network Policy
   Fields: Logged: <Date and time of event>; Applied Settings: <WiFi configuration settings>

Id: 20001
   Log: System (Source: UserPnP)
   Message: Driver Manager concluded the process to install driver <driver name> for Device Instance ID <ID value include device address>
   Fields: Logged: <Date and time of event>; Security UserID: <SID of user>; DeviceInstanceID: <instance ID (including remote device address)>; SetupClass: <Bluetooth service/profile GUID>

Id: 24579
   Log: System (Source: Bitlocker-Driver)
   Message: Encryption of volume <drive letter>: completed
   Fields: Logged: <Date and time of event>; Security UserID: <SID of user account that installed the app>; Volume: <encrypted volume letter>

Id: 24588
   Log: System (Source: Bitlocker-Driver)
   Message: The conversion operation on volume <drive letter> encountered a bad sector error.
   Fields: Logged: <Date and time of event>; Volume: <encrypted volume letter>

Microsoft © 2017 Page 34 of 69

Page 35: Introductiondownload.microsoft.com/download/4/C/1/4C1F4EA4-2D66-4232... · Web viewMicrosoft may have patents, patent applications, trademarks, copyrights, or other intellectual property

Windows 10 (Anniversary Update) Mobile Device PP Operational Guidance

24667 SystemSource: BitLocker-Driver

BitLocker finalization sweep completed for volume <drive letter>.

Logged: <Date and time of event>Volume: <encrypted volume letter>

36880 SystemSource: Schannel

An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows.

Logged: <Date and time of event>Protocol: <TLS protocol>CipherSuite: <cypher suite>

36888 SystemSource: Schannel

A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is %1.

Logged: <Date and time of event>Reason for failureProtocol: <TLS protocol error code>

The following are the possible error codes:Description Error Code ValueUnexpected message 10Bad record MAC 20Record overflow 22Decompression fail 30Handshake failure 40Illegal parameter 47Unknown CA 48Access denied 49Decode error 50Decrypt error 51Protocol version 70Insufficient security 71Internal error 80Unsupported extension 110

Automatic Repair

%windir%\system32\logfiles\srt\strtrail.txt

Startup Repair diagnosis and repair log Logged: <Date and time of file>Boot critical file: <name of critical boot file indicated as corrupted>

Wipe Failure Screen

Display There was a problem resetting your PC. No changes were made.

On logon a message is displayed to the user indicating that the recovery operation of the system failed.

Bitlocker recovery

Display Bitlocker recovery On startup a message is displayed requesting the Bitlocker recovery key

Table 4: Audit (AGD1: FAU_GEN.1) (AGD3: FAU_GEN.1)

3.2 Managing Audit Policy (AGD1: FAU_SEL.1) (AGD2: FAU_SEL.1)

3.2.1 Windows 10

3.2.1.1 Local Administrator Guidance

The following log locations are always enabled (AGD3: FAU_SEL.1):

- System
- Setup
- Security (for startup and shutdown of the audit functions and of the OS and kernel, and clearing the audit log)

The following TechNet topic describes the categories of audits in the Security log:

Advanced Audit Policy Configuration: http://technet.microsoft.com/en-us/library/jj852202(v=ws.10).aspx

The following TechNet topic describes how to select audit policies by category, user and audit success or failure in the Security log:

Auditpol set: https://technet.microsoft.com/en-us/library/cc755264.aspx

For example, to enable all audits in the given subcategories of the Security log, run the following commands at an elevated command prompt (the subcategory name must be enclosed in straight double quotes with no leading space):

Logon operations:
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

Audit policy changes:
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable

IPsec operations:
auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable

Configuring IKEv1 and IKEv2 connection properties:
auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Other Policy Change Events" /success:enable /failure:enable

Registry changes (for example, modifying TLS cipher suite priority):
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

In addition to enabling the audit policy as noted above, each registry key to be audited must also have an auditing entry (SACL) set on it. This is done as follows:

1. Start the registry editor tool by executing the command regedit.exe as an administrator.
2. Navigate to the registry path for the key that should be audited, right-click the key's node and select Permissions... on the key's context menu to open the Permissions dialog.
3. Click the Advanced button to open the Advanced Security Settings dialog, click on the Auditing tab and click the Add button to open the Auditing Entry dialog.
4. Click Select a principal to open the Select User or Group dialog, select a user or group (e.g. Administrator) and click the OK button.
5. Choose the desired audits using the Type, Applies to and Basic Permissions attributes and click OK.
6. Click OK on the Advanced Security Settings dialog.
7. Click OK on the Permissions dialog.

The following is the list of registry keys that must be audited:

HKEY_LOCAL_MACHINE\Software\Microsoft\PolicyManager
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SettingSync\DisableSettingSync
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
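The following PowerShell script is an added example and is not part of the Microsoft guidance. It performs the two steps above in one pass: it enables the listed Security-log subcategories with auditpol.exe, then attaches an audit entry (SACL) to each of the four registry keys, which the regedit procedure does one key at a time. It assumes an elevated PowerShell session. The choice of Everyone as the audited principal and of the audited rights is the example's own; DisableSettingSync is a value under the SettingSync key rather than a subkey, so the SACL is placed on the containing key.

```powershell
# Added example: enable the audit subcategories named in the guidance and put a
# SACL on each required registry key. Run in an elevated PowerShell session;
# writing a SACL needs SeSecurityPrivilege, which an elevated administrator holds.

$subcategories = @(
    'Logon', 'Audit Policy Change',
    'IPsec Main Mode', 'IPsec Quick Mode',
    'Filtering Platform Policy Change', 'Other Policy Change Events',
    'Registry'
)
foreach ($sub in $subcategories) {
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$sub'" }
}

# Keys from the guidance in PowerShell drive notation. DisableSettingSync is a
# value under the SettingSync key, not a subkey, so the SACL goes on SettingSync.
$auditedKeys = @(
    'HKLM:\Software\Microsoft\PolicyManager',
    'HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions',
    'HKLM:\Software\Policies\Microsoft\Windows\SettingSync',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

# Audit Everyone (this example's choice) for the operations that change policy:
# writing values, creating or deleting subkeys, deleting the key, changing its
# security. Success and failure are both recorded and inherited by subkeys.
$everyone = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
    -ArgumentList ([System.Security.Principal.WellKnownSidType]::WorldSid, $null)
$rights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
          [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
          [System.Security.AccessControl.RegistryRights]::Delete -bor
          [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
          [System.Security.AccessControl.RegistryRights]::TakeOwnership
$auditFlags = [System.Security.AccessControl.AuditFlags]::Success -bor
              [System.Security.AccessControl.AuditFlags]::Failure
$auditRule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule `
    -ArgumentList $everyone, $rights,
                  [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
                  [System.Security.AccessControl.PropagationFlags]::None,
                  $auditFlags

foreach ($key in $auditedKeys) {
    # Policy keys may not exist until a policy has been written; create the
    # empty key so the SACL has somewhere to live.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $acl = Get-Acl -Path $key -Audit
    $acl.AddAuditRule($auditRule)
    Set-Acl -Path $key -AclObject $acl
}

# Verify: the subcategory must report "Success and Failure" and every key must
# carry at least one audit entry.
& auditpol.exe /get /subcategory:"Registry"
foreach ($key in $auditedKeys) {
    $entries = (Get-Acl -Path $key -Audit).Audit
    '{0}: {1} audit entries' -f $key, $entries.Count
}
```

Once both halves are in place, a change to any of these keys produces a Security-log event in the Registry subcategory; the SACL alone records nothing if the subcategory is off, and the subcategory alone records nothing for keys without a SACL.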

To enable/disable TLS and DTLS event logging in the System Event Log, browse to the following link and see How to enable Schannel event logging:

https://technet.microsoft.com/en-us/library/Dn786445.aspx

To enable/disable event logging in the Application and Services Logs, see the following link describing how to enumerate the log names (see footnote 2) and set their security descriptor and enabled state:

Wevtutil: http://technet.microsoft.com/en-us/library/cc732848.aspx

To view audit logs, see the following links (AGD1: FMT_SMF_EXT.1(32)):

2 “Log Location” log names shown in the table above correlate with the names enumerated by Wevtutil utility (which requires a quoted name using hyphens rather than spaces).

Get-EventLog: http://technet.microsoft.com/en-us/library/hh849834.aspx
Get-WinEvent: https://technet.microsoft.com/en-us/library/hh849682.aspx?f=255&MSPPError=-2147217396
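The following PowerShell function is an added example, not part of the Microsoft guidance. It uses Get-WinEvent with filter hashtables to pull the Table 4 events that matter most for the evaluated configuration (Schannel handshakes and fatal alerts, BitLocker conversion, WFP policy changes, Wi-Fi connect/disconnect) and decodes the 36888 alert code with the error-code table from Table 4. The assumption that the first EventData property of a 36888 event is the %1 alert code follows from the message template quoted in Table 4; the function name and the one-week window are the example's own.

```powershell
# Added example: collect the evaluated-configuration events from Table 4 and
# decode the Schannel fatal alert code with the table from the guidance.
# Reading the Security log requires an elevated session.

$alertNames = @{
    10 = 'Unexpected message';  20 = 'Bad record MAC';       22 = 'Record overflow'
    30 = 'Decompression fail';  40 = 'Handshake failure';    47 = 'Illegal parameter'
    48 = 'Unknown CA';          49 = 'Access denied';        50 = 'Decode error'
    51 = 'Decrypt error';       70 = 'Protocol version';     71 = 'Insufficient security'
    80 = 'Internal error';     110 = 'Unsupported extension'
}

function Get-EvaluatedConfigEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    # One filter hashtable per log, restricted to the IDs the guidance maps to SFRs.
    $filters = @(
        @{ LogName = 'System';   ProviderName = 'Schannel'; Id = 36880, 36888; StartTime = $Since },
        @{ LogName = 'System';   Id = 24579, 24588, 24667; StartTime = $Since },   # BitLocker-Driver
        @{ LogName = 'Security'; Id = 5447, 5450; StartTime = $Since },            # WFP policy change
        @{ LogName = 'Microsoft-Windows-WLAN-AutoConfig/Operational'
           Id = 8001, 8002, 8003, 11001; StartTime = $Since }
    )

    foreach ($f in $filters) {
        # Get-WinEvent raises a non-terminating error when nothing matches; treat that as "no events".
        $events = Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $detail = switch ($e.Id) {
                36888 {
                    # %1 in the 36888 template is the TLS alert code; assumed to be the
                    # first EventData property (matches the template quoted in Table 4).
                    $code = [int]$e.Properties[0].Value
                    $name = if ($alertNames.ContainsKey($code)) { $alertNames[$code] } else { 'not in table' }
                    "TLS fatal alert $code ($name)"
                }
                36880 {
                    # Pull protocol and suite from the rendered message rather than by
                    # property index, since the template layout varies between builds.
                    $proto = if ($e.Message -match 'Protocol(?: version)?:\s*(\S+)') { $Matches[1] } else { '?' }
                    $suite = if ($e.Message -match 'CipherSuite:\s*(\S+)')            { $Matches[1] } else { '?' }
                    "TLS handshake OK: protocol=$proto suite=$suite"
                }
                default { ($e.Message -split "`r?`n")[0] }   # first line of the rendered message
            }
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Log         = $e.LogName
                Id          = $e.Id
                Detail      = $detail
            }
        }
    }
}

# Anything that should not appear in the evaluated configuration shows up here:
# a handshake with a suite outside Table 5, or repeated alert 48 (Unknown CA)
# from a client that does not trust the server's chain.
Get-EvaluatedConfigEvents -Since (Get-Date).AddDays(-7) |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

The Schannel events only exist if Schannel event logging has been turned on as described above; the WLAN and BitLocker events are written regardless of audit policy, and the 5447/5450 events require the two Filtering Platform subcategories enabled in section 3.2.1.1.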

4 Managing Wipe (AGD2: FCS_CKM.5) (AGD1: FMT_SMF_EXT.1(9))

This section contains the following Common Criteria SFRs:

- Extended: TSF Wipe (FCS_CKM_EXT.5)
- Specifications of Management Functions (FMT_SMF_EXT.1)

Wipe of the TOE accomplishes removal of protected data and destruction of keys/secret.

4.1 IT Administrator Guidance

Windows 10 (Anniversary Update) devices can be managed to wipe after exceeding a maximum number of consecutive authentication failures using an MDM. See the MDM solution documentation for detailed configuration actions.

4.2 Windows 10

4.2.1 Local Administrator Guidance

The following Windows help topic describes how to reset Windows 10 (Anniversary Update) devices with removal of all user data (the "Fully clean the drive" option wipes all protected data):

How to refresh, reset, or restore your PC: http://windows.microsoft.com/en-us/windows-10/windows-10-recovery-options

4.3 Windows 10 Mobile

4.3.1 User Guidance

The following support topic describes how to reset a Windows 10 Mobile device:

Reset my phone: https://support.microsoft.com/en-us/help/10666/windows-phone-reset-my-phone

5 Managing EAP-TLS (AGD2: FCS_CKM.1) (AGD1: FCS_CKM.2) (AGD2: FDP_IFC_EXT.1) (AGD1: FMT_SMF_EXT.1(6)) (AGD1: FMT_SMF_EXT.1(7)) (AGD1: FTP_ITC_EXT.1)

This section contains the following Common Criteria SFRs:

- Extended: Trusted Channel Communication (FTP_ITC_EXT.1)
- Extended: PAE Authentication (FIA_PAE_EXT.1)
- Extended: Wireless Network Access (FTA_WSE_EXT.1)
- Specifications of Management Functions (FMT_SMF_EXT.1)

5.1 IT Administrator Guidance

Wi-Fi policies on Windows 10 (Anniversary Update) devices, including certificate validation options, can be managed using an MDM. See the MDM solution documentation for detailed configuration actions.

Steps 1 – 4 in the following link describe how to configure the IT infrastructure for EAP-TLS using WPA2-Enterprise (based on 802.1x authentication and 802.11-2012 encryption standards):

Creating a secure 802.1x wireless infrastructure using Microsoft Windows: http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx

Group policy can be used to specify the wireless networks (SSIDs) that a user may connect to.

Configure Network Permissions and Connection Preferences: https://msdn.microsoft.com/en-us/library/dd759204.aspx

5.2 Windows 10

5.2.1 Local Administrator Guidance

The following topic describes how to configure EAP-TLS on Windows 10 (Anniversary Update):

Extensible Authentication Protocol (EAP) Settings for Network Access: http://technet.microsoft.com/en-us/library/hh945104.aspx (see footnote 3)

The TOE comes preloaded with root certificates for various Certificate Authorities. The following TechNet topic describes how to manage trust relationships:

3 This topic also applies to Windows 10 Anniversary Update

Manage Trusted Root Certificates: http://technet.microsoft.com/en-us/library/cc754841.aspx

5.3 User Guidance

The user views the list of available networks (including networks associated with a configured Wi-Fi profile) in Settings -> Network & Internet -> Wi-Fi. Tapping a given Wi-Fi network presents the option to Connect to the network.

6 Managing TLS/DTLS (AGD1: FCS_CKM.2) (AGD1: FCS_TLSC_EXT.1) (AGD1: FCS_TLSC_EXT.2) (AGD1: FCS_DTLS_EXT.1) (AGD1: FDP_UPC_EXT.1)

The name in the certificate is automatically compared to the expected name and does not require additional configuration of the expected name for the connection.

The TOE comes preloaded with root certificates for various Certificate Authorities. Additional Certificate Authorities may be managed on the Windows 10 (Anniversary Update) device using workplace enrollment and an MDM.

There is no configuration necessary to use client authentication on the device once a device has client authentication certificates. See the Managing Certificates section for information on configuring a device to enroll for client certificates.

All TLS settings such as cipher suites also apply to DTLS.

6.1 IT Administrator Guidance

The cipher suite selection and priority may be managed on Windows 10 (Anniversary Update) devices using an MDM. Cipher suite selection is made according to the default order as described in the following section for Windows 10 (Anniversary Update). See the MDM solution documentation for detailed configuration actions.

6.2 Windows 10

6.2.1 Local Administrator Guidance

The mandatory and optional cipher suites listed in the Security Target correlate with those available in the TOE as follows (an empty TOE column means the TOE offers no corresponding suite):

Cipher Suite (per Security Target)                          | Requirement | Available Cipher Suite in TOE (see footnote 4)
TLS_RSA_WITH_AES_128_CBC_SHA                                | Mandatory   | TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA                                | Optional    | TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246     | Optional    | (none)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA as defined in RFC 5246     | Optional    | (none)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA as defined in RFC 4492   | Optional    | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as defined in RFC 4492   | Optional    | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA as defined in RFC 4492 | Optional    | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA as defined in RFC 4492 | Optional    | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246      | Optional    | TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246      | Optional    | TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246  | Optional    | (none)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246  | Optional    | (none)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289 | Optional | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289 | Optional | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289 | Optional | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289 | Optional | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

4 See: Cipher Suites in Schannel: http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx

Table 5: Selected TLS Cipher Suites (AGD1: FCS_TLSC_EXT.2) (AGD3: FCS_TLSC_EXT.2)

The following MSDN articles describe how the administrator modifies the set of TLS cipher suites for priority and availability:

Prioritizing Schannel Cipher Suites: http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx
How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll: http://support.microsoft.com/kb/245030

The name in the certificate is automatically compared to the expected name and does not require additional configuration of the expected name for the connection.

The TOE comes preloaded with root certificates for various Certificate Authorities. The following TechNet topic describes how to manage trust relationships (AGD2: FCS_TLSC_EXT.1) (AGD3: FCS_TLSC_EXT.1) (AGD4: FCS_TLSC_EXT.2) (AGD1: FCS_HTTPS_EXT.1):

Manage Trusted Root Certificates: http://technet.microsoft.com/en-us/library/cc754841.aspx

Hashes in the TLS protocol are configured in association with cipher suite selection. The administrator configures the cipher suites used on a machine by following the configuration instructions at the following link: http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx
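The following PowerShell script is an added example and is not part of the Microsoft guidance. Instead of editing the SSL Cipher Suite Order policy by hand as the articles above describe, it uses the TLS cmdlets built into Windows 10 (Get-TlsCipherSuite, Disable-TlsCipherSuite, Enable-TlsCipherSuite) to make the live Schannel list equal the suites that Table 5 shows as available in the TOE, and then verifies set and order. The priority order (ECDHE and GCM first) is the example's choice, not something the Security Target prescribes; elliptic curves are configured separately and are not touched.

```powershell
# Added example: make the Schannel cipher suite list match the "Available in TOE"
# column of Table 5 using the Windows 10 TLS cmdlets. The DHE_RSA suites of the
# Security Target are omitted because Table 5 lists no TOE suite for them. The
# ordering is this example's choice. Run as an administrator.

$allowed = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA'
)

$before = (Get-TlsCipherSuite).Name
'Before: {0} suites enabled' -f $before.Count

# Clear the list, then re-add the allowed suites in priority order. Without
# -Position, Enable-TlsCipherSuite appends at the lowest priority, so the loop
# order becomes the negotiation order.
foreach ($name in $before)  { Disable-TlsCipherSuite -Name $name }
foreach ($name in $allowed) { Enable-TlsCipherSuite  -Name $name }

# Verify set and order. Compare-Object with -SyncWindow 0 compares position by
# position; no difference objects means the live list equals $allowed exactly.
$after = (Get-TlsCipherSuite).Name
$diff  = Compare-Object -ReferenceObject $allowed -DifferenceObject $after -SyncWindow 0
if ($diff) {
    $diff | Format-Table -AutoSize
    throw 'Live cipher suite list does not match Table 5'
}
'After: {0} suites enabled, matching Table 5' -f $after.Count
```

These cmdlets write the local SSL Cipher Suite Order policy; a domain Group Policy setting the same list takes precedence on the next policy refresh, so on managed devices the same list should be deployed through GPO or MDM rather than locally. A successful handshake afterwards is recorded as event 36880 with the negotiated suite, which is the quickest way to confirm the change took effect for a given server.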

The elliptic curves are configured independently of the cipher suite configuration. (AGD6: FCS_TLSC_EXT.1)

The reference identifier in Windows 10 (Anniversary Update) for TLS is the URL of the server. There is no configuration of the reference identifier. (AGD2: FCS_TLSC_EXT.2)

The signature algorithm is not configurable in Windows 10 (Anniversary Update) for TLS. (AGD7: FCS_TLSC_EXT.1) (AGD6: FCS_TLSC_EXT.2)

6.3 User Guidance

Users may choose to use TLS with HTTPS by using https in the URL typed into the browser.

The reference identifier for TLS is the URL of the server. There is no configuration of the reference identifier.

7 Managing Apps (AGD1: FMT_SMF_EXT.1(10)) (AGD1: FMT_SMF_EXT.1(16)) (AGD1: FMT_SMF_EXT.1(18))

Administrators must exercise discretion when installing apps based upon examining app metadata describing claimed capabilities. (AGD1: FDP_ACF_EXT.1) For example:

Installing apps that declare the sharedUserCertificates app capability allows the app to approve exceptions for shared use or destruction of keys/secrets that were imported by another app. (AGD1: FMT_SMF_EXT.1(35))

7.1 IT Administrator Guidance

MDM solutions are capable of installing, removing and restricting the ability for applications to run on the TOE. See the MDM solution documentation for detailed configuration actions.

7.2 Windows 10

7.2.1 Local Administrator Guidance

The ability for users to run the Store app may be removed using a registry value:

1. Start the registry editor tool by executing the command regedit.exe as an administrator.
2. Navigate to the registry path HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsStore. Note that the WindowsStore registry key may need to be created.
3. Create a DWORD (32 bit) registry value with the name RemoveWindowsStore under the WindowsStore registry key. Set the registry value to 1.

Local administrators can also restrict the ability of users to install applications using AppLocker as described in this TechNet topic:

AppLocker Overview: https://technet.microsoft.com/en-us/library/hh831440.aspx

The following Windows help topic describes how to remove an app installed from the Store, or in the case of enrolled devices, from their Company Portal or installed automatically by their IT administrator, and any information the app contained:

Uninstall, change or repair a program: http://windows.microsoft.com/en-us/windows-10/repair-or-remove-programs#v1h=tab01

8 Managing Volume Encryption (AGD1: FCS_CKM.5) (AGD1: FDP_DAR_EXT.1) (AGD3: FDP_DAR_EXT.1) (AGD1: FIA_UAU_EXT.1) (AGD2: FIA_UAU_EXT.1) (AGD1: FMT_SMF_EXT.1(25))

This section contains the following Common Criteria SFRs:

- Extended: Data at Rest Encryption (FDP_DAR_EXT.1)
- Extended: Authentication for Cryptographic Operation (FIA_UAU_EXT.1)
- Specifications of Management Functions (FMT_SMF_EXT.1)

The following TechNet topic describes the BitLocker feature, including its use to encrypt the entire operating system volume or removable volumes (AGD1: FDP_DAR_EXT.1):

BitLocker Overview: http://technet.microsoft.com/en-US/library/hh831713.aspx

8.1 IT Administrator Guidance

If volume encryption is enabled on the TOE, then the MDM solution can configure AES-256 as the default encryption method to be used when a device is BitLocker-protected. See the MDM solution documentation for detailed configuration actions.

8.2 Windows 10

8.2.1 Local Administrator Guidance

The following TechNet topic describes the manage-bde command, which should be executed in a command shell running as an administrator to configure DAR protection:

Manage-bde: http://technet.microsoft.com/en-us/library/ff829849(v=ws.10).aspx

By default, AES128 encryption is used by the manage-bde command when enabling BitLocker for Windows 10 (Anniversary Update); the AES256 algorithm must be used instead. In addition, the TPM and PIN authorization factor must be used in the evaluated configuration, and the Enhanced PIN capability must be enabled.

To enable BitLocker with the TPM and Enhanced PIN authorization factors, execute the following command (manage-bde prompts for the PIN):

manage-bde -on <operating system disk volume letter>: -TPMandPIN -EncryptionMethod aes256

A USB keyboard is necessary to enter the Enhanced PIN to unlock the drive at boot on some devices.

The following is a link to BitLocker Policy settings:

https://technet.microsoft.com/en-us/library/jj679890.aspx

Administrators must create an Enhanced PIN of at least four and at most 20 characters; an Enhanced PIN may include uppercase and lowercase English letters, symbols on an EN-US keyboard, numbers, and spaces. To enable the Enhanced PIN capability, start the gpedit.msc MMC snap-in as an administrator and enable the following local or group policy:

Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives\Allow enhanced PINs for startup

Other BitLocker policies that must be enabled to use the TPM and Enhanced PIN authenticator are:

Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Enable use of BitLocker authentication requiring preboot keyboard input on slates
Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup
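The following PowerShell script is an added example and is not part of the Microsoft guidance. It applies the three policies named above as local policy values, enables BitLocker on the OS volume with TPM + PIN and AES-256 through the BitLocker cmdlets (the equivalent of the manage-bde command shown earlier), and provides a check that the resulting volume matches the evaluated configuration. The registry value names are the ones the BitLocker policy template (FVE.admx) writes for these settings and should be confirmed against gpedit.msc; the example tightens "Require additional authentication at startup" so that only TPM + PIN is permitted, which is this example's choice rather than the guidance's wording.

```powershell
# Added example: set the BitLocker policies named in the guidance as local policy
# values, enable BitLocker with TPM + Enhanced PIN and AES-256, then verify.
# Value names are those written by FVE.admx; confirm against gpedit.msc.
# Run as an administrator.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

$policy = @{
    # Require additional authentication at startup: enabled, with TPM + PIN required
    # and every other startup option refused (0 = do not allow, 1 = require, 2 = allow).
    UseAdvancedStartup = 1
    EnableBDEWithNoTPM = 0
    UseTPM             = 0
    UseTPMPIN          = 1
    UseTPMKey          = 0
    UseTPMKeyPIN       = 0
    # Allow enhanced PINs for startup
    UseEnhancedPin     = 1
    # Enable use of BitLocker authentication requiring preboot keyboard input on slates
    OSEnablePrebootInputProtectorsOnSlates = 1
}
foreach ($name in $policy.Keys) {
    Set-ItemProperty -Path $fve -Name $name -Value $policy[$name] -Type DWord
}

# Enable BitLocker with TPM + PIN and AES-256. Enable-BitLocker schedules a
# hardware test: the PIN is entered at the next restart before encryption starts,
# which is where a slate without a built-in keyboard needs the USB keyboard.
# The minimum PIN length is governed by the "Configure minimum PIN length for
# startup" policy, so a short PIN may be rejected here even though the PIN is valid.
$pin = Read-Host -AsSecureString 'Enhanced PIN'
Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod Aes256 `
    -TpmAndPinProtector -Pin $pin

function Test-EvaluatedBitLockerConfig {
    param([string]$MountPoint = $env:SystemDrive)
    $vol        = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = $vol.KeyProtector.KeyProtectorType
    $ok = $true
    if ($vol.EncryptionMethod -ne 'Aes256') {
        Write-Warning "$MountPoint uses $($vol.EncryptionMethod); the evaluated configuration requires Aes256"
        $ok = $false
    }
    if ($protectors -notcontains 'TpmPin') {
        Write-Warning "$MountPoint protectors are [$($protectors -join ', ')]; TpmPin is required"
        $ok = $false
    }
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        Write-Warning "$MountPoint status is $($vol.VolumeStatus); re-run after event 24579 (encryption completed)"
    }
    return $ok
}

# Run after the restart and hardware test have completed.
Test-EvaluatedBitLockerConfig
```

Re-running Test-EvaluatedBitLockerConfig after the System log shows event 24579 for the volume confirms that what was requested (AES-256, TPM + PIN) is what the volume actually carries; a volume encrypted earlier with the default AES-128 must be decrypted and re-encrypted, since the encryption method cannot be changed in place.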

8.2.2 User Guidance (AGD1: FMT_SMF_EXT.1(26))

Users may use BitLocker To Go in order to encrypt removable drives. The following details how to do this:

1. Click Start, click Control Panel, click Security, and then click BitLocker Drive Encryption.
2. On the BitLocker Drive Encryption page, follow the instructions in the Removable data drives – BitLocker To Go section.

8.3 Windows 10 Mobile

8.3.1 User Guidance

To enable/disable Volume Encryption:

1. Go to Settings -> System -> Device Encryption
2. Tap On/Off

9 Managing VPN (AGD1: FDP_IFC_EXT.1) (AGD3: FDP_IFC_EXT.1) (AGD1: FMT_SMF_EXT.1(3)) (AGD1: FTP_ITC_EXT.1)

9.1 IT Administrator Guidance

MDM solutions can be used to manage VPN profiles on the TOE, including lockdown VPN profiles, which enforce the policy that all network traffic other than the traffic necessary to establish the VPN connection goes through the VPN tunnel. See the MDM solution documentation for detailed configuration actions.

9.2 Windows 10

9.2.1 Local Administrator Guidance

The Windows Firewall/Windows Filtering Platform may be used on Windows 10 to prevent traffic other than VPN traffic to and from the device.

The Windows Filtering Platform can be configured with Inbound and Outbound rules whose actions PROTECT, BYPASS, DISCARD or ALLOW the traffic matched by those rules.

Overview of Windows Firewall with Advanced Security: https://technet.microsoft.com/en-us/library/dd448535(v=ws.10).aspx

The following TechNet topic explains the priority for applying firewall rules:

Understanding the Firewall: http://technet.microsoft.com/en-us/library/dd421709(v=ws.10).aspx

The following TechNet topic describes how the Windows Firewall is managed using PowerShell cmdlets:

Network Security Cmdlets in Windows PowerShell: https://technet.microsoft.com/en-us/library/jj554906(v=wps.630).aspx
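The following PowerShell script is an added example and is not part of the Microsoft guidance. It uses the NetSecurity cmdlets referenced above to implement the lockdown described in section 9.1 on a locally administered Windows 10 device: default-block in both directions, the pre-existing outbound allow rules disabled so that the new allow-list is exhaustive, and outbound exceptions only for what the tunnel needs (DHCP, DNS to named resolvers, IKEv2/IPsec to the VPN gateway) plus traffic carried by the VPN adapter itself. The gateway and resolver addresses are placeholders from the documentation address ranges; the rule group name is the example's own.

```powershell
# Added example: restrict a Windows 10 device to VPN-only traffic with the
# NetSecurity cmdlets. Everything not explicitly allowed is blocked in both
# directions. Addresses are placeholders. Run as an administrator from a local
# console: applying this cuts any remote management session.

$vpnServer = '203.0.113.10'               # placeholder: VPN gateway (TEST-NET-3 range)
$resolvers = '192.0.2.53', '192.0.2.54'   # placeholder: DNS servers needed to resolve the gateway
$group     = 'VPN Lockdown'

# 1. Default deny on every profile. Explicit allow rules still win over the
#    default action, which is why step 2 is needed.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Disable every other enabled outbound allow rule so the allow-list below is
#    the only thing that can pass. Built-in groups such as Core Networking are
#    included; on IPv6 networks the ICMPv6 neighbor discovery rules would need
#    to be re-enabled.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { $_.Group -ne $group } |
    Disable-NetFirewallRule

# 3. The allow-list. Replies to these outbound flows are admitted statefully.
$rules = @(
    @{ DisplayName = 'DHCP client';       Protocol = 'UDP'; LocalPort = 68; RemotePort = 67 },
    @{ DisplayName = 'DNS to resolvers';  Protocol = 'UDP'; RemotePort = 53; RemoteAddress = $resolvers },
    @{ DisplayName = 'IKEv2 and NAT-T';   Protocol = 'UDP'; RemotePort = 500, 4500; RemoteAddress = $vpnServer },
    @{ DisplayName = 'ESP';               Protocol = '50';  RemoteAddress = $vpnServer },
    @{ DisplayName = 'Inside the tunnel'; InterfaceType = 'RemoteAccess' }   # anything carried by the VPN adapter
)
foreach ($r in $rules) {
    New-NetFirewallRule -Group $group -Direction Outbound -Action Allow -Profile Any @r | Out-Null
}

# 4. Review: only the lockdown group should remain enabled outbound.
Get-NetFirewallRule -Direction Outbound -Enabled True |
    Select-Object DisplayName, Group, Action, Profile |
    Format-Table -AutoSize
```

The InterfaceType RemoteAccess rule is what makes the policy "VPN only": once the tunnel is up, traffic leaves through the VPN adapter and matches that rule, while anything sent directly over the Wi-Fi or Ethernet adapter falls to the default block. Each rule created or disabled here is recorded as a Windows Filtering Platform filter change (event 5447) when the Other Policy Change Events subcategory is audited, as described in section 3.2.1.1.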

10 Managing Accounts

This section contains the following Common Criteria SFRs:

- Authentication Failure Handling (FIA_AFL_EXT.1)

10.1 IT Administrator Guidance

The maximum number of unsuccessful authentication attempts and the associated remediation action is a Mobile Device Management (MDM) configuration policy setting that may only be managed by an MDM system and cannot be directly configured by users on their device. If this device configuration policy setting is configured, then the remediation action wipes the device and restores factory default settings. See the MDM solution documentation for detailed configuration actions.

10.2 Windows 10

10.2.1 Local Administrator Guidance (AGD1: FIA_PMG_EXT.1) (AGD1: FMT_SMF_EXT.1(1)) (AGD1: FMT_SMF_EXT.1(2))

The following TechNet topic explains the net accounts command line utility for standalone computers for managing password length and lifetime:

Net Accounts: http://technet.microsoft.com/en-us/library/bb490698.aspx

In addition to the parameters given in the referenced article the following are also valid options for managing account lockout policy:

/lockoutthreshold:number   Sets the number of times a bad password may be entered until the account is locked out. If set to 0, the account is never locked out. (AGD1: FIA_AFL_EXT.1)

/lockoutwindow:minutes     Sets the number of minutes of the lockout window.

/lockoutduration:minutes   Sets the number of minutes the account will be locked out for.

Password complexity is configured by the administrator via Windows security policy. The relevant security policy is "Security Settings\Account Policies\Password Policy\Password must meet complexity requirements". The following TechNet topic explains how to open the Local Group Policy Editor tool (or, for domain-managed devices, the Group Policy Management Console) used to configure Windows security policy:

Local Group Policy Editor: http://technet.microsoft.com/en-us/library/dn265982.aspx

Exceeding the authentication failure limit is audited as Security log event ID 4740. However, this record is lost when an enrolled device exceeds the authentication failure limit configured by the IT administrator, because the remediation action described in section "Managing Wipe" wipes the device.

When the organizational user attempts to logon repeatedly with a bad password, they will eventually be prompted that the account is about to be locked out and that they will need a BitLocker recovery key to unlock. In certain configurations of the system, including the evaluated configuration, there will not be a BitLocker recovery key to use once the maximum logon attempt threshold is passed. In such a situation the device is considered to be "wiped", as recovery of the data on the BitLocker-encrypted volumes is not possible. This is true even though the system prompts the user explicitly for a BitLocker recovery key, as this prompt occurs even if no BitLocker recovery key was ever configured.

11 Managing Bluetooth

Bluetooth pairing uses a protected communication channel by default, so there is no configuration necessary. (AGD1: FDP_UPC_EXT.1)

11.1 IT Administrator Guidance (AGD1: FMT_SMF_EXT.1(4)) (AGD1: FMT_SMF_EXT.1(20))

The MDM solution can enable/disable Bluetooth on the TOE. The MDM solution can also a) enable/disable Discoverable mode (for BR/EDR), b) change the Bluetooth device name, and c) enable/disable Advertising (for LE). See the MDM solution documentation for detailed configuration actions.

11.1.1 User Guidance (AGD1: FIA_BLT_EXT.1)

The following topic describes how to initiate and complete pairing with a Bluetooth device:

Add a Bluetooth device: https://www.microsoft.com/surface/en-us/support/hardware-and-drivers/add-a-bluetooth-device?os=windows-10

11.2 Windows 10 Mobile

11.2.1 User Guidance (AGD1: FIA_BLT_EXT.1)

Users authorize Bluetooth pairing by doing the following:

1. Go to Settings -> Devices -> Bluetooth to manage the Bluetooth devices
2. Tap the desired Bluetooth device in the list of discovered devices indicated as Tap to pair to conduct the pairing operation

12 Managing Passwords

12.1 Strong Passwords (AGD1: FIA_PMG_EXT.1) (AGD1: FMT_SMF_EXT.1(1)) (AGD1: FMT_SMF_EXT.1(2))

This section contains the following Common Criteria SFRs:

- Extended: Password Management (FIA_PMG_EXT.1)
- Specifications of Management Functions (FMT_SMF_EXT.1)

12.1.1 IT Administrator Guidance

The composition of strong passwords and minimum password length policy settings may only be managed by a Mobile Device Management (MDM) system and cannot be directly configured by users on their device. See the MDM solution documentation for detailed configuration actions.

The following TechNet topics describe the characteristics for passwords that are available, instructions for setting the enforcement mechanism and a discussion of strong passwords and recommended minimum settings:

Strong Password: http://technet.microsoft.com/en-us/library/cc756109(v=ws.10).aspx
Password Best practices: http://technet.microsoft.com/en-us/library/cc784090(v=ws.10).aspx

12.1.2 Windows 10

12.1.2.1 Local Administrator Guidance

The following TechNet topics describe the characteristics for passwords that are available, instructions for setting the enforcement mechanism and a discussion of strong passwords and recommended minimum settings:

Enforcing Strong Password Usage Throughout Your Organization: https://technet.microsoft.com/en-us/library/hh994562(v=ws.10).aspx
Strong Password: http://technet.microsoft.com/en-us/library/cc756109(v=ws.10).aspx
Password Best practices: http://technet.microsoft.com/en-us/library/cc784090(v=ws.10).aspx

12.2 Protecting Passwords

This section contains the following Common Criteria SFRs:

Protected Authorization Feedback (FIA_UAU.7)

12.2.1 Windows 10

12.2.1.1 User Guidance

To conduct initial logon authentication type CTRL-ALT-DEL to open the logon screen and then enter the user name and password. If no keyboard is available then swipe up to open the logon screen.

Windows 10 (Anniversary Update) does not require any configuration to ensure the password is obscured by default. The following best practices should be observed (AGD1: FIA_UAU.7):

As with all forms of authentication, when entering your password, avoid allowing other people to watch you as you sign in.

Keep your device in a secure location where unauthorized people do not have physical access to it. As with any password entry, be aware of line of sight and potential recording devices that intrude on your screen.

12.2.2 Windows 10 Mobile

12.2.2.1 User Guidance

Windows 10 Mobile does not require any configuration to ensure the password is obscured by default. The following best practices should be observed:

As with all forms of authentication, when entering your password, avoid allowing other people to watch you as you sign in.

Keep your device in a secure location where unauthorized people do not have physical access to it. As with any password entry, be aware of line of sight and potential recording devices that intrude on your screen.

12.3 Logon/Logoff Password Policy

This section contains the following Common Criteria SFRs:

Extended: Authentication for Cryptographic Operation (FIA_UAU_EXT.1)
Extended: Timing of Authentication (FIA_UAU_EXT.2)
Extended: Re-Authorizing (FIA_UAU_EXT.3)
Extended: TSF and User initiated Locked State (FTA_SSL_EXT.1)
Specifications of Management Functions (FMT_SMF_EXT.1)


12.3.1 IT Administrator Guidance

Password policies may be configured by using a Mobile Device Management (MDM) solution. See the MDM solution documentation for detailed configuration actions.

12.3.2 Windows 10

12.3.2.1 Local Administrator Guidance

The out of box experience requires that when user accounts are created a password is assigned to the account. (AGD3: FIA_UAU_EXT.3)

To change an account password do either of the following (AGD4: FIA_UAU_EXT.3):

Tap the Start menu, tap the account picture, tap Change account settings, tap Sign-in options, tap Change under Password.
Type the secure attention sequence CTRL-ALT-DEL and select Change a password.

The inactivity time period for TSF-initiated session locking is configured by the administrator via Windows security policy. The relevant security policy is “Interactive logon: Machine inactivity limit” as described in the following Technet topic in the section heading titled “New and changed functionality” (AGD5: FIA_UAU_EXT.3):

Security Policy Settings Overview: http://technet.microsoft.com/en-us/library/2fdcbb11-8037-45b1-9015-665393268e36

The following Technet topics include guidance for administrators to open the Local Group Policy Editor tool or the Group Policy Management Console, respectively, that are used to configure the Windows security policy:

Local Group Policy Editor: http://technet.microsoft.com/en-us/library/dn265982.aspx

13 Managing Notifications in the Locked State (AGD1: FMT_SMF_EXT.1(21))

This section contains the following Common Criteria SFRs:

Specifications of Management Functions (FMT_SMF_EXT.1)


13.1 Windows 10

13.1.1 User Guidance

To manage notifications on the lock screen:

Go to Settings -> System -> Notifications & actions

13.2 Windows 10 Mobile

13.2.1 User Guidance

To enable or disable showing detailed status for applications on the lock screen:

Go to Settings -> Personalization
Tap Lock screen
Under Choose an app to show detailed status, choose none from the list to disable receiving detailed status information, or choose an application to show its detailed status on the lock screen

To disable showing quick status for applications on the lock screen:

Go to Settings -> Personalization
Tap Lock screen
Tap each of the boxes under Choose apps to show quick status and choose none in the CHOOSE AN APP screen to receive no quick status information on the lock screen, or tap a box and choose a desired application in the CHOOSE AN APP screen to receive quick status for that application on the lock screen

To disable receiving email, calendar or text message notifications in action center:

Go to Settings -> System
Tap Notifications+Actions
Uncheck Show notifications in action center when my phone is locked

14 Managing Certificates (AGD1: FIA_X509_EXT.2) (AGD1: FMT_SMF_EXT.1(13)) (AGD1: FMT_SMF_EXT.1(14))


This section contains the following Common Criteria SFRs:

Extended: Validation of Certificates (FIA_X509_EXT.1)
Extended: Certificate Authentication (FIA_X509_EXT.2)
Extended: Cryptographic Key Storage (FCS_STG_EXT.1)
Specifications of Management Functions (FMT_SMF_EXT.1)

14.1 Certificate Validation (AGD2: FIA_X509_EXT.2) (AGD1: FMT_SMF_EXT.1(30))

When validating a certificate with modern Windows applications the connection to a configured revocation server must be available or the validation will fail. This configuration cannot be changed.

The administrator cannot configure certificate validation for code signing purposes.

Key lengths of keys used with certificates are configured in the certificate templates on the Certificate Authority used during enrollment and are not configured by the user or local administrator.

Once a certificate suitable for client authentication is configured on the TOE, no additional configuration is necessary to use it.

14.1.1 Windows 10

The administrator configures certificate validation using the Set-NetFirewallSetting PowerShell cmdlet as described in the following TechNet topic:

Set-NetFirewallSetting: http://technet.microsoft.com/en-us/library/jj554878.aspx

The administrator configures certificate validation for network connections based on EAP-TLS using the “Set Up a Connection or Network” wizard in the “Smart Card or Other Certificate Properties” and “Configure Certificate Selection” screens as described in the following TechNet topic:

Extensible Authentication Protocol (EAP) Settings for Network Access (see Smart Card or other Certificate Properties configuration items): https://technet.microsoft.com/en-us/library/hh945104.aspx

The administrator configures certificate validation for HTTPS using the Security options checkboxes in the Advanced tab on the Internet Properties dialog for Control Panel. The “Warn about certificate address mismatch” setting configures whether the Web address must match the certificate subject field and warns the user of a mismatch. The following MSDN Blog describes the “Check for server certificate revocation” setting:


Understanding Certificate Revocation Checks: http://blogs.msdn.com/b/ieinternals/archive/2011/04/07/enabling-certificate-revocation-check-failure-warnings-in-internet-explorer.aspx
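The settings named in section 14.1.1 (the IPsec certificate validation level behind Set-NetFirewallSetting, and the two Internet Properties checkboxes for HTTPS) can be audited and tightened from PowerShell. The following script is an added example and is not part of the Microsoft guidance. Assumptions: the -CertValidationLevel parameter and its value RequireChainAndRevocation are taken from the Set-NetFirewallSetting documentation as I know it (confirm with Get-Help Set-NetFirewallSetting -Full), and the per-user registry values CertificateRevocation and WarnOnBadCertRecving under Internet Settings are assumed to be the storage behind the “Check for server certificate revocation” and “Warn about certificate address mismatch” checkboxes.

```powershell
# Added example, not from the Microsoft guidance: report and (optionally) enforce the
# certificate validation settings described in section 14.1.1.
# Assumptions: -CertValidationLevel / RequireChainAndRevocation as documented for
# Set-NetFirewallSetting; CertificateRevocation and WarnOnBadCertRecving as the
# registry storage for the two Internet Properties > Advanced > Security checkboxes.

$IeKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-CertValidationPosture {
    # IPsec peer certificate validation (the Set-NetFirewallSetting side).
    $fw = Get-NetFirewallSetting -PolicyStore ActiveStore
    $ipsecLevel = [string]$fw.CertValidationLevel

    # HTTPS validation for the current user (the Internet Properties side).
    $ie = Get-ItemProperty -Path $IeKey -ErrorAction SilentlyContinue
    $revocation = if ($null -ne $ie.CertificateRevocation) { [int]$ie.CertificateRevocation } else { $null }
    $mismatch   = if ($null -ne $ie.WarnOnBadCertRecving)  { [int]$ie.WarnOnBadCertRecving }  else { $null }

    [pscustomobject]@{
        IPsecCertValidationLevel = $ipsecLevel
        IPsecRevocationRequired  = ($ipsecLevel -eq 'RequireChainAndRevocation')
        HttpsRevocationCheck     = ($revocation -eq 1)
        HttpsAddressMismatchWarn = ($mismatch -eq 1)
    }
}

function Set-StrictCertValidation {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess('IPsec policy', 'Require full chain and revocation checking')) {
        Set-NetFirewallSetting -CertValidationLevel RequireChainAndRevocation
    }
    if ($PSCmdlet.ShouldProcess($IeKey, 'Enable revocation and address-mismatch checks')) {
        Set-ItemProperty -Path $IeKey -Name CertificateRevocation -Value 1 -Type DWord
        Set-ItemProperty -Path $IeKey -Name WarnOnBadCertRecving -Value 1 -Type DWord
    }
}

# Audit first; add -WhatIf to the Set call to preview the change before applying it.
Get-CertValidationPosture | Format-List
Set-StrictCertValidation -WhatIf
```

Run the script elevated for the IPsec part; the Internet Settings values are per user, so the audit only reflects the account that runs it.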

14.2 Developer Guidance

Application developers import and use keys and secrets with the Windows.Security.Cryptography.Certificates namespace as described by the following MSDN topic:

Windows.Security.Cryptography.Certificates namespace: https://msdn.microsoft.com/en-us/library/windows/apps/windows.security.cryptography.certificates.aspx?f=255&MSPPError=-2147217396

Developers have a choice when enrolling for a certificate to use either CertificateEnrollmentManager base class or the derived class UserCertificateEnrollmentManager. When using UserCertificateEnrollmentManager the keys are secured by the user account credentials and user account ACLs. When using the CertificateEnrollmentManager base class the keys are only available to the application that imported or created the keys.

14.2.1 Shared User Keys

The following MSDN topic describes the sharedUserCertificates special capability that must be declared by Windows 10 or Windows 10 Mobile applications so that applications may share keys:

App capability declarations: https://msdn.microsoft.com/en-us/library/windows/apps/hh464936.aspx

14.2.2 Custom Certificate Requests (AGD3: FIA_X509_EXT.2)

Certificate requests with specific fields such as "Common Name", "Organization", "Organizational Unit", and/or "Country" can be generated by apps using the Certificates.CertificateEnrollmentManager.CreateRequestAsync API. The following link provides the documentation for the API:

CertificateEnrollmentManager.CreateRequestAsync | createRequestAsync method: https://msdn.microsoft.com/en-us/library/windows/apps/windows.security.cryptography.certificates.certificateenrollmentmanager.createrequestasync.aspx

14.3 IT Administrator Guidance

Root certificates can be added to Windows 10 (Anniversary Update) devices using an MDM. See the MDM solution documentation for detailed configuration actions.

Windows 10 (Anniversary Update) devices can be managed to enroll for client certificates using an MDM. See the MDM solution documentation for detailed configuration actions.

Keys are deleted using device wipe as described in the Managing Wipe section of this document.


14.4 Windows 10

14.4.1 Local Administrator Guidance

The following TechNet topics describe managing certificates (including the “Obtain a Certificate” sub-topic) (AGD5: FCS_TLSC_EXT.1) (AGD5: FCS_TLSC_EXT.2):

Manage Certificates: http://technet.microsoft.com/en-us/library/cc771377.aspx
Certutil: http://technet.microsoft.com/library/cc732443.aspx

The operational guidance for setting up a trusted channel to communicate with a CA is described in the operational guidance for FTP_ITC.1 (OS).

The TOE comes preloaded with root certificates for various Certificate Authorities. The following TechNet topic describes how to manage trust relationships (AGD4: FCS_TLSC_EXT.1) (AGD4: FCS_TLSC_EXT.2) (AGD1: FCS_HTTPS_EXT.1):

Manage Trusted Root Certificates: http://technet.microsoft.com/en-us/library/cc754841.aspx

The following TechNet topic describes how to delete a certificate:

Delete a Certificate: http://technet.microsoft.com/en-us/library/cc772354.aspx

Keys are deleted using device wipe as described in the Managing Wipe section of this document.
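The certificate tasks in section 14.4.1 (review the preloaded trust relationships, validate a certificate chain, delete a certificate) can also be done from PowerShell rather than the MMC snap-in or certutil. The following is an added example, not part of the Microsoft guidance. Assumptions: Test-Certificate is the PKI module cmdlet used for chain validation; the thumbprint and DNS name in the usage lines are placeholders.

```powershell
# Added example, not from the Microsoft guidance: trusted-root inventory, chain
# validation with revocation checking, and certificate deletion via the Cert: drive.
# Assumptions: Test-Certificate (PKI module) for validation; placeholder thumbprint/DNS name.

# The roots the TOE currently trusts machine-wide, with the fields an auditor wants.
function Get-TrustedRootSummary {
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Select-Object Subject, Thumbprint, NotAfter,
            @{ Name = 'SignatureAlgorithm'; Expression = { $_.SignatureAlgorithm.FriendlyName } } |
        Sort-Object NotAfter
}

# Validate a certificate the way a TLS client would (chain to a trusted root, server
# authentication EKU, name match, revocation) and report the reason on failure.
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$ExpectedDnsName
    )
    $ok = Test-Certificate -Cert $Certificate -Policy SSL -DNSName $ExpectedDnsName `
            -ErrorAction SilentlyContinue -ErrorVariable validationError
    [pscustomobject]@{
        Subject = $Certificate.Subject
        Valid   = [bool]$ok
        Reason  = if ($validationError) { $validationError[0].Exception.Message } else { '' }
    }
}

# Delete a certificate by thumbprint; -DeleteKey also destroys its private key, which is
# what you want when retiring a client-authentication certificate.
function Remove-CertificateByThumbprint {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $cert = Get-ChildItem -Path $StorePath | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $StorePath" }
    if ($PSCmdlet.ShouldProcess($cert.Subject, "Remove from $StorePath")) {
        Remove-Item -Path $cert.PSPath -DeleteKey
    }
}

Get-TrustedRootSummary | Format-Table -AutoSize

# Validate the first certificate in the personal store against a placeholder host name.
$first = Get-ChildItem -Path Cert:\LocalMachine\My | Select-Object -First 1
if ($first) { Test-ServerCertificate -Certificate $first -ExpectedDnsName 'host.example.internal' }

# Preview a deletion (placeholder thumbprint); drop -WhatIf to apply.
Remove-CertificateByThumbprint -Thumbprint '0000000000000000000000000000000000000000' -WhatIf
```

Because the text notes that modern Windows applications fail validation when the revocation server is unreachable, a Test-ServerCertificate result of Valid = $false with a revocation-related reason on an offline machine is expected, not a certificate problem.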

14.4.2 User Guidance

When using HTTPS in a browsing scenario the user may choose to ignore a failed certificate validation and continue the connection.

14.5 Windows 10 Mobile

14.5.1 User Guidance

When using HTTPS in a browsing scenario the user may choose to ignore a failed certificate validation and continue the connection.

Certificates may be deleted from the Trusted Root Store using device wipe as described in the Managing Wipe section of this document.

15 Managing Time (AGD1: FPT_STM.1)


This section contains the following Common Criteria SFRs:

Reliable Time Stamps (FPT_STM.1)

15.1 Windows 10

15.1.1 Local Administrator Guidance

The administrator sets the time using the Set-Date PowerShell cmdlet that is documented here:

http://technet.microsoft.com/en-us/library/7f44d9e2-6956-4e55-baeb-df7a649fdca1

The administrator configures the time service to synchronize time from a time server using the W32tm command that is documented here (see Windows Time Service Tools):

http://technet.microsoft.com/en-us/library/cc773263(v=WS.10).aspx

The administrator ensures the communication path between the TOE client and the time service provider is protected from attacks that could compromise the integrity of the time by establishing an IPsec policy using the “Windows 10 (Anniversary Update) and Windows Server 2016 AU IPsec VPN Client Operational Guidance”, where section 4 provides detailed instructions that can be used to configure the TOE client and the time service provider.

The administrator ensures the NTP server is authenticated by verifying the IP address provided by the IT administrator for the NTP Server in the main mode and quick mode security associations according to the audit trail for the FTP_ITC.1 requirement outlined in section “4.1 Audit Policy for IPsec Operations” of the IPsec VPN Client guidance. In particular, audits are provided when a trusted channel is established that includes the IP address of the channel’s local and remote endpoints.
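The three steps in section 15.1.1 (set the clock, configure W32tm to synchronise from the IT administrator's NTP server, and confirm that the IPsec policy is actually protecting that channel) as one script. This is an added example and is not part of the Microsoft guidance or the IPsec VPN Client guidance it refers to. Assumptions: ntp.example.internal and 192.0.2.10 are placeholders for the NTP server; the channel check assumes the objects returned by Get-NetIPsecMainModeSA and Get-NetIPsecQuickModeSA expose a RemoteEndpoint property; the IPsec policy itself is configured per section 4 of the referenced guidance, not here.

```powershell
# Added example, not from the Microsoft guidance. Run elevated.
# Assumptions: placeholder NTP server name/IP; RemoteEndpoint property on the SA objects.
param(
    [string]$NtpServerName = 'ntp.example.internal',   # placeholder
    [string]$NtpServerIp   = '192.0.2.10'              # placeholder
)

# 1. One-off manual correction (Set-Date takes a DateTime or -Adjust <TimeSpan>).
#    Normally left to the time service; shown commented to avoid moving the clock.
# Set-Date -Date '2017-03-16 09:00:00'

# 2. Point the Windows Time service at the NTP server only. The ",0x8" flag puts the
#    peer in client mode; /syncfromflags:manual ignores any domain hierarchy source.
w32tm /config /manualpeerlist:"$NtpServerName,0x8" /syncfromflags:manual /update
Restart-Service -Name w32time
w32tm /resync /nowait

# 3. Evidence for the record: which source is in use and when it last synchronised.
w32tm /query /source
w32tm /query /status

# 4. The text requires the path to the time server to be IPsec-protected. After the first
#    exchange there should be a main-mode and a quick-mode SA whose remote endpoint is
#    the server; their absence means NTP is flowing in the clear (or not at all).
function Test-NtpChannelProtected {
    param([Parameter(Mandatory)][string]$RemoteIp)
    $mm = Get-NetIPsecMainModeSA  -ErrorAction SilentlyContinue | Where-Object { $_.RemoteEndpoint -eq $RemoteIp }
    $qm = Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue | Where-Object { $_.RemoteEndpoint -eq $RemoteIp }
    [pscustomobject]@{
        RemoteIp    = $RemoteIp
        MainModeSA  = [bool]$mm
        QuickModeSA = [bool]$qm
        Protected   = [bool]($mm -and $qm)
    }
}

Test-NtpChannelProtected -RemoteIp $NtpServerIp
```

The SA check complements, rather than replaces, the audit-trail verification the text describes: the audit record proves the channel was established at a point in time, while the live SA query shows it is still in place when the resync runs.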

15.2 Windows 10 Mobile

15.2.1 User Guidance

To set the time on Windows 10 Mobile:

Go to Settings -> Time & Language -> Date & Time
Then enable Set date and time automatically or set the time manually.

Windows 10 Mobile also supports automatically setting the date and time by the mobile operator via Network Identity and Time Zone (NITZ). Otherwise if the mobile operator does not support NITZ, then the user can only configure the date and time manually.

Windows 10 Mobile devices do not support NTP.


16 Getting Version Information (AGD1: FPT_TUD_EXT.1)

This section contains the following Common Criteria SFRs:

Extended: Trusted Update: TSF Version Query (FPT_TUD_EXT.1)
Specifications of Management Functions (FMT_SMF_EXT.1)

16.1 IT Administrator Guidance

App installation and version checking can be managed on Windows 10 (Anniversary Update) devices using an MDM. See the MDM solution documentation for detailed configuration actions.

16.2 Windows 10

16.2.1 User Guidance

To determine the hardware model and operating system version:

Go to Settings -> System -> About

The following TechNet topic describes how to enumerate all installed applications and their version:

Get-AppxPackage: https://technet.microsoft.com/en-us/library/hh856044.aspx
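The same version evidence section 16.2.1 has the user read from Settings -> System -> About, together with the per-app versions that Get-AppxPackage exposes, collected in a form that can be compared against an approved baseline. This is an added example, not part of the Microsoft guidance. Assumptions: the baseline hashtable at the end is a constructed sample, not an organisational requirement.

```powershell
# Added example, not from the Microsoft guidance: hardware model, OS version and
# installed app versions for FPT_TUD_EXT.1 version queries. The baseline is a constructed sample.

function Get-DeviceVersionReport {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        OSCaption    = $os.Caption
        OSVersion    = $os.Version        # 10.0.14393 on the Anniversary Update
        OSBuild      = $os.BuildNumber
    }
}

# Installed packaged apps with the version as a comparable [version] object.
# -AllUsers covers every profile on the device and needs an elevated session.
function Get-InstalledAppVersions {
    param([switch]$AllUsers)
    $pkgs = if ($AllUsers) { Get-AppxPackage -AllUsers } else { Get-AppxPackage }
    $pkgs | ForEach-Object {
        [pscustomobject]@{
            Name         = $_.Name
            Version      = [version]$_.Version
            Publisher    = $_.Publisher
            Architecture = $_.Architecture
        }
    }
}

# Compare what is installed against minimum approved versions. When the same package is
# present for several architectures the newest copy is the one judged.
function Compare-AppBaseline {
    param([Parameter(Mandatory)][hashtable]$MinimumVersions)
    $installed = Get-InstalledAppVersions
    foreach ($name in $MinimumVersions.Keys) {
        $required = [version]$MinimumVersions[$name]
        $app = $installed | Where-Object Name -eq $name |
               Sort-Object Version -Descending | Select-Object -First 1
        [pscustomobject]@{
            Name      = $name
            Installed = if ($app) { $app.Version } else { $null }
            Required  = $required
            Compliant = [bool]($app -and $app.Version -ge $required)
        }
    }
}

Get-DeviceVersionReport

# Constructed sample baseline; replace with the organisation's approved versions.
Compare-AppBaseline -MinimumVersions @{ 'Microsoft.WindowsStore' = '11610.1001.0.0' } | Format-Table -AutoSize
```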

16.3 Windows 10 Mobile

16.3.1 User Guidance

To determine the hardware model and operating system version:

Go to Settings -> System -> About
The hardware model and operating system version will be displayed on this page.

The following steps describe how to determine the version of apps on the device:

1. Open the app
2. Tap More…, then tap Settings.
3. The version of the app will be displayed on this page.

17 Locking a Device (AGD1: FMT_SMF_EXT.1(8)) (AGD1: FTA_SSL_EXT.1) (AGD1: FMT_SMF_EXT.1(2))

This section contains the following Common Criteria SFRs:

Extended: TSF and User initiated Locked State (FTA_SSL_EXT.1)
Specifications of Management Functions (FMT_SMF_EXT.1)

17.1 IT Administrator Guidance

Device locking policies can be managed on Windows 10 (Anniversary Update) devices using an MDM. See the MDM solution documentation for detailed configuration actions.

17.2 Windows 10

17.2.1 Local Administrator Guidance

The following Technet topics include guidance for administrators to open the Local Group Policy Editor tool or the Group Policy Management Console, respectively, that are used to configure the Windows security policy for standalone or domain-joined machines:

Local Group Policy Editor: http://technet.microsoft.com/en-us/library/dn265982.aspx
Group Policy Management Console: http://technet.microsoft.com/en-us/library/dn265969.aspx

The inactivity time period for TSF-initiated session locking is configured by the administrator via Windows security policy. The relevant security policy is “Interactive logon: Machine inactivity limit” as described in the following Technet topic in the section heading titled “New and changed functionality”:

Security Policy Settings Overview: http://technet.microsoft.com/en-us/library/2fdcbb11-8037-45b1-9015-665393268e36

17.2.2 User Guidance

To configure screen lock timeout (AGD5: FIA_UAU_EXT.3) (AGD1: FTA_SSL_EXT.1):

Go to Settings -> System -> Power & sleep -> Additional power settings -> Change when the computer sleeps

To initiate a session lock (AGD6: FIA_UAU_EXT.3):


Tap the Start menu, tap the account picture, click Lock.

17.3 Windows 10 Mobile (AGD5: FIA_UAU_EXT.3) (AGD1: FTA_SSL_EXT.1)

17.3.1 User Guidance

The following help topic describes how to configure the TSF to use (set or change) a Password Authentication Factor:

- How do I set or change a password on my phone?: http://www.windowsphone.com/en-us/how-to/wp8/settings-and-personalization/lock-screen-faq

Additionally, the “Require a password after” setting must be configured with the value “each time”.

The device may be commanded to transition to the locked state by configuring the inactivity interval as above and then pressing the button to power off the device such that the lock screen will be presented and the password will be required when the button is pressed to turn the device back on.

To manage notifications in the locked state go to Settings -> System -> Lock Screen, Choose an app to show detailed status and Choose apps to show quick status.

17.4 Managing Notifications Prior to Unlocking a Device (AGD1: FMT_SMF_EXT.1(36)) (AGD1: FTA_TAB.1)

This section contains the following Common Criteria SFRs:

Default TOE Access Banners (FTA_TAB.1)
Specifications of Management Functions (FMT_SMF_EXT.1)

17.4.1 IT Administrator Guidance

The following MSDN topic describes the LockscreenWallpaper policy the IT administrator may use to manage notifications prior to unlocking enrolled devices:

EnterpriseAssignedAccess CSP: https://msdn.microsoft.com/en-us/library/mt157024(v=vs.85).aspx

17.4.2 Windows 10

17.4.2.1 Local Administrator Guidance

The following TechNet topics describe how to configure notifications prior to unlocking devices:


Interactive logon: Message title for users attempting to log on: http://technet.microsoft.com/en-us/library/cc778393(v=ws.10).aspx
Interactive logon: Message text for users attempting to log on: http://technet.microsoft.com/en-us/library/cc779661(v=WS.10).aspx
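Sections 12.3.2.1 and 17.2.1 set the “Interactive logon: Machine inactivity limit” security option and section 17.4.2.1 sets the two “Interactive logon: Message …” options, all through the Group Policy editors. The following script, an added example that is not part of the Microsoft guidance, reads and sets the same three options from PowerShell on a standalone machine so the effective values can be verified after policy has applied. Assumptions: these options are assumed to be stored as the registry values InactivityTimeoutSecs, LegalNoticeCaption and LegalNoticeText under the Policies\System key, which is where the Local Security Policy snap-in writes them; the 599940-second upper bound is the option's documented maximum as I recall it; on a domain-joined machine a GPO overwrites these values at the next refresh, so set them through the GPO there.

```powershell
# Added example, not from the Microsoft guidance: audit and set the three "Interactive
# logon" security options from sections 12.3.2.1, 17.2.1 and 17.4.2.1. Run elevated.
# Assumptions: registry storage under Policies\System as named below; 599940 as the maximum.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-InteractiveLogonPolicy {
    $p = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{
        InactivityLimitSeconds = if ($null -ne $p.InactivityTimeoutSecs) { [int]$p.InactivityTimeoutSecs } else { 0 }
        BannerTitle            = [string]$p.LegalNoticeCaption
        BannerText             = [string]$p.LegalNoticeText
    }
}

function Set-InteractiveLogonPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 0 disables the limit (no TSF-initiated lock); otherwise seconds of inactivity.
        [ValidateRange(0, 599940)][int]$InactivityLimitSeconds,
        [string]$BannerTitle,
        [string]$BannerText
    )
    if (-not $PSCmdlet.ShouldProcess($PolicyKey, 'Set interactive logon options')) { return }
    if ($PSBoundParameters.ContainsKey('InactivityLimitSeconds')) {
        Set-ItemProperty -Path $PolicyKey -Name InactivityTimeoutSecs -Value $InactivityLimitSeconds -Type DWord
    }
    if ($PSBoundParameters.ContainsKey('BannerTitle')) {
        Set-ItemProperty -Path $PolicyKey -Name LegalNoticeCaption -Value $BannerTitle -Type String
    }
    if ($PSBoundParameters.ContainsKey('BannerText')) {
        Set-ItemProperty -Path $PolicyKey -Name LegalNoticeText -Value $BannerText -Type String
    }
}

# Compliance check: the device locks after at most $MaxInactivitySeconds and shows a banner.
function Test-InteractiveLogonPolicy {
    param([int]$MaxInactivitySeconds = 900)
    $p = Get-InteractiveLogonPolicy
    [pscustomobject]@{
        LockTimeoutConfigured = ($p.InactivityLimitSeconds -gt 0 -and $p.InactivityLimitSeconds -le $MaxInactivitySeconds)
        BannerConfigured      = (-not [string]::IsNullOrWhiteSpace($p.BannerTitle) -and
                                 -not [string]::IsNullOrWhiteSpace($p.BannerText))
    }
}

# Preview a 15-minute lock and a placeholder banner; drop -WhatIf to apply.
Set-InteractiveLogonPolicy -InactivityLimitSeconds 900 -BannerTitle 'Authorised use only' `
    -BannerText 'Placeholder banner text.' -WhatIf
Get-InteractiveLogonPolicy
Test-InteractiveLogonPolicy
```

A value of 0 for the inactivity limit is the failure mode to watch for in an audit: it is the out-of-box state and means no TSF-initiated lock occurs at all.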

18 Managing Airplane Mode (AGD1: FMT_SMF_EXT.1(4))

This section contains the following Common Criteria SFRs:

Specifications of Management Functions (FMT_SMF_EXT.1)

When airplane mode is on, wireless connections, cellular voice, cellular protocols, and messaging functionality will not work on the device.

18.1 Windows 10

18.1.1 User Guidance

To enable/disable airplane mode go to Settings -> Network & Internet -> Airplane Mode.

18.2 Windows 10 Mobile

18.2.1 User Guidance

To enable/disable airplane mode go to Settings -> Network & Wireless -> Airplane Mode.

19 Managing Device Enrollment (AGD1: FMT_SMF_EXT.1(15)) (AGD1: FMT_SMF_EXT.1(28))

This section contains the following Common Criteria SFRs:

Specifications of Management Functions (FMT_SMF_EXT.1)
Extended: Specification of Remediation Actions (FMT_SMF_EXT.2)

Unenrollment from the MDM solution performs the remediation actions of:

alert the administrator
remove Enterprise applications

19.1 IT Administrator Guidance

Remote unenrollment can be accomplished on Windows 10 (Anniversary Update) devices using an MDM. See the MDM solution documentation for detailed configuration actions.

19.2 Windows 10

19.2.1 Local Administrator Guidance

To enroll for management do the following:

Go to Settings -> Accounts -> Access work or school
Tap the Connect button
Fill in the user account credentials provided by your IT administrator

To unenroll from device management do the following:

Go to Settings -> Accounts -> Access work or school
Tap the Remove button that is displayed when the enrollment setting is selected, and then confirm the Remove operation

The user determines whether the device is enrolled by looking at the Access work or school page of the Accounts settings. If the device is enrolled, the enrollment setting is indicated by the name established by your IT administrator and the account name provided by your IT administrator that was used to enroll the device. Tapping the enrollment setting reveals the Info and Remove buttons, which may be used to synchronize device management settings, inspect Access work or school enrollment settings, or remove the device from enrollment.

19.3 Windows 10 Mobile

19.3.1 User Guidance

To enroll for management do the following:

Go to Settings -> Accounts -> Access work or school
Tap the Connect button
Fill in the user account credentials provided by your IT administrator


To unenroll from device management do the following:

Go to Settings -> Accounts -> Access work or school
Tap the Remove button that is displayed when the enrollment setting is selected, and then confirm the Remove operation

The user determines whether the device is enrolled by looking at the Access work or school page of the Accounts settings. If the device is enrolled, the enrollment setting is indicated by the name established by your IT administrator and the account name provided by your IT administrator that was used to enroll the device. Tapping the enrollment setting reveals the Info and Remove buttons, which may be used to synchronize device management settings, inspect Access work or school enrollment settings, or remove the device from enrollment.

20 Managing Updates (AGD1: FMT_SMF_EXT.1(17)) (AGD1: FPT_TUD_EXT.1)

Windows 10 (Anniversary Update) applications include metadata that is installed with the application by the Windows Installer and the Store App installer. The application metadata includes version information that prevents the Windows Installer and the Store App installer from updating an installed application with an older version.

Update packages downloaded by Windows Update for Windows 10 (Anniversary Update) are signed with the Microsoft Root Certificate Authority to prove their authenticity and integrity. This signature is checked on the mobile device before installing any of the product updates contained in a given package in order to verify the updates have not been altered since they were digitally signed. If the signature is incorrect, then the update operation will fail. Otherwise, if the signature is correct then the update operation will proceed.
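The two checks section 20 describes, a signature that chains to the Microsoft Root Certificate Authority and a version that is newer than what is installed, can be reproduced by an administrator before installing a package manually, for instance one obtained out of band. This is an added example and not part of the Microsoft guidance or of the Windows Update implementation it describes. Assumptions: Get-AuthenticodeSignature is used for the signature check and the root is matched by its subject name; the file path and version numbers in the usage lines are placeholders.

```powershell
# Added example, not from the Microsoft guidance: signature-to-Microsoft-root check and
# no-downgrade check for a package before manual installation.
# Assumptions: Get-AuthenticodeSignature for the check; root matched by subject name;
# placeholder path and versions.

function Test-UpdatePackageSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status 'Valid' already means the chain ends at a trusted root. Build the chain
    # again only to find out which root, since the text requires Microsoft's.
    $rootSubject = ''
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        [void]$chain.Build($sig.SignerCertificate)
        $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
    $isMicrosoftRoot = $rootSubject -like '*Microsoft Root Certificate Authority*'

    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Root          = $rootSubject
        MicrosoftRoot = $isMicrosoftRoot
        Acceptable    = ($sig.Status -eq 'Valid' -and $isMicrosoftRoot)
    }
}

# The no-downgrade rule from the text: a candidate must be strictly newer than what is
# installed. [version] compares all four components numerically, so '1.10.0.0' > '1.9.0.0'.
function Test-IsUpgrade {
    param(
        [Parameter(Mandatory)][version]$Installed,
        [Parameter(Mandatory)][version]$Candidate
    )
    $Candidate -gt $Installed
}

Test-UpdatePackageSignature -Path 'C:\Updates\example-update.cab'   # placeholder path
Test-IsUpgrade -Installed '1.2.3.0' -Candidate '1.2.2.0'             # $false: a downgrade
Test-IsUpgrade -Installed '1.2.3.0' -Candidate '1.3.0.0'             # $true
```

A HashMismatch status is the case the text's “altered since they were digitally signed” sentence refers to: the signature is present and the signer may even be Microsoft, but the file content no longer matches what was signed, and the package must be rejected.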

20.1 IT Administrator Guidance

Windows update policies can be managed on Windows 10 (Anniversary Update) devices using an MDM. See the MDM solution documentation for detailed configuration actions.

20.2 Windows 10

20.2.1 Local Administrator Guidance

The local administrator manages System Updates using the following settings interface:

Go to Settings -> Update & security -> Windows Update


21 Managing Collection Devices (AGD1: FMT_SMF_EXT.1(5))

This section contains the following Common Criteria SFRs:

Specifications of Management Functions (FMT_SMF_EXT.1)

21.1 IT Administrator Guidance

The camera may be enabled/disabled on the TOE by using a Mobile Device Management (MDM) solution. See the MDM solution documentation for detailed configuration actions.

The microphone may be enabled/disabled on Windows 10 Mobile by using a Mobile Device Management (MDM) solution. See the MDM solution documentation for detailed configuration actions.

21.2 Windows 10

21.2.1 Local Administrator Guidance

The local administrator disables/enables the camera for all users by disabling all subnodes under the “Imaging devices” node in the Device Manager.

To start the Device Manager, type “Device Manager” in the taskbar searchbox and click on the Device Manager icon.

The local administrator disables/enables the microphone for all users by the following procedures:

1. On the desktop right-click on the Start button and click the Control Panel menu item.
2. Type “Sound” and choose “Manage audio devices” from the list to open the Sound window.
3. In the Sound window click the “Recording” tab.
4. On the Recording tab right-click the Microphone item(s) and select the “Disable” menu item.

Note: to reverse this step the “Show Disabled Devices” menu item should be selected.

22 Managing USB (AGD1: FMT_SMF_EXT.1(22))

This section contains the following Common Criteria SFRs:


Specifications of Management Functions (FMT_SMF_EXT.1)

22.1 IT Administrator Guidance

MDM solutions are capable of managing USB connectivity on Windows 10 Mobile devices. See the MDM solution documentation for detailed configuration actions.

22.2 Windows 10

22.2.1 Local Administrator Guidance

The local administrator may also disable USB in the Device Manager application by right-clicking the USB Root Hub child node in the Universal Serial Bus controllers node and selecting the Properties menu item to open the USB Root Hub Properties window. The local administrator then clicks the Driver tab in the USB Root Hub Properties window and clicks the Disable button.
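The Device Manager procedures in sections 21.2.1 (imaging devices and microphones) and 22.2.1 (USB root hubs) put devices into the same disabled state that the PnpDevice cmdlets produce, so they can be scripted and audited. The following is an added example, not part of the Microsoft guidance. Assumptions: the device classes Image, AudioEndpoint and USB and the friendly-name patterns “Microphone*” and “USB Root Hub*” are assumed to match what Get-PnpDevice reports on Windows 10 hardware; check the inventory output before disabling anything.

```powershell
# Added example, not from the Microsoft guidance: inventory, disable and re-enable the
# collection devices and USB root hubs from sections 21.2.1 and 22.2.1. Run elevated.
# Assumptions: class names and friendly-name patterns as noted in the lead-in.

function Get-CollectionDevices {
    # Cameras enumerate under the Image class (Device Manager's "Imaging devices");
    # microphones are audio endpoints whose friendly name starts with "Microphone";
    # the USB root hubs sit under the USB class.
    $cams = Get-PnpDevice -Class Image -ErrorAction SilentlyContinue
    $mics = Get-PnpDevice -Class AudioEndpoint -ErrorAction SilentlyContinue |
                Where-Object FriendlyName -like 'Microphone*'
    $hubs = Get-PnpDevice -Class USB -ErrorAction SilentlyContinue |
                Where-Object FriendlyName -like 'USB Root Hub*'
    @($cams) + @($mics) + @($hubs) | Where-Object { $_ } |
        Select-Object Class, FriendlyName, InstanceId, Status
}

function Set-CollectionDevicesState {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled')][string]$State)

    foreach ($dev in Get-CollectionDevices) {
        if (-not $PSCmdlet.ShouldProcess($dev.FriendlyName, $State)) { continue }
        if ($State -eq 'Disabled') {
            Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
        } else {
            Enable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
        }
    }
}

# Report: after disabling, Status should read Error (code 22, disabled) rather than OK.
function Test-CollectionDevicesDisabled {
    $devices = Get-CollectionDevices
    [pscustomobject]@{
        Total        = @($devices).Count
        StillEnabled = @($devices | Where-Object Status -eq 'OK').Count
    }
}

Get-CollectionDevices | Format-Table -AutoSize
# Caveat: on a machine whose keyboard and mouse are USB, disabling the root hubs also
# removes local input. Preview first; drop -WhatIf to apply, -State Enabled to reverse.
Set-CollectionDevicesState -State Disabled -WhatIf
Test-CollectionDevicesDisabled
```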

23 Managing Backup (AGD1: FMT_SMF_EXT.1(40))

This section contains the following Common Criteria SFRs:

Specifications of Management Functions (FMT_SMF_EXT.1)

23.1 Windows 10

23.1.1 Local Administrator Guidance

The following policy setting in the Group Policy Editor can be used to disable Sync your settings:

“Do not sync” policy located at Computer Configuration\Administrative Templates\Windows Components\Sync your settings

In addition to enabling the policy, ensure the “Allow user to turn syncing on” option is unchecked.

23.2 Windows 10 and Windows 10 Mobile

23.2.1 User Guidance

To configure OneDrive to sync settings: Settings -> Accounts -> Sync your settings.


24 Managing Enterprise Apps (AGD1: FMT_SMF_EXT.1(19)) (AGD1: FPT_TUD_EXT.2)

This section contains the following Common Criteria SFRs:

Specifications of Management Functions (FMT_SMF_EXT.1(19))
Extended: Trusted Update Verification (FPT_TUD_EXT.2)

Enterprise organizations may deploy line-of-business applications on devices configured for enterprise apps. In addition to configuring the enterprise apps policy the organization must deploy the digital signature certificate associated with their LOB apps as a trusted root certificate for enrolled devices as described in section 14 Managing Certificates. (AGD1: FPT_TUD_EXT.2)

24.1 IT Administrator Guidance

App policies can be managed on Windows 10 (Anniversary Update) devices using an MDM. See the MDM solution documentation for detailed configuration actions.

24.2 User Guidance

The following TechNet topic describes how to configure Enterprise apps:

Sideload LOB apps in Windows 10: https://technet.microsoft.com/en-us/itpro/windows/deploy/sideload-apps-in-windows-10

25 Managing Developer Mode (AGD1: FMT_SMF_EXT.1(24))

This section contains the following Common Criteria SFRs:

Specifications of Management Functions (FMT_SMF_EXT.1)
Extended: Trusted Update Verification (FPT_TUD_EXT.2)

Developer Mode allows installation of test-signed applications. When developer mode is enabled the TOE trusts valid app digital signatures. (FMT_SMF_EXT.1(33)) (AGD1: FPT_TUD_EXT.2)

25.1 IT Administrator Guidance

Developer mode policies can be managed on Windows 10 (Anniversary Update) devices using an MDM. See the MDM solution documentation for detailed configuration actions.


25.2 Windows 10

25.2.1 Local Administrator Guidance

Developer mode is configured by the administrator via Windows security policy.

Enable your device for development: https://msdn.microsoft.com/en-us/windows/uwp/get-started/enable-your-device-for-development
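Because Developer Mode widens what the TOE accepts as a valid app signature (section 25), an administrator will want to confirm it is off on evaluated devices, not just read the Settings page. The following is an added example, not part of the Microsoft guidance. Assumptions: the Settings page's “Developer mode” and “Sideload apps” choices are assumed to be stored as the AllowDevelopmentWithoutDevLicense and AllowAllTrustedApps values under the AppModelUnlock key, with 1 meaning on; a Group Policy or MDM policy for developer mode takes precedence over these local values.

```powershell
# Added example, not from the Microsoft guidance: audit and turn off Developer Mode.
# Assumptions: AppModelUnlock registry storage as named below; policy overrides it. Run elevated.

$DevKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'

function Get-DeveloperModeState {
    $p = Get-ItemProperty -Path $DevKey -ErrorAction SilentlyContinue
    # A missing value reads as 0, i.e. off, which is the out-of-box state.
    [pscustomobject]@{
        DeveloperMode = ([int]$p.AllowDevelopmentWithoutDevLicense -eq 1)
        Sideloading   = ([int]$p.AllowAllTrustedApps -eq 1)
        Compliant     = ([int]$p.AllowDevelopmentWithoutDevLicense -ne 1)
    }
}

function Disable-DeveloperMode {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Also turn off sideloading of LOB apps; leave it on where section 24 applies.
        [switch]$IncludeSideloading
    )
    if (-not $PSCmdlet.ShouldProcess($DevKey, 'Turn off Developer mode')) { return }
    if (-not (Test-Path -Path $DevKey)) { New-Item -Path $DevKey -Force | Out-Null }
    Set-ItemProperty -Path $DevKey -Name AllowDevelopmentWithoutDevLicense -Value 0 -Type DWord
    if ($IncludeSideloading) {
        Set-ItemProperty -Path $DevKey -Name AllowAllTrustedApps -Value 0 -Type DWord
    }
}

Get-DeveloperModeState
Disable-DeveloperMode -WhatIf   # drop -WhatIf to apply
```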

26 Managing Cryptographic Algorithms (AGD1: FCS_CKM.1) (AGD1: FCS_STG_EXT.1) (AGD2: FCS_STG_EXT.1) (AGD3: FCS_STG_EXT.1) (AGD1: FMT_SMF_EXT.1(11)) (AGD1: FMT_SMF_EXT.1(12))

This guidance applies to both Windows 10 and Windows 10 Mobile.

No configuration is required to use the random number generator algorithms. (AGD1: FCS_RGB.1)

There is no global configuration for hashing algorithms. The use of required hash sizes is supported and global configuration is not needed.

There is no global configuration for key generation schemes. The use of required key generation schemes is supported and global configuration is not needed.

There is no global configuration for key establishment schemes. The use of required key establishment schemes is supported and global configuration is not needed.

Keys may be imported by apps using the Certificates.CertificateEnrollmentManager.ImportPfxDataAsync API. The following link provides the documentation for the API:

https://msdn.microsoft.com/en-us/library/windows/apps/windows.security.cryptography.certificates.certificateenrollmentmanager.importpfxdataasync.aspx

Keys are destroyed by wiping the device; see the Managing Wipe section of this document.

Cryptographic Algorithm Validation Program (CAVP) testing was performed on the Windows 10 (Anniversary Update) system cryptographic engine. Other cryptographic engines may have been separately evaluated but were not part of this CC evaluation.

27 Managing GPS (AGD1: FMT_SMF_EXT.1(4))

27.1 IT Administrator Guidance

GPS may be enabled/disabled on the TOE by using a Mobile Device Management (MDM) solution. See the MDM solution documentation for detailed configuration actions.

28 Managing Location Services (AGD1: FMT_SMF_EXT.1(44))

28.1 IT Administrator Guidance

Location Services may be enabled/disabled on the TOE by using a Mobile Device Management (MDM) solution. See the MDM solution documentation for detailed configuration actions.

28.2 Windows 10

28.2.1 Local Administrator Guidance

The location service is configured by the administrator via Windows security policy. The relevant security policy is “Local Computer Policy\Administrative Templates\Windows Components\Location and Sensors\Turn off location”. The following TechNet topic includes guidance for administrators on opening the Local Group Policy Editor tool (or the Group Policy Management Console) that is used to configure the Windows security policy:

Local Group Policy Editor: http://technet.microsoft.com/en-us/library/dn265982.aspx

29 Managing Wi-Fi

29.1 IT Administrator Guidance(AGD1: FMT_SMF_EXT.1(4))

Wi-Fi may be enabled/disabled on the TOE by using a Mobile Device Management (MDM) solution. See the MDM solution documentation for detailed configuration actions.

30 Managing Wireless Networks (SSIDs)

30.1 IT Administrator Guidance(AGD1: FMT_SMF_EXT.1(6))

Wi-Fi SSIDs may be configured on the TOE by using a Mobile Device Management (MDM) solution. See the MDM solution documentation for detailed configuration actions.

30.2 Windows 10

30.2.1 Local Administrator Guidance

Wireless networks (SSIDs) may be enabled/disabled by the Local Administrator by disabling the Wi-Fi network adapter, as described in the following TechNet topic:

Disable-NetAdapter: https://technet.microsoft.com/en-us/library/jj130903.aspx

31 Managing Personal Hotspots

31.1 IT Administrator Guidance(AGD1: FMT_SMF_EXT.1(23))

Sharing a personal hotspot may be enabled/disabled on the TOE by using a Mobile Device Management (MDM) solution. See the MDM solution documentation for detailed configuration actions.

31.2 Windows 10

31.2.1 Local Administrator Guidance

Personal hotspots may be enabled/disabled by the Local Administrator by disabling the Wi-Fi network adapter, as described in the following TechNet topic:

Disable-NetAdapter: https://technet.microsoft.com/en-us/library/jj130903.aspx

32 Managing Mobile Broadband

32.1 IT Administrator Guidance(AGD1: FMT_SMF_EXT.1(4))

Mobile broadband may be enabled/disabled by using a Mobile Device Management (MDM) solution. See the MDM solution documentation for detailed configuration actions.

33 Managing Cellular Protocols (AGD1: FMT_SMF_EXT.1(31))

33.1 Windows 10 Mobile

33.1.1 IT Administrator Guidance

Cellular protocols may be enabled/disabled on Windows 10 Mobile by using a Mobile Device Management (MDM) solution. See the MDM solution documentation for detailed configuration actions.

33.2 Windows 10

33.2.1 Local Administrator Guidance

The local administrator enables/disables cellular protocols for all users by disabling all cellular sub-nodes under the “Network adapters” node in Device Manager.

To start Device Manager, type “Device Manager” in the taskbar search box and click the Device Manager icon.
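The local-administrator steps in sections 28.2.1 (location policy), 30.2.1 and 31.2.1 (Wi-Fi adapter) and 33.2.1 (cellular adapters in Device Manager) can all be carried out from an elevated PowerShell session. The block below is an added example, not Microsoft's code. It assumes that Get-NetAdapter reports Wi-Fi and mobile-broadband adapters with the PhysicalMediaType strings 'Native 802.11' and 'Wireless WAN', that disabling the adapter with Disable-NetAdapter has the same effect as disabling the device node in Device Manager, and that the “Turn off location” policy is stored as the DisableLocation DWORD under the LocationAndSensors policy key.

```powershell
# Added example, not Microsoft's code: lock down radios and location from
# PowerShell. Assumptions: Wi-Fi and cellular adapters are recognised by the
# PhysicalMediaType strings below; Disable-NetAdapter disables the same device
# node that Device Manager shows under "Network adapters"; "Turn off location"
# is stored as the DisableLocation DWORD under the policy key below. Run elevated.

$MediaType = @{ WiFi = 'Native 802.11'; Cellular = 'Wireless WAN' }
$LocationPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'

function Get-RadioAdapter {
    param([Parameter(Mandatory)][ValidateSet('WiFi', 'Cellular')][string]$Kind)
    Get-NetAdapter | Where-Object { $_.PhysicalMediaType -eq $MediaType[$Kind] }
}

function Set-RadioAdapterState {
    param([Parameter(Mandatory)][ValidateSet('WiFi', 'Cellular')][string]$Kind, [switch]$Enable)
    foreach ($adapter in Get-RadioAdapter -Kind $Kind) {
        if ($Enable) { Enable-NetAdapter  -Name $adapter.Name -Confirm:$false }
        else         { Disable-NetAdapter -Name $adapter.Name -Confirm:$false }
    }
    # Re-query so the caller sees the resulting Status (Up/Disabled), not a cached object.
    Get-RadioAdapter -Kind $Kind | Select-Object Name, InterfaceDescription, Status
}

function Get-LocationServicePolicy {
    $v = (Get-ItemProperty -Path $LocationPolicy -Name DisableLocation -ErrorAction SilentlyContinue).DisableLocation
    if ($v -eq 1) { 'TurnedOffByPolicy' } else { 'NotConfigured' }
}

function Set-LocationServicePolicy {
    param([switch]$TurnOff)
    if ($TurnOff) {
        New-Item -Path $LocationPolicy -Force | Out-Null
        New-ItemProperty -Path $LocationPolicy -Name DisableLocation -PropertyType DWord -Value 1 -Force | Out-Null
    } else {
        Remove-ItemProperty -Path $LocationPolicy -Name DisableLocation -ErrorAction SilentlyContinue
    }
    Get-LocationServicePolicy
}

# Lockdown: disable both radios and turn off location, then report the result.
$report = [pscustomobject]@{
    WiFi     = (Set-RadioAdapterState -Kind WiFi)     | Out-String
    Cellular = (Set-RadioAdapterState -Kind Cellular) | Out-String
    Location = Set-LocationServicePolicy -TurnOff
}
$report | Format-List
```

Writing the DisableLocation value directly gives the same effect as setting the policy in the Local Group Policy Editor, but it does not record the setting in the local GPO store; an administrator who later sets the policy to Not Configured or Disabled in the editor will overwrite it. Where the setting must survive such edits, set it through the editor or Group Policy as the guidance describes, and use the functions above to verify.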

34 Managing Health Attestation (AGD1: FPT_NOT_EXT.1) (AGD2: FPT_NOT_EXT.1)

This section contains the following Common Criteria SFRs:

Extended: Self-Test Event Notification by Attestation (FPT_NOT_EXT.1(ATTEST))

34.1 IT Administrator Guidance

Health attestation policies can be managed to determine the health of enrolled Windows 10 (Anniversary Update) devices using an MDM. See the MDM solution documentation for detailed configuration actions.

The device creates a Health Attestation log every time the system boots. The Health Attestation logs are found in the following directory:

%windir%\Logs\MeasuredBoot

The contents of the Health Attestation logs may be viewed on or off the TOE using the “TPM Platform Crypto-Provider Toolkit” that can be downloaded from the following link:

TPM Platform Crypto-Provider Toolkit : http://research.microsoft.com/en-us/downloads/74c45746-24ad-4cb7-ba4b-0c6df2f92d5d/
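The toolkit above decodes these logs; the following added example (not part of the Microsoft guidance or the toolkit) shows what a decoder does, so that the contents can be checked without it. It parses a Measured Boot log as a raw TCG PC Client event log, in either the SHA1 format or the crypto-agile format that begins with a “Spec ID Event03” header, and replays the digests into the PCR values an attestation service would expect to see in a TPM quote. It assumes the session is elevated (the directory is restricted to administrators), that the PCRs start from all zeros, and that EV_NO_ACTION events are informational and never extended, as the TCG specification states.

```powershell
# Added example, not part of the Microsoft guidance: parse a TCG event log from
# %windir%\Logs\MeasuredBoot and replay it into expected PCR values.
# Assumptions: the file is a raw TCG PC Client event log (SHA1 format, or
# crypto-agile with a leading "Spec ID Event03" header); PCRs start at zero;
# EV_NO_ACTION events are never extended. Run elevated.

$EventTypeNames = @{                        # keyed by the event type as 8 hex digits
    '00000003' = 'EV_NO_ACTION';  '00000004' = 'EV_SEPARATOR'
    '00000006' = 'EV_EVENT_TAG';  '00000008' = 'EV_S_CRTM_VERSION'
    '80000001' = 'EV_EFI_VARIABLE_DRIVER_CONFIG'
    '80000002' = 'EV_EFI_VARIABLE_BOOT'
    '80000003' = 'EV_EFI_BOOT_SERVICES_APPLICATION'
    '80000004' = 'EV_EFI_BOOT_SERVICES_DRIVER'
    '80000007' = 'EV_EFI_ACTION'; '800000E0' = 'EV_EFI_VARIABLE_AUTHORITY'
}
$AlgNames = @{ 4 = 'SHA1'; 11 = 'SHA256'; 12 = 'SHA384'; 13 = 'SHA512' }   # TPM_ALG_ID values

function Read-TcgEventLog {
    param([Parameter(Mandatory)][string]$Path)
    $b = [IO.File]::ReadAllBytes($Path)
    $pos = 0
    $digestSizes = $null   # stays $null for SHA1-format logs
    $events = New-Object System.Collections.Generic.List[object]
    while ($pos + 8 -le $b.Length) {
        $pcr  = [int][BitConverter]::ToUInt32($b, $pos); $pos += 4
        $type = '{0:X8}' -f [BitConverter]::ToUInt32($b, $pos); $pos += 4
        $digests = [ordered]@{}
        if ($null -eq $digestSizes) {
            # TCG_PCClientPCREvent: a single 20-byte SHA1 digest
            if ($pos + 20 -gt $b.Length) { break }
            $digests['SHA1'] = [BitConverter]::ToString($b, $pos, 20) -replace '-', ''
            $pos += 20
        } else {
            # TCG_PCR_EVENT2: digest count, then (TPM_ALG_ID, digest) pairs
            $count = [BitConverter]::ToUInt32($b, $pos); $pos += 4
            for ($i = 0; $i -lt $count; $i++) {
                $alg = [int][BitConverter]::ToUInt16($b, $pos); $pos += 2
                if (-not $digestSizes.ContainsKey($alg)) { throw "Unknown TPM_ALG_ID $alg at offset $pos" }
                $size = $digestSizes[$alg]
                $name = if ($AlgNames.ContainsKey($alg)) { $AlgNames[$alg] } else { "ALG_$alg" }
                $digests[$name] = [BitConverter]::ToString($b, $pos, $size) -replace '-', ''
                $pos += $size
            }
        }
        if ($pos + 4 -gt $b.Length) { break }
        $dataSize  = [int][BitConverter]::ToUInt32($b, $pos); $pos += 4
        $dataStart = $pos
        $pos += $dataSize
        if ($pos -gt $b.Length) { throw "Truncated event at offset $dataStart" }
        # A leading EV_NO_ACTION "Spec ID Event03" header declares the digest
        # algorithms and sizes carried by every following event.
        if ($events.Count -eq 0 -and $type -eq '00000003' -and $dataSize -ge 28 -and
            [Text.Encoding]::ASCII.GetString($b, $dataStart, 15) -eq 'Spec ID Event03') {
            $numAlgs = [BitConverter]::ToUInt32($b, $dataStart + 24)
            $digestSizes = @{}
            for ($i = 0; $i -lt $numAlgs; $i++) {
                $id = [int][BitConverter]::ToUInt16($b, $dataStart + 28 + 4 * $i)
                $digestSizes[$id] = [int][BitConverter]::ToUInt16($b, $dataStart + 30 + 4 * $i)
            }
        }
        $events.Add([pscustomobject]@{
            PCR       = $pcr
            EventType = if ($EventTypeNames.ContainsKey($type)) { $EventTypeNames[$type] } else { "0x$type" }
            Digests   = $digests
            DataSize  = $dataSize
        })
    }
    return ,$events
}

function ConvertFrom-HexString([string]$Hex) {
    [byte[]]$out = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $out.Length; $i++) { $out[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16) }
    return ,$out
}

function Get-ExpectedPcrValues {
    # Replay: PCR_new = H(PCR_old || digest), starting from all-zero PCRs.
    param([Parameter(Mandatory)]$Events, [string]$Algorithm = 'SHA256')
    $h = [Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $pcrs = @{}
    foreach ($e in $Events) {
        if ($e.EventType -eq 'EV_NO_ACTION' -or -not $e.Digests.Contains($Algorithm)) { continue }
        if (-not $pcrs.ContainsKey($e.PCR)) { $pcrs[$e.PCR] = New-Object byte[] ($h.HashSize / 8) }
        $pcrs[$e.PCR] = $h.ComputeHash([byte[]]($pcrs[$e.PCR] + (ConvertFrom-HexString $e.Digests[$Algorithm])))
    }
    $pcrs.Keys | Sort-Object | ForEach-Object {
        [pscustomobject]@{ PCR = $_; Expected = [BitConverter]::ToString($pcrs[$_]) -replace '-', '' }
    }
}

# Usage: decode the newest log (the most recent boot) and show events per PCR
# plus the PCR values a verifier would compare against a TPM quote.
$latest = Get-ChildItem (Join-Path $env:windir 'Logs\MeasuredBoot') -Filter *.log |
          Sort-Object LastWriteTime | Select-Object -Last 1
$events = Read-TcgEventLog -Path $latest.FullName
$events | Group-Object PCR | Sort-Object { [int]$_.Name } | Format-Table Name, Count -AutoSize
Get-ExpectedPcrValues -Events $events -Algorithm 'SHA256' | Format-Table -AutoSize
```

The replayed values are only as trustworthy as the log, which lives on disk and is not protected by the TPM; a health attestation service therefore compares them against a TPM quote over the same PCRs, signed by an attestation key, and treats a mismatch as a tampered or incomplete log rather than a healthy device.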

35 Managing Sensitive Data

35.1 IT Administrator Guidance

Enterprise Data Protection policies can be managed to help protect against accidental data leakage from enrolled employee-owned Windows 10 (Anniversary Update) devices by using an MDM. See the MDM solution documentation for detailed configuration actions.

35.2 Windows 10

35.2.1 Local Administrator Guidance

Enterprise Data Protection policies are applied on enrolled devices; see the section “Managing Device Enrollment” for more information about enrolling devices with an MDM.

35.3 Windows 10 Mobile

35.3.1 User Guidance

Enterprise Data Protection policies are applied on enrolled devices; see the section “Managing Device Enrollment” for more information about enrolling devices with an MDM.

36 Managing USB Mass Storage

36.1 IT Administrator Guidance

USB Mass Storage may be enabled/disabled on the TOE by using a Mobile Device Management (MDM) solution. See the MDM solution documentation for detailed configuration actions.

37 Natively Installed Applications

The set of applications and system files included in the TOE is version 10.0.14393. The following embedded Excel file has the lists of files:
