Windows Security
Windows Security
Windows security
Zero Trust and Windows
Hardware security
Overview
Trusted Platform Module
Trusted Platform Module Overview
TPM fundamentals
How Windows uses the TPM
TPM Group Policy settings
Back up the TPM recovery information to AD DS
View status, clear, or troubleshoot the TPM
Understanding PCR banks on TPM 2.0 devices
TPM recommendations
Hardware-based root of trust
System Guard Secure Launch and SMM protection
Enable virtualization-based protection of code integrity
Kernel DMA Protection
Windows secured-core devices
Operating system security
Overview
System security
Secure the Windows boot process
Trusted Boot
Cryptography and certificate management
The Windows Security app
Virus & threat protection
Account protection
Firewall & network protection
App & browser control
Device security
Device performance & health
Family options
Security policy settings
Security auditing
Encryption and data protection
Encrypted Hard Drive
BitLocker
Overview of BitLocker Device Encryption in Windows
BitLocker frequently asked questions (FAQ)
Overview and requirements
Upgrading
Deployment and administration
Key management
BitLocker To Go
Active Directory Domain Services
Security
BitLocker Network Unlock
General
Prepare your organization for BitLocker: Planning and policies
BitLocker deployment comparison
BitLocker basic deployment
Deploy BitLocker on Windows Server 2012 and later
BitLocker management for enterprises
Enable Network Unlock with BitLocker
Use BitLocker Drive Encryption Tools to manage BitLocker
Use BitLocker Recovery Password Viewer
BitLocker Group Policy settings
BCD settings and BitLocker
BitLocker Recovery Guide
BitLocker Countermeasures
Protecting cluster shared volumes and storage area networks with BitLocker
Troubleshoot BitLocker
Troubleshoot BitLocker
BitLocker cannot encrypt a drive: known issues
Enforcing BitLocker policies by using Intune: known issues
BitLocker Network Unlock: known issues
BitLocker recovery: known issues
BitLocker configuration: known issues
Troubleshoot BitLocker and TPM issues
BitLocker cannot encrypt a drive: known TPM issues
BitLocker and TPM: other known issues
Decode Measured Boot logs to track PCR changes
Configure S/MIME for Windows
Network security
VPN technical guide
VPN connection types
VPN routing decisions
VPN authentication options
VPN and conditional access
VPN name resolution
VPN auto-triggered profile options
VPN security features
VPN profile options
How to configure Diffie Hellman protocol over IKEv2 VPN connections
How to use single sign-on (SSO) over VPN and Wi-Fi connections
Optimizing Office 365 traffic with the Windows VPN client
Windows Defender Firewall
Windows security baselines
Security Compliance Toolkit
Get support
Virus & threat protection
Overview
Microsoft Defender Antivirus
Attack surface reduction rules
Tamper protection
Network protection
Controlled folder access
Exploit protection
Microsoft Defender for Endpoint
Security intelligence
Understand malware & other threats
Prevent malware infection
Malware names
Coin miners
Exploits and exploit kits
Fileless threats
Macro malware
Phishing
Ransomware
Rootkits
Supply chain attacks
Tech support scams
Trojans
Unwanted software
Worms
How Microsoft identifies malware and PUA
Submit files for analysis
Safety Scanner download
Industry collaboration programs
Virus information alliance
Microsoft virus initiative
Coordinated malware eradication
Information for developers
Software developer FAQ
Software developer resources
More Windows security
Override Process Mitigation Options to help enforce app-related security policies
Use Windows Event Forwarding to help with intrusion detection
Block untrusted fonts in an enterprise
Windows Information Protection (WIP)
Create a WIP policy using Microsoft Intune
Create a WIP policy with MDM using the Azure portal for Microsoft Intune
Deploy your WIP policy using the Azure portal for Microsoft Intune
Associate and deploy a VPN policy for WIP using the Azure portal for
Microsoft Intune
Create and verify an EFS Data Recovery Agent (DRA) certificate
Determine the Enterprise Context of an app running in WIP
Create a WIP policy using Microsoft Endpoint Configuration Manager
Create and deploy a WIP policy using Microsoft Endpoint Configuration
Manager
Create and verify an EFS Data Recovery Agent (DRA) certificate
Determine the Enterprise Context of an app running in WIP
Mandatory tasks and settings required to turn on WIP
Testing scenarios for WIP
Limitations while using WIP
How to collect WIP audit event logs
General guidance and best practices for WIP
Enlightened apps for use with WIP
Unenlightened and enlightened app behavior while using WIP
Recommended Enterprise Cloud Resources and Neutral Resources network
settings with WIP
Using Outlook Web Access with WIP
Fine-tune WIP Learning
Application security
Overview
Windows Defender Application Control and virtualization-based protection of code
integrity
Windows Defender Application Control
Microsoft Defender Application Guard
Windows Sandbox
Windows Sandbox architecture
Windows Sandbox configuration
Microsoft Defender SmartScreen overview
Configure S/MIME for Windows
Windows Credential Theft Mitigation Guide Abstract
User security and secured identity
Overview
Windows Hello for Business
Windows credential theft mitigation guide
Enterprise Certificate Pinning
Protect derived domain credentials with Credential Guard
How Credential Guard works
Credential Guard Requirements
Manage Credential Guard
Hardware readiness tool
Credential Guard protection limits
Considerations when using Credential Guard
Credential Guard: Additional mitigations
Credential Guard: Known issues
Protect Remote Desktop credentials with Remote Credential Guard
Technical support policy for lost or forgotten passwords
Access Control Overview
Dynamic Access Control Overview
Security identifiers
Security Principals
Local Accounts
Active Directory Accounts
Microsoft Accounts
Service Accounts
Active Directory Security Groups
Special Identities
User Account Control
How User Account Control works
User Account Control security policy settings
User Account Control Group Policy and registry key settings
Smart Cards
How Smart Card Sign-in Works in Windows
Smart Card Architecture
Certificate Requirements and Enumeration
Smart Card and Remote Desktop Services
Smart Cards for Windows Service
Certificate Propagation Service
Smart Card Removal Policy Service
Smart Card Tools and Settings
Smart Cards Debugging Information
Smart Card Group Policy and Registry Settings
Smart Card Events
Virtual Smart Cards
Understanding and Evaluating Virtual Smart Cards
Get Started with Virtual Smart Cards: Walkthrough Guide
Use Virtual Smart Cards
Deploy Virtual Smart Cards
Evaluate Virtual Smart Card Security
Tpmvscmgr
Cloud services
Overview
Mobile device management
Windows 365 Cloud PCs
Azure Virtual Desktop
Security foundations
Overview
Microsoft Security Development Lifecycle
Microsoft Bug Bounty Program
FIPS 140-2 Validation
Common Criteria Certifications
Windows Privacy
Zero Trust and Windows device health
3/3/2022 • 4 minutes to read • Edit Online
Organizations need a security model that more effectively adapts to the complexity of the modern work
environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data
wherever they’re located. Implementing a Zero Trust model for security helps addresses today's complex
environments.
The Zero Trust principles are:
Verify explicitly . Always authenticate and authorize based on all available data points, including user
identity, location, device health, service or workload, data classification, and monitor anomalies.
Use least-privileged access . Limit user access with just-in-time and just-enough-access, risk-based
adaptive policies, and data protection to help secure data and maintain productivity.
Assume breach . Prevent attackers from obtaining access to minimize potential damage to data and
systems. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive
threat detection to improve defenses.
The Zero Trust concept of verify explicitly applies to the risks introduced by both devices and users. Windows
enables device health attestation and conditional access capabilities, which are used to grant access to
corporate resources.
Conditional access evaluates identity signals to confirm that users are who they say they are before they are
granted access to corporate resources.
Windows 11 supports device health attestation, helping to confirm that devices are in a good state and have not
been tampered with. This capability helps users access corporate resources whether they’re in the office, at
home, or when they’re traveling.
Attestation helps verify the identity and status of essential components and that the device, firmware, and boot
process have not been altered. Information about the firmware, boot process, and software, is used to validate
the security state of the device. This information is cryptographically stored in the security co-processor Trusted
Platform Module (TPM). Once the device is attested, it can be granted access to resources.
Other Resources
Learn more about Microsoft Zero Trust solutions in the Zero Trust Guidance Center.
Windows hardware security
3/3/2022 • 3 minutes to read • Edit Online
Modern threats require modern security with a strong alignment between hardware security and software
security techniques to keep users, data, and devices protected. The operating system alone cannot protect from
the wide range of tools and techniques cybercriminals use to compromise a computer deep inside its silicon.
Once inside, intruders can be difficult to detect while engaging in multiple nefarious activities from stealing
important data to capturing email addresses and other sensitive pieces of information. These new threats call
for computing hardware that is secure down to the very core, including hardware chips and processors.
Microsoft and our partners, including chip and device manufacturers, have worked together to integrate
powerful security capabilities across software, firmware, and hardware.
Trusted Platform Module (TPM) A Trusted Platform Module (TPM) is designed to provide
hardware-based security-related functions and help prevent
unwanted tampering. TPMs provide security and privacy
benefits for system hardware, platform owners, and users.
A TPM chip is a secure crypto-processor that helps with
actions such as generating, storing, and limiting the use of
cryptographic keys. Many TPMs include multiple physical
security mechanisms to make it tamper resistant and
prevent malicious software from tampering with the security
functions of the TPM.
Hardware-based root of trust with Windows Defender To protect critical resources such as Windows authentication,
System Guard single sign-on tokens, Windows Hello, and the Virtual
Trusted Platform Module, a system's firmware and hardware
must be trustworthy.
Windows Defender System Guard helps protect and
maintain the integrity of the system as it starts up and
validate that system integrity has truly been maintained
through local and remote attestation.
Kernel Direct Memory Access (DMA) Protection PCIe hot plug devices such as Thunderbolt, USB4, and
CFexpress allow users to attach new classes of external
peripherals, including graphics cards or other PCI devices, to
their PCs with an experience identical to USB. Because PCI
hot plug ports are external and easily accessible, PCs are
susceptible to drive-by Direct Memory Access (DMA)
attacks. Memory access protection (also known as Kernel
DMA Protection) protects PCs against drive-by DMA attacks
that use PCIe hot plug devices by limiting these external
peripherals from being able to directly copy memory when
the user has locked their PC.
Secured-core PCs Microsoft is working closely with OEM partners and silicon
vendors to build Secured-core PCs that feature deeply
integrated hardware, firmware, and software to ensure
enhanced security for devices, identities, and data.
Applies to
Windows 10
Windows 11
Windows Server 2016 and above
Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A
TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the
use of cryptographic keys. The following topics provide details.
TO P IC DESC RIP T IO N
Trusted Platform Module Overview Provides an overview of the Trusted Platform Module (TPM)
and how Windows uses it for access control and
authentication.
TPM fundamentals Provides background about how a TPM can work with
cryptographic keys. Also describes technologies that work
with the TPM, such as TPM-based virtual smart cards.
TPM Group Policy settings Describes TPM services that can be controlled centrally by
using Group Policy settings.
Back up the TPM recovery information to AD DS For Windows 10, version 1511 and Windows 10, version
1507 only, describes how to back up a computer’s TPM
information to Active Directory Domain Services.
Troubleshoot the TPM Describes actions you can take through the TPM snap-in,
TPM.msc: view TPM status, troubleshoot TPM initialization,
and clear keys from the TPM. Also, for TPM 1.2 and
Windows 10, version 1507 or 1511, or Windows 11,
describes how to turn the TPM on or off.
Understanding PCR banks on TPM 2.0 devices Provides background about what happens when you switch
PCR banks on TPM 2.0 devices.
Applies to
Windows 11
Windows 10
Windows Server 2016
Windows Server 2019
This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for
access control and authentication.
Feature description
Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A
TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes
multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper
with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:
Generate, store, and limit the use of cryptographic keys.
Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is
burned into it.
Help ensure platform integrity by taking and storing security measurements.
The most common TPM functions are used for system integrity measurements and for key creation and use.
During the boot process of a system, the boot code that is loaded (including firmware and the operating system
components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence
for how a system started and to make sure that a TPM-based key was used only when the correct software was
used to boot the system.
TPM-based keys can be configured in a variety of ways. One option is to make a TPM-based key unavailable
outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and
used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If
too many incorrect authorization guesses occur, the TPM will activate its dictionary attack logic and prevent
further authorization value guesses.
Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more
information, consult the TCG Web site.
Automatic initialization of the TPM with Windows
Starting with Windows 10 and Windows 11, the operating system automatically initializes and takes ownership
of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM
management console, TPM.msc . There are a few exceptions, mostly related to resetting or performing a clean
installation on a PC. For more information, see Clear all the keys from the TPM. We're no longer actively
developing the TPM management console beginning with Windows Server 2019 and Windows 10, version
1809.
In certain specific enterprise scenarios limited to Windows 10, versions 1507 and 1511, Group Policy might be
used to back up the TPM owner authorization value in Active Directory. Because the TPM state persists across
operating system installations, this TPM information is stored in a location in Active Directory that is separate
from computer objects.
Practical applications
Certificates can be installed or created on computers that are using the TPM. After a computer is provisioned,
the RSA private key for a certificate is bound to the TPM and cannot be exported. The TPM can also be used as a
replacement for smart cards, which reduces the costs associated with creating and disbursing smart cards.
Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. New APIs for TPM
management can determine if TPM provisioning actions require physical presence of a service technician to
approve TPM state change requests during the boot process.
Antimalware software can use the boot measurements of the operating system start state to prove the integrity
of a computer running Windows 10 or Windows 11 or Windows Server 2016. These measurements include the
launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With
BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for
PIN entry.
The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info,
see TPM Group Policy Settings.
NOTE
Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM
2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A
computer with legacy BIOS and TPM 2.0 won't work as expected.
Applies to
Windows 10
Windows 11
Windows Server 2016 and later
This article for the IT professional provides a description of the components of the Trusted Platform Module
(TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks.
A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily
involving encryption keys. The TPM is installed on the motherboard of a computer, and it communicates with
the rest of the system by using a hardware bus.
Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be
decrypted by the TPM. This process, often called wrapping or binding a key, can help protect the key from
disclosure. Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM
itself. The private portion of a storage root key or endorsement key that is created in a TPM is never exposed to
any other component, software, process, or user.
You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that
they can be migrated, the public and private portions of the key can be exposed to other components, software,
processes, or users. If you specify that encryption keys cannot be migrated, the private portion of the key is
never exposed outside the TPM.
Computers that incorporate a TPM can also create a key that is wrapped and tied to certain platform
measurements. This type of key can be unwrapped only when those platform measurements have the same
values that they had when the key was created. This process is referred to as “sealing the key to the TPM.”
Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM.
With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware
or software conditions are met.
With a TPM, private portions of key pairs are kept separate from the memory that is controlled by the operating
system. Keys can be sealed to the TPM, and certain assurances about the state of a system (assurances that
define the trustworthiness of a system) can be made before the keys are unsealed and released for use. The TPM
uses its own internal firmware and logic circuits to process instructions. Hence, it doesn't rely on the operating
system and it isn't exposed to vulnerabilities that might exist in the operating system or application software.
For info about which versions of Windows support which versions of the TPM, see Trusted Platform Module
technology overview. The features that are available in the versions are defined in specifications by the Trusted
Computing Group (TCG). For more info, see the Trusted Platform Module page on the Trusted Computing Group
website: Trusted Platform Module.
The following sections provide an overview of the technologies that support the TPM:
Measured Boot with support for attestation
TPM-based Virtual Smart Card
TPM-based certificate storage
TPM Cmdlets
Physical presence interface
TPM 1.2 states and initialization
Endorsement keys
TPM Key Attestation
Anti-hammering
The following topic describes the TPM Services that can be controlled centrally by using Group Policy settings:
TPM Group Policy Settings.
TPM Cmdlets
You can manage the TPM using Windows PowerShell. For details, see TPM Cmdlets in Windows PowerShell.
Endorsement keys
A trusted application can use TPM only if the TPM contains an endorsement key, which is an RSA key pair. The
private half of the key pair is held inside the TPM and it is never revealed or accessible outside the TPM.
Key attestation
TPM key attestation allows a certification authority to verify that a private key is protected by a TPM and that the
TPM is one that the certification authority trusts. Endorsement keys proven valid are used to bind the user
identity to a device. The user certificate with a TPM attested key provides higher security assurance backed up
by the non-exportability, anti-hammering, and isolation of keys provided by a TPM.
Anti-hammering
When a TPM processes a command, it does so in a protected environment, for example, a dedicated
microcontroller on a discrete chip or a special hardware-protected mode on the main CPU. A TPM is used to
create a cryptographic key that is not disclosed outside the TPM. It is used in the TPM after the correct
authorization value is provided.
TPMs have anti-hammering protection that is designed to prevent brute force attacks, or more complex
dictionary attacks, that attempt to determine authorization values for using a key. The basic approach is for the
TPM to allow only a limited number of authorization failures before it prevents more attempts to use keys and
locks. Providing a failure count for individual keys is not technically practical, so TPMs have a global lockout
when too many authorization failures occur.
Because many entities can use the TPM, a single authorization success cannot reset the TPM’s anti-hammering
protection. This prevents an attacker from creating a key with a known authorization value and then using it to
reset the TPM’s protection. TPMs are designed to forget about authorization failures after a period of time so the
TPM does not enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM’s lockout
logic.
TPM 2.0 anti-hammering
TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 for which the anti-hammering
protection was implemented by the manufacturer and the logic varied widely throughout the industry.
For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to
forget one authorization failure every 10 minutes. This means that a user could quickly attempt to use a key
with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization
value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
Attempts to use a key with an authorization value for the next 10 minutes would not return success or failure;
instead the response indicates that the TPM is locked. After 10 minutes, one authorization failure is forgotten
and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked
state and returns to normal operation. With the correct authorization value, keys could be used normally if no
authorization failures occur during the next 10 minutes. If a period of 320 minutes elapses with no authorization
failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again.
Windows 8 Certification does not require TPM 2.0 systems to forget about authorization failures when the
system is fully powered off or when the system has hibernated. Windows does require that authorization
failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than
off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for 10
minutes.
The anti-hammering protection for TPM 2.0 can be fully reset immediately by sending a reset lockout command
to the TPM and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and
stores the TPM owner password for use by system administrators.
In some enterprise situations, the TPM owner authorization value is configured to be stored centrally in Active
Directory, and it is not stored on the local system. An administrator can launch the TPM MMC and choose to
reset the TPM lockout time. If the TPM owner password is stored locally, it is used to reset the lockout time. If the
TPM owner password is not available on the local system, the administrator needs to provide it. If an
administrator attempts to reset the TPM lockout state with the wrong TPM owner password, the TPM does not
allow another attempt to reset the lockout state for 24 hours.
TPM 2.0 allows some keys to be created without an authorization value associated with them. These keys can be
used when the TPM is locked. For example, BitLocker with a default TPM-only configuration is able to use a key
in the TPM to start Windows, even when the TPM is locked.
Rationale behind the defaults
Originally, BitLocker allowed from 4 to 20 characters for a PIN. Windows Hello has its own PIN for logon, which
can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
Windows 10, version 1607 and earlier used Dictionary Attack Prevention parameters. The Dictionary Attack
Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is
used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example
could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours.
This totals a maximum of about 4415 guesses per year. If the PIN is 4 digits, all 9999 possible PIN combinations
could be attempted in a little over two years.
Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6
characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello.
Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration
between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining
a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be
used, make sure that GPO is enabled and configure the system to use legacy Dictionary Attack Prevention
Parameters setting for TPM 2.0.
TPM -based smart cards
The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the
system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization
value. The following list shows the advantages of virtual smart cards:
Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the
lockout after the correct PIN is entered. With a virtual smart card, the TPM’s anti-hammering protection is
not reset after a successful authentication. The allowed number of authorization failures before the TPM
enters lockout includes many factors.
Hardware manufacturers and software developers have the option to use the security features of the TPM
to meet their requirements.
The intent of selecting 32 failures as the lock-out threshold is so users rarely lock the TPM (even when
learning to type new passwords or if they frequently lock and unlock their computers). If users lock the
TPM, they must to wait 10 minutes or use some other credential to sign in, such as a user name and
password.
Related topics
Trusted Platform Module (list of topics)
TPM Cmdlets in Windows PowerShell
TPM WMI providers
Prepare your organization for BitLocker: Planning and Policies - TPM configurations
How Windows uses the Trusted Platform Module
3/3/2022 • 22 minutes to read • Edit Online
The Windows operating system improves most existing security features in the operating system and adds
groundbreaking new security features such as Device Guard and Windows Hello for Business. It places
hardware-based security deeper inside the operating system than previous Windows versions had done,
maximizing platform security while increasing usability. To achieve many of these security enhancements,
Windows makes extensive use of the Trusted Platform Module (TPM). This article offers a brief overview of the
TPM, describes how it works, and discusses the benefits that TPM brings to Windows and the cumulative
security impact of running Windows on a PC that contains a TPM.
See also:
Windows 11 Specifications
Windows 10 Specifications
TPM Fundamentals
TPM Recommendations
TPM Overview
The TPM is a cryptographic module that enhances computer security and privacy. Protecting data through
encryption and decryption, protecting authentication credentials, and proving which software is running on a
system are basic functionalities associated with computer security. The TPM helps with all these scenarios and
more.
Historically, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow
the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest
of the system. Although discrete TPM implementations are still common, they can be problematic for integrated
devices that are small or have low power consumption. Some newer TPM implementations integrate TPM
functionality into the same chipset as other platform components while still providing logical separation similar
to discrete TPM chips.
TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM
must carefully integrate system hardware and firmware with the TPM to send it commands and react to its
responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and
users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can
be used for advanced scenarios, a TPM must be provisioned. Windows automatically provisions a TPM, but if the
user reinstalls the operating system, user may need to tell the operating system to explicitly provision the TPM
again before it can use all the TPM’s features.
The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM
specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that
support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes
the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification
Submission Process that the Joint Technical Committee 1 defines between the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC).
OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone.
Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot
achieve. For example, software alone cannot reliably report whether malware is present during the system
startup process. The close integration between TPM and platform increases the transparency of the startup
process and supports evaluating device health by enabling reliable measuring and reporting of the software
that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware
root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that
disallow exporting the key, that key truly cannot leave the TPM.
The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of
different customer segments. There are variations in the security properties of different TPM implementations
just as there are variations in customer and regulatory requirements for different sectors. In public-sector
procurement, for example, some governments have clearly defined security requirements for TPMs, whereas
others do not.
Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation
increases. Although having a TPM is clearly better than not having a TPM, Microsoft’s best advice is to determine
your organization’s security needs and research any regulatory requirements associated with procurement for
your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability.
TPM in Windows
The security features of Windows combined with the benefits of a TPM offer practical security and privacy
benefits. The following sections start with major TPM-related security features in Windows and go on to
describe how key technologies use the TPM to enable or increase security.
Measured Boot
Windows 8 introduced Measured Boot as a way for the operating system to record the chain of measurements
of software components and configuration information in the TPM through the initialization of the Windows
operating system. In previous Windows versions, the measurement chain stopped at the Windows Boot
Manager component itself, and the measurements in the TPM were not helpful for understanding the starting
state of Windows.
The Windows boot process happens in stages and often involves third-party drivers to communicate with
vendor-specific hardware or implement antimalware solutions. For software, Measured Boot records
measurements of the Windows kernel, Early-Launch Anti-Malware drivers, and boot drivers in the TPM. For
configuration settings, Measured Boot records security-relevant information such as signature data that
antimalware drivers use and configuration data about Windows security features (e.g., whether BitLocker is on
or off).
Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and
configuration settings. If security settings and other protections are set up correctly, they can be trusted to
maintain the security of the running operating system thereafter. Other scenarios can use the operating system’s
starting state to determine whether the running operating system should be trusted.
TPM measurements are designed to avoid recording any privacy-sensitive information as a measurement. As an
additional privacy protection, Measured Boot stops the measurement chain at the initial starting state of
Windows. Therefore, the set of measurements does not include details about which applications are in use or
how Windows is being used. Measurement information can be shared with external entities to show that the
device is enforcing adequate security policies and did not start with malware.
The TPM provides the following way for scenarios to use the measurements recorded in the TPM during boot:
Remote Attestation . Using an attestation identity key, the TPM can generate and cryptographically sign a
statement (orquote) of the current measurements in the TPM. Windows can create unique attestation identity
keys for various scenarios to prevent separate evaluators from collaborating to track the same device.
Additional information in the quote is cryptographically scrambled to limit information sharing and better
protect privacy. By sending the quote to a remote entity, a device can attest which software and configuration
settings were used to boot the device and initialize the operating system. An attestation identity key
certificate can provide further assurance that the quote is coming from a real TPM. Remote attestation is the
process of recording measurements in the TPM, generating a quote, and sending the quote information to
another system that evaluates the measurements to establish trust in a device. Figure 2 illustrates this
process.
When new security features are added to Windows, Measured Boot adds security-relevant configuration
information to the measurements recorded in the TPM. Measured Boot enables remote attestation scenarios
that reflect the system firmware and the Windows initialization state.
Figure 2: Process used to create evidence of boot software and configuration using a TPM
Health Attestation
Some Windows improvements help security solutions implement remote attestation scenarios. Microsoft
provides a Health Attestation service, which can create attestation identity key certificates for TPMs from
different manufacturers as well as parse measured boot information to extract simple security assertions, such
as whether BitLocker is on or off. The simple security assertions can be used to evaluate device health.
Mobile device management (MDM) solutions can receive simple security assertions from the Microsoft Health
Attestation service for a client without having to deal with the complexity of the quote or the detailed TPM
measurements. MDM solutions can act on the security information by quarantining unhealthy devices or
blocking access to cloud services such as Microsoft Office 365.
Credential Guard
Credential Guard is a new feature in Windows that helps protect Windows credentials in organizations that have
deployed AD DS. Historically, a user’s credentials (e.g., logon password) were hashed to generate an
authorization token. The user employed the token to access resources that he or she was permitted to use. One
weakness of the token model is that malware that had access to the operating system kernel could look through
the computer’s memory and harvest all the access tokens currently in use. The attacker could then use
harvested tokens to log on to other machines and collect more credentials. This kind of attack is called a “pass
the hash” attack, a malware technique that infects one machine to infect many machines across an organization.
Similar to the way Microsoft Hyper-V keeps virtual machines (VMs) separate from one another, Credential
Guard uses virtualization to isolate the process that hashes credentials in a memory area that the operating
system kernel cannot access. This isolated memory area is initialized and protected during the boot process so
that components in the larger operating system environment cannot tamper with it. Credential Guard uses the
TPM to protect its keys with TPM measurements, so they are accessible only during the boot process step when
the separate region is initialized; they are not available for the normal operating system kernel. The local security
authority code in the Windows kernel interacts with the isolated memory area by passing in credentials and
receiving single-use authorization tokens in return.
The resulting solution provides defense in depth, because even if malware runs in the operating system kernel, it
cannot access the secrets inside the isolated memory area that actually generates authorization tokens. The
solution does not solve the problem of key loggers because the passwords such loggers capture actually pass
through the normal Windows kernel, but when combined with other solutions, such as smart cards for
authentication, Credential Guard greatly enhances the protection of credentials in Windows.
Conclusion
The TPM adds hardware-based security benefits to Windows. When installed on hardware that includes a TPM,
Window delivers remarkably improved security benefits. The following table summarizes the key benefits of the
TPM’s major features.
Although some of the aforementioned features have additional hardware requirements (e.g., virtualization
support), the TPM is a cornerstone of Windows security. Microsoft and other industry stakeholders continue to
improve the global standards associated with TPM and find more and more applications that use it to provide
tangible benefits to customers. Microsoft has included support for most TPM features in its version of Windows
for the Internet of Things (IoT) called Windows IoT Core. IoT devices that might be deployed in insecure physical
locations and connected to cloud services like Azure IoT Hub for management can use the TPM in innovative
ways to address their emerging security requirements.
TPM Group Policy settings
3/3/2022 • 8 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Windows Server 2016 and above
This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group
Policy settings.
The Group Policy settings for TPM services are located at:
Computer Configuration\Administrative Templates\System\Trusted Platform Module Ser vices\
The following Group Policy settings were introduced in Windows.
This policy setting configured which TPM authorization values are stored in the registry of the local computer.
Certain authorization values are required in order to allow Windows to perform certain actions.
There are three TPM owner authentication settings that are managed by the Windows operating system. You can
choose a value of Full , Delegate , or None .
Full This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and
the TPM user delegation blob in the local registry. With this setting, you can use the TPM without
requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for
scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner
authorization value. Some TPM-based applications may require that this setting is changed before
features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2
is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0.
Delegated This setting stores only the TPM administrative delegation blob and the TPM user delegation
blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on
the TPM antihammering logic. This is the default setting in Windows prior to version 1703.
None This setting provides compatibility with previous operating systems and applications. You can
also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might
cause issues with some TPM-based applications.
NOTE
If the operating system managed TPM authentication setting is changed from Full to Delegated , the full TPM owner
authorization value will be regenerated, and any copies of the previously set TPM owner authorization value will be
invalid.
Registr y information
Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM
DWORD: OSManagedAuthLevel
The following table shows the TPM owner authorization values in the registry.
VA L UE DATA SET T IN G
0 None
2 Delegated
4 Full
If you enable this policy setting, the Windows operating system will store the TPM owner authorization in the
registry of the local computer according to the TPM authentication setting you choose.
On Windows 10 prior to version 1607, if you disable or do not configure this policy setting, and the Turn on
TPM backup to Active Director y Domain Ser vices policy setting is also disabled or not configured, the
default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not
configured, and the Turn on TPM backup to Active Director y Domain Ser vices policy setting is enabled,
only the administrative delegation and the user delegation blobs are stored in the local registry.
IMPORTANT
Setting this policy will take effect only if:
The TPM was originally prepared using a version of Windows after Windows 10 Version 1607
The system has a TPM 2.0.
NOTE
Enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system
restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have
no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters,
regardless of the value of this group policy. The only ways for the disabled setting of this policy to take effect on a system
where it was once enabled are to either:
Disable it from group policy
Clear the TPM on the system
Related topics
Trusted Platform Module
TPM Cmdlets in Windows PowerShell
Prepare your organization for BitLocker: Planning and Policies - TPM configurations
Back up the TPM recovery information to AD DS
3/3/2022 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Windows Server 2016 and above
Does not apply to
Windows 10, version 1607 or later
With Windows 10, versions 1511 and 1507, or Windows 11, you can back up a computer’s Trusted Platform
Module (TPM) information to Active Directory Domain Services (AD DS). By doing this, you can use AD DS to
administer the TPM from a remote computer. The procedure is the same as it was for Windows 8.1. For more
information, see Backup the TPM Recovery Information to AD DS.
Related topics
Trusted Platform Module (list of topics)
TPM Group Policy settings
Troubleshoot the TPM
3/3/2022 • 7 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Windows Server 2016 and above
This article provides information for the IT professional to troubleshoot the Trusted Platform Module (TPM):
Troubleshoot TPM initialization
Clear all the keys from the TPM
With TPM 1.2 and Windows 10, version 1507 or 1511, or Windows 11, you can also take the following actions:
Turn on or turn off the TPM
For information about the TPM cmdlets, see TPM Cmdlets in Windows PowerShell.
WARNING
Clearing the TPM can result in data loss. For more information, see the next section, “Precautions to take before clearing
the TPM.”
Turn on or turn off the TPM (available only with TPM 1.2 with
Windows 10, version 1507 and higher)
Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the
TPM on or off. However, if necessary you can do so by using the TPM MMC.
Turn on the TPM
If you want to use the TPM after you have turned it off, you can use the following procedure to turn on the TPM.
To turn on the TPM (TPM 1.2 with Windows 10, version 1507 and higher)
1. Open the TPM MMC (tpm.msc).
2. In the Action pane, select Turn TPM On to display the Turn on the TPM Security Hardware page.
Read the instructions on this page.
3. Select Shutdown (or Restar t ), and then follow the UEFI screen prompts.
After the computer restarts, but before you sign in to Windows, you will be prompted to accept the
reconfiguration of the TPM. This ensures that the user has physical access to the computer and that
malicious software is not attempting to make changes to the TPM.
Turn off the TPM
If you want to stop using the services that are provided by the TPM, you can use the TPM MMC to turn off the
TPM.
To turn off the TPM (TPM 1.2 with Windows 10, version 1507 and higher)
1. Open the TPM MMC (tpm.msc).
2. In the Action pane, select Turn TPM Off to display the Turn off the TPM security hardware page.
3. In the Turn off the TPM security hardware dialog box, select a method to enter your owner password
and turning off the TPM:
If you saved your TPM owner password on a removable storage device, insert it, and then select I
have the owner password file . In the Select backup file with the TPM owner password
dialog box, select Browse to locate the .tpm file that is saved on your removable storage device,
select Open , and then select Turn TPM Off .
If you do not have the removable storage device with your saved TPM owner password, select I
want to enter the password . In the Type your TPM owner password dialog box, type your
password (including hyphens), and then select Turn TPM Off .
If you did not save your TPM owner password or no longer know it, select I do not have the
TPM owner password , and follow the instructions that are provided in the dialog box and
subsequent UEFI screens to turn off the TPM without entering the password.
Related articles
Trusted Platform Module (list of articles)
Understanding PCR banks on TPM 2.0 devices
3/3/2022 • 4 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Windows Server 2016 and above
For steps on how to switch PCR banks on TPM 2.0 devices on your PC, you should contact your OEM or UEFI
vendor. This topic provides background about what happens when you switch PCR banks on TPM 2.0 devices.
A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. The
size of the value that can be stored in a PCR is determined by the size of a digest generated by an associated
hashing algorithm. A SHA-1 PCR can store 20 bytes – the size of a SHA-1 digest. Multiple PCRs associated with
the same hashing algorithm are referred to as a PCR bank.
To store a new value in a PCR, the existing value is extended with a new value as follows: PCR[N] = HASHalg(
PCR[N] || ArgumentOfExtend )
The existing value is concatenated with the argument of the TPM Extend operation. The resulting concatenation
is then used as input to the associated hashing algorithm, which computes a digest of the input. This computed
digest becomes the new value of the PCR.
The TCG PC Client Platform TPM Profile Specification defines the inclusion of at least one PCR bank with 24
registers. The only way to reset the first 16 PCRs is to reset the TPM itself. This restriction helps ensure that the
value of those PCRs can only be modified via the TPM Extend operation.
Some TPM PCRs are used as checksums of log events. The log events are extended in the TPM as the events
occur. Later, an auditor can validate the logs by computing the expected PCR values from the log and comparing
them to the PCR values of the TPM. Since the first 16 TPM PCRs cannot be modified arbitrarily, a match between
an expected PCR value in that range and the actual TPM PCR value provides assurance of an unmodified log.
Related topics
Trusted Platform Module (list of topics)
TPM recommendations
3/3/2022 • 8 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Windows Server 2016 and above
This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows.
For a basic feature description of TPM, see the Trusted Platform Module Technology Overview.
NOTE
TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode
configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For
added security Enable the Secure Boot feature.
Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed
to UEFI. Use the tool MBR2GPT before changing the BIOS mode which will prepare the OS and the disk to support UEFI.
Related topics
Trusted Platform Module (list of topics)
Windows Defender System Guard: How a
hardware-based root of trust helps protect Windows
10
3/3/2022 • 5 minutes to read • Edit Online
To protect critical resources such as the Windows authentication stack, single sign-on tokens, the Windows Hello
biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must be
trustworthy.
Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one
roof and sets up the next set of investments in Windows security. It's designed to make these security
guarantees:
Protect and maintain the integrity of the system as it starts up
Validate that system integrity has truly been maintained through local and remote attestation
Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a
specific hardware configuration. This means the number of valid code measurements is small, and future
updates can be deployed more widely and quickly.
System Management Mode (SMM ) protection
System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power
management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful.
Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime,
which executes SMM code installed by the BIOS. SMM code executes in the highest privilege level and is
invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure
Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor.
To defend against this, two techniques are used:
Paging protection to prevent inappropriate access to code and data
SMM hardware supervision and attestation
Paging protection can be implemented to lock certain code tables to be read-only to prevent tampering. This
prevents access to any memory that hasn't been assigned.
A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make
sure it doesn't access any part of the address space that it isn't supposed to.
SMM protection is built on top of the Secure Launch technology and requires it to function. In the future,
Windows 10 will also measure this SMI Handler’s behavior and attest that no OS-owned memory has been
tampered with.
After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM.
Upon request, a management system like Intune or Microsoft Endpoint Configuration Manager can acquire
them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the
management system can take a series of actions, such as denying the device access to resources.
System Guard Secure Launch and SMM protection
3/3/2022 • 4 minutes to read • Edit Online
Applies to:
Windows 11
Windows 10
This topic explains how to configure System Guard Secure Launch and System Management Mode (SMM)
protection to improve the startup security of Windows 10 and Windows 11 devices. The information below is
presented from a client perspective.
Registry
1. Open Registry editor.
2. Click HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > DeviceGuard >
Scenarios .
3. Right-click Scenarios > New > Key and name the new key SystemGuard .
4. Right-click SystemGuard > New > DWORD (32-bit) Value and name the new DWORD Enabled .
5. Double-click Enabled , change the value to 1 , and click OK .
How to verify System Guard Secure Launch is configured and running
To verify that Secure Launch is running, use System Information (MSInfo32). Click Star t , search for System
Information , and look under Vir tualization-based Security Ser vices Running and Vir tualization-based
Security Ser vices Configured .
NOTE
To enable System Guard Secure launch, the platform must meet all the baseline requirements for Device Guard, Credential
Guard, and Virtualization Based Security.
Trusted Platform Module (TPM) 2.0 Platforms must support a discrete TPM 2.0.
Integrated/firmware TPMs aren't supported, except Intel
chips that support Platform Trust Technology (PTT), which is
a type of integrated hardware TPM that meets the TPM 2.0
spec.
Windows DMA Protection Platforms must meet the Windows DMA Protection
Specification (all external DMA ports must be off by default
until the OS explicitly powers them).
TPM AUX Index Platform must set up a AUX index with index, attributes, and
policy that exactly corresponds to the AUX index specified in
the TXT DG with a data size of exactly 104 bytes (for
SHA256 AUX data). (NameAlg = SHA256)
Platforms must set up a PS (Platform Supplier) index with:
Exactly the "TXT PS2" style Attributes on creation as
follows:
AuthWrite
PolicyDelete
WriteLocked
WriteDefine
AuthRead
WriteDefine
NoDa
Written
PlatformCreate
A policy of exactly PolicyCommandCode(CC =
TPM2_CC_UndefineSpaceSpecial) (SHA256 NameAlg
and Policy)
Size of exactly 70 bytes
NameAlg = SHA256
Also, it must have been initialized and locked
(TPMA_NV_WRITTEN = 1, TPMA_NV_WRITELOCKED
= 1) at time of OS launch.
PS index data DataRevocationCounters, SINITMinVersion,
and PolicyControl must all be 0x00
TPM NV Index Platform firmware must set up a TPM NV index for use by
the OS with:
Handle: 0x01C101C0
Attributes:
TPMA_NV_POLICYWRITE
TPMA_NV_PPREAD
TPMA_NV_OWNERREAD
TPMA_NV_AUTHREAD
TPMA_NV_POLICYREAD
TPMA_NV_NO_DA
TPMA_NV_PLATFORMCREATE
TPMA_NV_POLICY_DELETE
A policy of:
A=
TPM2_PolicyAuthorize(MSFT_DRTM_AUTH_BLOB
_SigningKey)
B=
TPM2_PolicyCommandCode(TPM_CC_NV_Undefi
neSpaceSpecial)
authPolicy = {A} OR {{A} AND {B}}
Digest value of 0xcb, 0x45, 0xc8, 0x1f, 0xf3, 0x4b,
0xcf, 0x0a, 0xfb, 0x9e, 0x1a, 0x80, 0x29, 0xfa,
0x23, 0x1c, 0x87, 0x27, 0x30, 0x3c, 0x09, 0x22,
0xdc, 0xce, 0x68, 0x4b, 0xe3, 0xdb, 0x81, 0x7c,
0x20, 0xe1
Platform firmware Platform firmware must carry all code required to execute an
Intel® Trusted Execution Technology secure launch:
Intel® SINIT ACM must be carried in the OEM BIOS
Platforms must ship with a production ACM signed
by the correct production Intel® ACM signer for the
platform
F O R Q UA L C O M M ® P RO C ESSO RS W IT H SD850 O R L AT ER
C H IP SET S DESC RIP T IO N
Monitor Mode Page Tables All Monitor Mode page tables must:
NOT contain any mappings to
EfiConventionalMemory (for example no OS/VMM
owned memory)
They must NOT have execute and write permissions
for the same page
Platforms must only allow Monitor Mode pages
marked as executable
The memory map must report Monitor Mode as
EfiReservedMemoryType
Platforms must provide mechanism to protect the
Monitor Mode page tables from modification
Platform firmware Platform firmware must carry all code required to launch.
NOTE
For more information around AMD processors, see Microsoft Security Blog: Force firmware code to be measured and
attested by Secure Launch on Windows 10.
Enable virtualization-based protection of code
integrity
3/3/2022 • 9 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10 and
Windows 11. Some applications, including device drivers, may be incompatible with HVCI. This can cause
devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after
HVCI has been turned on or during the enablement process itself. If this happens, see Troubleshooting for
remediation steps.
NOTE
Because it makes use of Mode Based Execution Control, HVCI works better with Intel Kaby Lake or AMD Zen 2 CPUs and
newer. Processors without MBEC will rely on an emulation of this feature, called Restricted User Mode, which has a bigger
impact on performance.
HVCI Features
HVCI protects modification of the Control Flow Guard (CFG) bitmap.
HVCI also ensures that your other trusted processes, like Credential Guard, have got a valid certificate.
Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI.
For Windows 10 version 1607 and later and for Windows 11 version 21H2
Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):
If you want to customize the preceding recommended settings, use the following settings.
To enable VBS
To enable vir tualization-based protection of Code Integrity policies without UEFI lock (value 0)
To enable vir tualization-based protection of Code Integrity policies with UEFI lock (value 1)
If you want to customize the preceding recommended settings, use the following settings.
To enable VBS (it is always locked to UEFI)
To enable vir tualization-based protection of Code Integrity policies (with the default, UEFI lock)
Validate enabled Windows Defender Device Guard hardware -based security features
Windows 10, Windows 11, and Windows Server 2016 have a WMI class for related properties and features:
Win32_DeviceGuard. This class can be queried from an elevated Windows PowerShell session by using the
following command:
NOTE
The Win32_DeviceGuard WMI class is only available on the Enterprise edition of Windows 10 and Windows 11.
NOTE
Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803 and
Windows 11 version 21H2.
The output of this command provides details of the available hardware-based security features as well as those
features that are currently enabled.
AvailableSecurityProperties
This field helps to enumerate and report state on the relevant security properties for Windows Defender Device
Guard.
VA L UE DESC RIP T IO N
InstanceIdentifier
A string that is unique to a particular device. Valid values are determined by WMI.
RequiredSecurityProperties
This field describes the required security properties to enable virtualization-based security.
VA L UE DESC RIP T IO N
0. Nothing is required.
SecurityServicesConfigured
This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured.
VA L UE DESC RIP T IO N
0. No services configured.
SecurityServicesRunning
This field indicates whether the Windows Defender Credential Guard or HVCI service is running.
VA L UE DESC RIP T IO N
0. No services running.
Version
This field lists the version of this WMI class. The only valid value now is 1.0 .
VirtualizationBasedSecurityStatus
This field indicates whether VBS is enabled and running.
VA L UE DESC RIP T IO N
PSComputerName
This field lists the computer name. All valid values for computer name.
Another method to determine the available and enabled Windows Defender Device Guard features is to run
msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device
Guard properties are displayed at the bottom of the System Summar y section.
Troubleshooting
A. If a device driver fails to load or crashes at runtime, you may be able to update the driver using Device
Manager .
B. If you experience software or device malfunction after using the above procedure to turn on HVCI, but you are
able to log in to Windows, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from
<OS Volume>\Windows\System32\CodeIntegrity\ and then restart your device.
C. If you experience a critical error during boot or your system is unstable after using the above procedure to
turn on HVCI, you can recover using the Windows Recovery Environment (Windows RE). To boot to Windows
RE, see Windows RE Technical Reference. After logging in to Windows RE, you can turn off HVCI by renaming or
deleting the SIPolicy.p7b file from <OS Volume>\Windows\System32\CodeIntegrity\ and then restart your device.
Applies to
Windows 10
Windows 11
In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs
against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally
accessible PCIe ports (for example, Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903,
Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (for example, M.2 slots)
Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of
malware that allows attackers to bypass the lock screen or control PCs remotely.
This feature doesn't protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on.
Background
PCI devices are DMA-capable, which allows them to read and write to system memory at will, without having to
engage the system processor in these operations. The DMA capability is what makes PCI devices the highest
performing devices available today. These devices have historically existed only inside the PC chassis, either
connected as a card or soldered on the motherboard. Access to these devices required the user to turn off power
to the system and disassemble the chassis.
Today, this is no longer the case with hot plug PCIe ports (for example, Thunderbolt™ and CFexpress).
Hot plug PCIe ports such as Thunderbolt™ technology have provided modern PCs with extensibility that wasn't
available before for PCs. It allows users to attach new classes of external peripherals, such as graphics cards or
other PCI devices, to their PCs with a hot plug experience identical to USB. Having PCI hot plug ports externally
and easily accessible makes PCs susceptible to drive-by DMA attacks.
Drive-by DMA attacks are attacks that occur while the owner of the system is not present and usually take less
than 10 minutes, with simple to moderate attacking tools (affordable, off-the-shelf hardware and software) that
do not require the disassembly of the PC. A simple example would be a PC owner leaves the PC for a quick
coffee break, and within the break, an attacker steps in, plugs in a USB-like device and walks away with all the
secrets on the machine, or injects a malware that allows them to have full control over the PC remotely.
User experience
By default, peripherals with DMA remapping compatible device drivers will be automatically enumerated and
started. Peripherals with DMA Remapping incompatible drivers will be blocked from starting if the peripheral
was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the
peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system
is rebooted, or the peripheral is unplugged. The peripheral will continue to function normally if the user locks
the screen or logs out of the system.
System compatibility
Kernel DMA Protection requires new UEFI firmware support. This support is anticipated only on newly
introduced, Intel-based systems shipping with Windows 10 version 1803 (not all systems). Virtualization-based
Security (VBS) is not required.
To see if a system supports Kernel DMA Protection, check the System Information desktop app (MSINFO32).
Systems released prior to Windows 10 version 1803 do not support Kernel DMA Protection, but they can
leverage other DMA attack mitigations as described in BitLocker countermeasures.
NOTE
Kernel DMA Protection is not compatible with other BitLocker DMA attacks countermeasures. It is recommended to
disable the BitLocker DMA attacks countermeasures if the system supports Kernel DMA Protection. Kernel DMA
Protection provides higher security bar for the system over the BitLocker DMA attack countermeasures, while maintaining
usability of external peripherals.
3. If the current state of Kernel DMA Protection is OFF and Hyper-V - Vir tualization Enabled in
Firmware is NO:
Reboot into BIOS settings
Turn on Intel Virtualization Technology.
Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is
supported. Other platforms can use DMA attack mitigations described in BitLocker countermeasures.
Reboot system into Windows.
NOTE
Hyper-V - Vir tualization Enabled in Firmware is not available when A hyper visor has been detected.
Features required for Hyper-V will not be displayed. is displayed. This means that Hyper-V -
Vir tualization Enabled in Firmware is set to Yes and the Hyper-V Windows feature is enabled. Enabling
Hyper-V virtualization in Firmware (IOMMU) is required to enable Kernel DMA Protection , even when the
firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in Kernel DMA Protection (Memory
Access Protection) for OEMs.
4. If the state of Kernel DMA Protection remains Off, then the system does not support this feature.
For systems that do not support Kernel DMA Protection, please refer to the BitLocker countermeasures or
Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system for other means of DMA
protection.
When the drivers for PCI or Thunderbolt™ 3 peripherals do not support DMA -remapping?
If the peripherals do have class drivers provided by Windows, use these drivers on your systems. If there are no
class drivers provided by Windows for your peripherals, contact your peripheral vendor/driver vendor to update
the driver to support DMA Remapping.
My system's Kernel DMA Protection is off. Can DMA -remapping for a specific device be turned on?
Yes. DMA remapping for a specific device can be turned on independent from Kernel DMA Protection. For
example, if the driver opts in and VT-d (Virtualization Technology for Directed I/O) is turned on, then DMA
remapping will be enabled for the devices driver even if Kernel DMA Protection is turned off.
Kernel DMA Protection is a policy that allows or blocks devices to perform DMA, based on their remapping state
and capabilities.
Do Microsoft drivers support DMA -remapping?
In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA
Controllers, and Storage NVMe Controllers support DMA Remapping.
Do drivers for non-PCI devices need to be compatible with DMA -remapping?
No. Devices for non-PCI peripherals, such as USB devices, do not perform DMA, thus no need for the driver to
be compatible with DMA Remapping.
How can an enterprise enable the External device enumeration policy?
The External device enumeration policy controls whether to enumerate external peripherals that are not
compatible with DMA-remapping. Peripherals that are compatible with DMA-remapping are always
enumerated. Peripherals that aren't, can be blocked, allowed, or allowed only after the user signs in (default).
The policy can be enabled by using:
Group Policy: Administrative Templates\System\Kernel DMA Protection\Enumeration policy for external
devices incompatible with Kernel DMA Protection
Mobile Device Management (MDM): DmaGuard policies
Related topics
BitLocker countermeasures
DmaGuard MDM policies
Windows operating system security
3/3/2022 • 6 minutes to read • Edit Online
Security and privacy depend on an operating system that guards your system and information from the
moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows
yet with extensive security measures designed to help keep you safe. These measures include built-in advanced
encryption and data protection, robust network and system security, and intelligent safeguards against ever-
evolving threats.
Watch the latest Microsoft Mechanics Windows 11 security video that shows off some of the latest Windows 11
security technology.
Use the links in the following table to learn more about the operating system security features and capabilities
in Windows 11.
Secure Boot and Trusted Boot Secure Boot and Trusted Boot help prevent malware and
corrupted components from loading when a Windows device
is starting. Secure Boot starts with initial boot-up protection,
and then Trusted Boot picks up the process. Together, Secure
Boot and Trusted Boot help to ensure your Windows system
boots up safely and securely.
Cryptography and certificate management Cryptography uses code to convert data so that only a
specific recipient can read it by using a key. Cryptography
enforces privacy to prevent anyone except the intended
recipient from reading data, integrity to ensure data is free
of tampering, and authentication that verifies identity to
ensure that communication is secure.
Windows Security app The Windows built-in security application found in settings
provides an at-a-glance view of the security status and
health of your device. These insights help you identify issues
and take action to make sure you’re protected. You can
quickly see the status of your virus and threat protection,
firewall and network security, device security controls, and
more.
Encryption and data protection Wherever confidential data is stored, it must be protected
against unauthorized access, whether through physical
device theft or from malicious applications. Windows
provides strong at-rest data-protection solutions that guard
against nefarious attackers.
Encrypted Hard Drive Encrypted Hard Drive uses the rapid encryption that is
provided by BitLocker Drive Encryption to enhance data
security and management.
By offloading the cryptographic operations to hardware,
Encrypted Hard Drives increase BitLocker performance and
reduce CPU usage and power consumption. Because
Encrypted Hard Drives encrypt data quickly, enterprise
devices can expand BitLocker deployment with minimal
impact on productivity.
Windows Defender Firewall Windows Defender Firewall is a stateful host firewall that
helps secure the device by allowing you to create rules that
determine which network traffic is permitted to enter the
device from the network and which network traffic the
device is allowed to send to the network. Windows Defender
Firewall also supports Internet Protocol security (IPsec),
which you can use to require authentication from any device
that is attempting to communicate with your device.
Antivirus & antimalware protection Microsoft Defender Antivirus is included in all versions of
Windows 10, Windows Server 2016 and later, and Windows
11. If you have another antivirus app installed and turned
on, Microsoft Defender Antivirus will turn off automatically. If
you uninstall the other app, Microsoft Defender Antivirus will
turn back on.
Attack surface reduction rules Your attack surfaces are the places and ways you are
vulnerable to a cyber attack. Attack surface reduction rules
are built into Windows and Windows Server to prevent and
block certain behaviors that are often abused to
compromise your device or network. Such behaviors can
include launching scripts or executables that attempt to
download or run other files, running suspicious scripts, or
performing other behaviors that apps don't typically initiate
during normal work. You can configure your attack surface
reduction rules to protect against these risky behaviors.
Anti-tampering protection During cyber attacks (like ransomware attempts), bad actors
attempt to disable security features, such as antivirus
protection on targeted devices. Bad actors like to disable
security features to get easier access to user’s data, to install
malware, or to otherwise exploit user’s data, identity, and
devices without fear of being blocked. Tamper protection
helps prevent these kinds of activities.
Controlled folder access With controlled folder access, you can protect your valuable
information in specific folders by managing apps’ access to
specific folders. Only trusted apps can access protected
folders, which are specified when controlled folder access is
configured. Typically, commonly used folders, such as those
used for documents, pictures, downloads, are included in the
list of controlled folders. Controlled folder access helps
protect valuable data from malicious apps and threats, such
as ransomware.
Microsoft Defender for Endpoint Windows E5 customers benefit from Microsoft Defender for
Endpoint, an enterprise endpoint detection and response
capability that helps enterprise security teams detect,
investigate, and respond to advanced threats. With rich
event data and attack insights, Defender for Endpoint
enables your security team to investigate incidents and take
remediation actions effectively and efficiently.
Applies to:
Windows 11
Windows 10
Windows 8.1
The Windows operating system has many features to help protect you from malware, and it does an amazingly
good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series
of requirements to be certified and included in the Microsoft Store. This certification process examines several
criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store.
Even if a malicious app does get through, the Windows 10 operating system includes a series of security
features that can mitigate the impact. For instance, Microsoft Store apps are sandboxed and lack the privileges
necessary to access user data or change system settings.
Windows has multiple levels of protection for desktop apps and data, too. Windows Defender Antivirus uses
cloud-powered real-time detection to identify and quarantine apps that are known to be malicious. Windows
Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it’s recognized as
malware. Before an app can change system settings, the user would have to grant the app administrative
privileges by using User Account Control.
Those are just some of the ways that Windows protects you from malware. However, those security features
protect you only after Windows starts. Modern malware—and bootkits specifically—are capable of starting
before Windows, completely bypassing operating system security, and remaining completely hidden.
When you run Windows 10 or Windows 11 on a PC or any PC that supports Unified Extensible Firmware
Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power on your PC until
your anti-malware starts. In the unlikely event that malware does infect a PC, it can’t remain hidden; Trusted
Boot can prove the system’s integrity to your infrastructure in a way that malware can’t disguise. Even on PCs
without UEFI, Windows provides even better startup security than previous versions of Windows.
First, let’s examine what rootkits are and how they work. Then, we’ll show you how Windows can protect you.
The countermeasures
Windows supports four features to help prevent rootkits and bootkits from loading during the startup process:
Secure Boot. PCs with UEFI firmware and a Trusted Platform Module (TPM) can be configured to load only
trusted operating system bootloaders.
Trusted Boot. Windows checks the integrity of every component of the startup process before loading it.
Early Launch Anti-Malware (EL AM). ELAM tests all drivers before they load and prevents unapproved
drivers from loading.
Measured Boot. The PC’s firmware logs the boot process, and Windows can send it to a trusted server that
can objectively assess the PC’s health.
Figure 1 shows the Windows startup process.
Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at ever y stage
Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all
Windows 10 and Windows 11 PCs that meet Windows Hardware Compatibility Program requirements have
these components, and many PCs designed for earlier versions of Windows have them as well.
The sections that follow describe Secure Boot, Trusted Boot, ELAM, and Measured Boot.
Secure Boot
When a PC starts, it first finds the operating system bootloader. PCs without Secure Boot simply run whatever
bootloader is on the PC’s hard drive. There’s no way for the PC to tell whether it’s a trusted operating system or
a rootkit.
When a PC equipped with UEFI starts, the PC first verifies that the firmware is digitally signed, reducing the risk
of firmware rootkits. If Secure Boot is enabled, the firmware examines the bootloader’s digital signature to verify
that it hasn’t been modified. If the bootloader is intact, the firmware starts the bootloader only if one of the
following conditions is true:
The bootloader was signed using a trusted cer tificate. In the case of PCs certified for Windows, the
Microsoft® certificate is trusted.
The user has manually approved the bootloader ’s digital signature. This allows the user to load
non-Microsoft operating systems.
All x86-based Certified For Windows PCs must meet several requirements related to Secure Boot:
They must have Secure Boot enabled by default.
They must trust Microsoft’s certificate (and thus any bootloader Microsoft has signed).
They must allow the user to configure Secure Boot to trust other bootloaders.
They must allow the user to completely disable Secure Boot.
These requirements help protect you from rootkits while allowing you to run any operating system you want.
You have three options for running non-Microsoft operating systems:
Use an operating system with a cer tified bootloader. Because all Certified For Windows PCs must
trust Microsoft’s certificate, Microsoft offers a service to analyze and sign any non-Microsoft bootloader so
that it will be trusted by all Certified For Windows PCs. In fact, an open source bootloader capable of loading
Linux is already available. To begin the process of obtaining a certificate, go to
https://partner.microsoft.com/dashboard.
Configure UEFI to trust your custom bootloader. All Certified For Windows PCs allow you to trust a
non-certified bootloader by adding a signature to the UEFI database, allowing you to run any operating
system, including homemade operating systems.
Turn off Secure Boot. All Certified For Windows PCs allow you to turn off Secure Boot so that you can run
any software. This does not help protect you from bootkits, however.
To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a
non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings.
Like most mobile devices, ARM-based Certified For Windows RT devices, such as the Microsoft Surface RT
device, are designed to run only Windows 8.1. Therefore, Secure Boot cannot be turned off, and you cannot load
a different operating system. Fortunately, there is a large market of ARM devices designed to run other
operating systems.
Trusted Boot
Trusted Boot takes over where Secure Boot leaves off. The bootloader verifies the digital signature of the
Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the
Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the
bootloader detects the problem and refuses to load the corrupted component. Often, Windows can
automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start
normally.
Early Launch Anti-Malware
Because Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel, the next
opportunity for malware to start is by infecting a non-Microsoft boot driver. Traditional anti-malware apps don’t
start until after the boot drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work.
Early Launch Anti-Malware (ELAM) can load a Microsoft or non-Microsoft anti-malware driver before all non-
Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and
Trusted Boot. Because the operating system hasn’t started yet, and because Windows needs to boot as quickly as
possible, ELAM has a simple task: examine every boot driver and determine whether it is on the list of trusted
drivers. If it’s not trusted, Windows won’t load it.
An ELAM driver isn’t a full-featured anti-malware solution; that loads later in the boot process. Windows
Defender (included with Windows) supports ELAM, as does Microsoft System Center 2012 Endpoint Protection
and several non-Microsoft anti-malware apps.
Measured Boot
If a PC in your organization does become infected with a rootkit, you need to know about it. Enterprise anti-
malware apps can report malware infections to the IT department, but that doesn’t work with rootkits that hide
their presence. In other words, you can’t trust the client to tell you whether it’s healthy.
As a result, PCs infected with rootkits appear to be healthy, even with anti-malware running. Infected PCs
continue to connect to the enterprise network, giving the rootkit access to vast amounts of confidential data and
potentially allowing the rootkit to spread across the internal network.
Working with the TPM and non-Microsoft software, Measured Boot in Windows allows a trusted server on the
network to verify the integrity of the Windows startup process. Measured Boot uses the following process:
1. The PC’s UEFI firmware stores in the TPM a hash of the firmware, bootloader, boot drivers, and everything
that will be loaded before the anti-malware app.
2. At the end of the startup process, Windows starts the non-Microsoft remote attestation client. The trusted
attestation server sends the client a unique key.
3. The TPM uses the unique key to digitally sign the log recorded by the UEFI.
4. The client sends the log to the server, possibly with other security information.
Depending on the implementation and configuration, the server can now determine whether the client is
healthy and grant the client access to either a limited quarantine network or to the full network.
Figure 2 illustrates the Measured Boot and remote attestation process.
Figure 2. Measured Boot proves the PC’s health to a remote ser ver
Windows includes the application programming interfaces to support Measured Boot, but you’ll need non-
Microsoft tools to implement a remote attestation client and trusted attestation server to take advantage of it.
For an example of such a tool, download the TPM Platform Crypto-Provider Toolkit from Microsoft Research or
Microsoft Enterprise Security MVP Dan Griffin’s Measured Boot Tool.
Measured Boot uses the power of UEFI, TPM, and Windows to give you a way to confidently assess the
trustworthiness of a client PC across the network.
Summary
Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits
and rootkits. In Windows, these features have the potential to eliminate kernel-level malware from your
network. This is the most ground-breaking anti-malware solution that Windows has ever had; it’s leaps and
bounds ahead of everything else. With Windows, you can truly trust the integrity of your operating system.
Additional resources
Windows Enterprise Evaluation
Secure Boot and Trusted Boot
3/3/2022 • 2 minutes to read • Edit Online
This article describes Secure Boot and Trusted Boot, security measures built into Windows 11.
Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows
11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the
process. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and
securely.
Secure Boot
The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and
firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted
path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence.
Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes
throughout the boot sequence between the UEFI, bootloader, kernel, and application environments.
As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of
firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS
bootloader’s digital signature to ensure that it is trusted by the Secure Boot policy and hasn’t been tampered
with.
Trusted Boot
Trusted Boot picks up the process that started with Secure Boot. The Windows bootloader verifies the digital
signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component
of the Windows startup process, including boot drivers, startup files, and your antimalware product’s early-
launch antimalware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and
refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are
blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application
environments.
Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and
allowing the Windows 11 device to start normally.
See also
Secure the Windows boot process
Cryptography and Certificate Management
3/3/2022 • 2 minutes to read • Edit Online
Cryptography
Cryptography uses code to convert data so that only a specific recipient can read it by using a key.
Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to
ensure data is free of tampering, and authentication that verifies identity to ensure that communication is
secure. The cryptography stack in Windows extends from the chip to the cloud enabling Windows, applications,
and services protect system and user secrets.
Cryptography in Windows is Federal Information Processing Standards (FIPS) 140 certified. FIPS 140
certification ensures that US government approved algorithms are being used (RSA for signing, ECDH with NIST
curves for key agreement, AES for symmetric encryption, and SHA2 for hashing), tests module integrity to prove
that no tampering has occurred and proves the randomness for entropy sources.
Windows cryptographic modules provide low-level primitives such as:
Random number generators (RNG)
Symmetric and asymmetric encryption (support for AES 128/256 and RSA 512 to 16384, in 64-bit
increments and ECDSA over NIST-standard prime curves P-256, P-384, P-521)
Hashing (support for SHA-256, SHA-384, and SHA-512)
Signing and verification (padding support for OAEP, PSS, PKCS1)
Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521,
and HKDF)
These modules are natively exposed on Windows through the Crypto API (CAPI) and the Cryptography Next
Generation API (CNG) which is powered by Microsoft's open-source cryptographic library SymCrypt.
Application developers can use these APIs to perform low-level cryptographic operations (BCrypt), key storage
operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG).
Certificate management
Windows offers several APIs to operate and manage certificates. Certificates are crucial to public key
infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Certificates are
electronic documents used to claim ownership of a public key. Public keys are used to prove server and client
identity, validate code integrity, and used in secure emails. Windows offers users the ability to auto-enroll and
renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate
expiration or misconfiguration. Windows validates certificates through an automatic update mechanism that
downloads certificate trust lists (CTL) daily. Trusted root certificates are used by applications as a reference for
trustworthy PKI hierarchies and digital certificates. The list of trusted and untrusted certificates are stored in the
CTL and can be updated by administrators. In the case of certificate revocation, a certificate is added as an
untrusted certificate in the CTL causing it to be revoked globally across user devices immediately.
Windows also offers enterprise certificate pinning to help reduce man-in-the-middle attacks by enabling users
to protect their internal domain names from chaining to unwanted certificates. A web application's server
authentication certificate chain is checked to ensure it matches a restricted set of certificates. Any web
application triggering a name mismatch will start event logging and prevent user access from Edge or Internet
Explorer.
The Windows Security app
3/3/2022 • 3 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
This library describes the Windows Security app, and provides information on configuring certain features,
including:
You can't uninstall the Windows Security app, but you can do one of the following:
Disable the interface on Windows Server 2016. See Microsoft Defender Antivirus on Windows Server.
Hide all of the sections on client computers (see below).
Disable Microsoft Defender Antivirus, if needed. See Enable and configure Microsoft Defender AV always-on
protection and monitoring.
You can find more information about each section, including options for configuring the sections - such as
hiding each of the sections - at the following topics:
Virus & threat protection, which has information and access to antivirus ransomware protection settings and
notifications, including Controlled folder access, and sign-in to Microsoft OneDrive.
Account protection, which has information and access to sign-in and account protection settings.
Firewall & network protection, which has information and access to firewall settings, including Windows
Defender Firewall.
App & browser control, covering Windows Defender SmartScreen settings and Exploit protection
mitigations.
Device security, which provides access to built-in device security settings.
Device performance & health, which has information about drivers, storage space, and general Windows
Update issues.
Family options, which includes access to parental controls along with tips and information for keeping kids
safe online.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
How the Windows Security app works with Windows security features
IMPORTANT
Microsoft Defender Antivirus and the Windows Security app use similarly named services for specific purposes.
The Windows Security app uses the Windows Security Service (SecurityHealthService or Windows Security Health Service),
which in turn utilizes the Windows Security Center Service (wscsvc) to ensure the app provides the most up-to-date
information about the protection status on the endpoint, including protection offered by third-party antivirus products,
Windows Defender Firewall, third-party firewalls, and other security protection.
These services do not affect the state of Microsoft Defender Antivirus. Disabling or modifying these services will not
disable Microsoft Defender Antivirus, and will lead to a lowered protection state on the endpoint, even if you are using a
third-party antivirus product.
Microsoft Defender Antivirus will be disabled automatically when a third-party antivirus product is installed and kept up
to date.
Disabling the Windows Security Center Service will not disable Microsoft Defender Antivirus or Windows Defender
Firewall.
WARNING
If you disable the Windows Security Center Service, or configure its associated Group Policy settings to prevent it from
starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall
products you have installed on the device.
It may also prevent Microsoft Defender Antivirus from enabling itself if you have an old or outdated third-party antivirus,
or if you uninstall any third-party antivirus products you may have previously installed.
This will significantly lower the protection of your device and could lead to malware infection.
The Windows Security app operates as a separate app or process from each of the individual features, and will
display notifications through the Action Center.
It acts as a collector or single place to see the status and perform some configuration for each of the features.
Disabling any of the individual features (through Group Policy or other management tools, such as Microsoft
Endpoint Configuration Manager) will prevent that feature from reporting its status in the Windows Security
app. The Windows Security app itself will still run and show status for the other security features.
IMPORTANT
Individually disabling any of the services will not disable the other services or the Windows Security app.
For example, using a third-party antivirus will disable Microsoft Defender Antivirus. However, the Windows
Security app will still run, show its icon in the taskbar, and display information about the other features, such as
Windows Defender SmartScreen and Windows Defender Firewall.
Virus and threat protection
3/3/2022 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
The Virus & threat protection section contains information and settings for antivirus protection from
Microsoft Defender Antivirus and third-party AV products.
In Windows 10, version 1803, this section also contains information and settings for ransomware protection and
recovery. This includes Controlled folder access settings to prevent unknown apps from changing files in
protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This
area also notifies users and provides recovery instructions in case of a ransomware attack.
IT administrators and IT pros can get more configuration information from these articles:
Microsoft Defender Antivirus in the Windows Security app
Microsoft Defender Antivirus documentation library
Protect important folders with Controlled folder access
Defend yourself from cybercrime with new Office 365 capabilities
Microsoft Defender for Office 365
Ransomware detection and recovering your files
You can hide the Virus & threat protection section or the Ransomware protection area from users of the
machine. This can be useful if you don't want employees in your organization to see or have access to user-
configured options for these features.
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates .
3. Expand the tree to Windows components > Windows Security > Virus and threat protection .
4. Open the Hide the Virus and threat protection area setting and set it to Enabled . Click OK .
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates .
3. Expand the tree to Windows components > Windows Security > Virus and threat protection .
4. Open the Hide the Ransomware data recover y area setting and set it to Enabled . Click OK .
5. Deploy the updated GPO as you normally do.
Account protection
3/3/2022 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
The Account protection section contains information and settings for account protection and sign-in. You can
get more information about these capabilities from the following list:
Microsoft Account
Windows Hello for Business
Lock your Windows 10 PC automatically when you step away from it
You can also choose to hide the section from users of the device. This is useful if you don't want your employees
to access or view user-configured options for these features.
IMPORTANT
Requirements
You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and select Edit .
2. In the Group Policy Management Editor go to Computer configuration and select Administrative
templates .
3. Expand the tree to Windows components > Windows Security > Account protection .
4. Open the Hide the Account protection area setting and set it to Enabled . Select OK .
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
Firewall and network protection
3/3/2022 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
The Firewall & network protection section contains information about the firewalls and network
connections used by the machine, including the status of Windows Defender Firewall and any other third-party
firewalls. IT administrators and IT pros can get configuration guidance from the Windows Defender Firewall with
Advanced Security documentation library.
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This information is
useful if you don't want employees in your organization to see or have access to user-configured options for the
features shown in the section.
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates .
3. Expand the tree to Windows components > Windows Security > Firewall and network
protection .
4. Open the Hide the Firewall and network protection area setting and set it to Enabled . Click OK .
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
App and browser control
3/3/2022 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
The App and browser control section contains information and settings for Windows Defender SmartScreen.
IT administrators and IT pros can get configuration guidance from the Windows Defender SmartScreen
documentation library.
In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection.
You can prevent users from modifying these specific options with Group Policy. IT administrators can get more
information at Exploit protection.
You can also choose to hide the section from users of the machine. This can be useful if you don't want
employees in your organization to see or have access to user-configured options for the features shown in the
section.
IMPORTANT
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration , select Policies and then
Administrative templates .
3. Expand the tree to Windows components > Windows Security > App and browser protection .
4. Open the Prevent users from modifying settings setting and set it to Enabled . Click OK .
5. Deploy the updated GPO as you normally do.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration , select Policies and then
Administrative templates .
3. Expand the tree to Windows components > Windows Security > App and browser protection .
4. Open the Hide the App and browser protection area setting and set it to Enabled . Click OK .
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
Device security
3/3/2022 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
The Device security section contains information and settings for built-in device security.
You can choose to hide the section from users of the machine. This can be useful if you don't want employees in
your organization to see or have access to user-configured options for the features shown in the section.
IMPORTANT
You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration and then select
Administrative templates .
3. Expand the tree to Windows components > Windows Security > Device security .
4. Open the Hide the Device security area setting and set it to Enabled . Select OK .
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
Disable the Clear TPM button
If you don't want users to be able to click the Clear TPM button in the Windows Security app, you can disable it.
IMPORTANT
You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management computer, open the Group Policy Management Console, right-click
the Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration and then select
Administrative templates .
3. Expand the tree to Windows components > Windows Security > Device security .
4. Open the Disable the Clear TPM button setting and set it to Enabled . Select OK .
5. Deploy the updated GPO as you normally do.
IMPORTANT
You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management computer, open the Group Policy Management Console, right-click
the Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration and then select
Administrative templates .
3. Expand the tree to Windows components > Windows Security > Device security .
4. Open the Disable Memor y integrity switch setting and set it to Enabled . Select OK .
5. Deploy the updated GPO as you normally do.
Device performance and health
3/3/2022 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
The Device performance & health section contains information about hardware, devices, and drivers related
to the machine. IT administrators and IT pros should reference the appropriate documentation library for the
issues they are seeing, such as the configure the Load and unload device drivers security policy setting and how
to deploy drivers during Windows 10 deployment using Microsoft Endpoint Configuration Manager.
The Windows 10 IT pro troubleshooting topic, and the main Windows 10 documentation library can also be
helpful for resolving issues.
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful
if you don't want employees in your organization to see or have access to user-configured options for the
features shown in the section.
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates .
3. Expand the tree to Windows components > Windows Security > Device performance and
health .
4. Open the Hide the Device performance and health area setting and set it to Enabled . Click OK .
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
Family options
3/3/2022 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
The Family options section contains links to settings and further information for parents of a Windows 10 PC.
It is not generally intended for enterprise or business environments.
Home users can learn more at the Help protection your family online in Windows Security topic at
support.microsoft.com
In Windows 10, version 1709, the section can be hidden from users of the machine. This can be useful if you
don't want employees in your organization to see or have access to this section.
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates .
3. Expand the tree to Windows components > Windows Security > Family options .
4. Open the Hide the Family options area setting and set it to Enabled . Click OK .
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
Security policy settings
3/3/2022 • 22 minutes to read • Edit Online
Applies to
Windows 10
This reference topic describes the common scenarios, architecture, and processes for security settings.
Security policy settings are rules that administrators configure on a computer or multiple devices for the
purpose of protecting resources on a device or network. The Security Settings extension of the Local Group
Policy Editor snap-in allows you to define security configurations as part of a Group Policy Object (GPO). The
GPOs are linked to Active Directory containers such as sites, domains, or organizational units, and they enable
you to manage security settings for multiple devices from any device joined to the domain. Security settings
policies are used as part of your overall security implementation to help secure domain controllers, servers,
clients, and other resources in your organization.
Security settings can control:
User authentication to a network or device.
The resources that users are permitted to access.
Whether to record a user's or group's actions in the event log.
Membership in a group.
To manage security configurations for multiple devices, you can use one of the following options:
Edit specific security settings in a GPO.
Use the Security Templates snap-in to create a security template that contains the security policies you want
to apply, and then import the security template into a Group Policy Object. A security template is a file that
represents a security configuration, and it can be imported to a GPO, applied to a local device, or used to
analyze security.
For more info about managing security configurations, see Administer security policy settings.
The Security Settings extension of the Local Group Policy Editor includes the following types of security policies:
Account Policies. These polices are defined on devices; they affect how user accounts can interact with
the computer or domain. Account policies include the following types of policies:
Password Policy. These policies determine settings for passwords, such as enforcement and
lifetimes. Password policies are used for domain accounts.
Account Lockout Policy. These policies determine the conditions and length of time that an account
will be locked out of the system. Account lockout policies are used for domain or local user accounts.
Kerberos Policy. These policies are used for domain user accounts; they determine Kerberos-related
settings, such as ticket lifetimes and enforcement.
Local Policies. These policies apply to a computer and include the following types of policy settings:
Audit Policy. Specify security settings that control the logging of security events into the Security
log on the computer, and specifies what types of security events to log (success, failure, or both).
NOTE
For devices running Windows 7 and later, we recommend to use the settings under Advanced Audit Policy
Configuration rather than the Audit Policy settings under Local Policies.
User Rights Assignment. Specify the users or groups that have logon rights or privileges on a
device
Security Options. Specify security settings for the computer, such as Administrator and Guest
Account names; access to floppy disk drives and CD-ROM drives; installation of drivers; logon
prompts; and so on.
Windows Firewall with Advanced Security. Specify settings to protect the device on your network by
using a stateful firewall that allows you to determine which network traffic is permitted to pass between
your device and the network.
Network List Manager Policies. Specify settings that you can use to configure different aspects of
how networks are listed and displayed on one device or on many devices.
Public Key Policies. Specify settings to control Encrypting File System, Data Protection, and BitLocker
Drive Encryption in addition to certain certificate paths and services settings.
Software Restriction Policies. Specify settings to identify software and to control its ability to run on
your local device, organizational unit, domain, or site.
Application Control Policies. Specify settings to control which users or groups can run particular
applications in your organization based on unique identities of files.
IP Security Policies on Local Computer. Specify settings to ensure private, secure communications
over IP networks through the use of cryptographic security services. IPsec establishes trust and security
from a source IP address to a destination IP address.
Advanced Audit Policy Configuration. Specify settings that control the logging of security events into
the security log on the device. The settings under Advanced Audit Policy Configuration provide finer
control over which activities to monitor as opposed to the Audit Policy settings under Local Policies.
NOTE
These refresh settings vary between versions of the operating system and can be configured.
By using Group Policy−based security configurations in conjunction with the delegation of administration, you
can ensure that specific security settings, rights, and behavior are applied to all servers and computers within an
OU. This approach makes it simple to update a number of servers with any additional changes required in the
future.
Dependencies on other operating system technologies
For devices that are members of a Windows Server 2008 or later domain, security settings policies depend on
the following technologies:
Active Director y Domain Ser vices (AD DS)
The Windows-based directory service, AD DS, stores information about objects on a network and makes
this information available to administrators and users. By using AD DS, you can view and manage
network objects on the network from a single location, and users can access permitted network resources
by using a single logon.
Group Policy
The infrastructure within AD DS that enables directory-based configuration management of user and
computer settings on devices running Windows Server. By using Group Policy, you can define
configurations for groups of users and computers, including policy settings, registry-based policies,
software installation, scripts, folder redirection, Remote Installation Services, Internet Explorer
maintenance, and security.
Domain Name System (DNS)
A hierarchical naming system used for locating domain names on the Internet and on private TCP/IP
networks. DNS provides a service for mapping DNS domain names to IP addresses, and IP addresses to
domain names. This allows users, computers, and applications to query DNS to specify remote systems
by fully qualified domain names rather than by IP addresses.
Winlogon
A part of the Windows operating system that provides interactive logon support. Winlogon is designed
around an interactive logon model that consists of three components: the Winlogon executable, a
credential provider, and any number of network providers.
Setup
Security configuration interacts with the operating system setup process during a clean installation or
upgrade from earlier versions of Windows Server.
Security Accounts Manager (SAM)
A Windows service used during the logon process. SAM maintains user account information, including
groups to which a user belongs.
Local Security Authority (LSA)
A protected subsystem that authenticates and logs users onto the local system. LSA also maintains
information about all aspects of local security on a system, collectively known as the Local Security Policy
of the system.
Windows Management Instrumentation (WMI)
A feature of the Microsoft Windows operating system, WMI is the Microsoft implementation of Web-
Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology
for accessing management information in an enterprise environment. WMI provides access to
information about objects in a managed environment. Through WMI and the WMI application
programming interface (API), applications can query for and make changes to static information in the
Common Information Model (CIM) repository and dynamic information maintained by the various types
of providers.
Resultant Set of Policy (RSoP)
An enhanced Group Policy infrastructure that uses WMI in order to make it easier to plan and debug
policy settings. RSoP provides public methods that expose what an extension to Group Policy would do in
a what-if situation, and what the extension has done in an actual situation. This allows administrators to
easily determine the combination of policy settings that apply to, or will apply to, a user or device.
Ser vice Control Manager (SCM)
Used for configuration of service startup modes and security.
Registr y
Used for configuration of registry values and security.
File system
Used for configuration of security.
File system conversions
Security is set when an administrator converts a file system from FAT to NTFS.
Microsoft Management Console (MMC)
The user interface for the Security Settings tool is an extension of the Local Group Policy Editor MMC
snap-in.
Security settings policies and Group Policy
The Security Settings extension of the Local Group Policy Editor is part of the Security Configuration Manager
tool set. The following components are associated with Security Settings: a configuration engine; an analysis
engine; a template and database interface layer; setup integration logic; and the secedit.exe command-line tool.
The security configuration engine is responsible for handling security configuration editor-related security
requests for the system on which it runs. The analysis engine analyzes system security for a given configuration
and saves the result. The template and database interface layer handles reading and writing requests from and
to the template or database (for internal storage). The Security Settings extension of the Local Group Policy
Editor handles Group Policy from a domain-based or local device. The security configuration logic integrates
with setup and manages system security for a clean installation or upgrade to a more recent Windows operating
system. Security information is stored in templates (.inf files) or in the Secedit.sdb database.
The following diagram shows Security Settings and related features.
Security Settings Policies and Related Features
Scesr v.dll
Provides the core security engine functionality.
Scecli.dll
Provides the client-side interfaces to the security configuration engine and provides data to Resultant Set
of Policy (RSoP).
Wsecedit.dll
The Security Settings extension of Local Group Policy Editor. scecli.dll is loaded into wsecedit.dll to
support the Security Settings user interface.
Gpedit.dll
The Local Group Policy Editor MMC snap-in.
NOTE
Do not use security policy filtering on a domain controller as this would prevent security policy from applying to it.
In this section
TO P IC DESC RIP T IO N
Administer security policy settings This article discusses different methods to administer
security policy settings on a local device or throughout a
small- or medium-sized organization.
Configure security policy settings Describes steps to configure a security policy setting on the
local device, on a domain-joined device, and on a domain
controller.
Security policy settings reference This reference of security settings provides information
about how to implement and manage security policies,
including setting options and security considerations.
Security auditing
3/3/2022 • 2 minutes to read • Edit Online
Topics in this section are for IT professionals and describes the security auditing features in Windows and how
your organization can benefit from using these technologies to enhance the security and manageability of your
network.
Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As
part of your overall security strategy, you should determine the level of auditing that is appropriate for your
environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks
against resources that you have determined to be valuable in your risk assessment.
In this section
TO P IC DESC RIP T IO N
Basic security audit policies Before you implement auditing, you must decide on an
auditing policy. A basic audit policy specifies categories of
security-related events that you want to audit. When this
version of Windows is first installed, all auditing categories
are disabled. By enabling various auditing event categories,
you can implement an auditing policy that suits the security
needs of your organization.
Advanced security audit policies Advanced security audit policy settings are found in
Security Settings\Advanced Audit Policy
Configuration\System Audit Policies and appear to
overlap with basic security audit policies, but they are
recorded and applied differently.
Encryption and data protection in Windows client
3/3/2022 • 2 minutes to read • Edit Online
When people travel with their computers and devices, their confidential information travels with them.
Wherever confidential data is stored, it must be protected against unauthorized access, whether through
physical device theft or from malicious applications. Encryption and data protection features include:
Encrypted Hard Drive
BitLocker
BitLocker
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses
the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
BitLocker provides encryption for the operating system, fixed data, and removable data drives, using
technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM.
Windows consistently improves data protection by improving existing options and providing new strategies.
See also
Encrypted Hard Drive
BitLocker
Encrypted Hard Drive
3/3/2022 • 6 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Windows Server 2022
Windows Server 2019
Windows Server 2016
Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data
security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance
and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise
devices can expand BitLocker deployment with minimal impact on productivity.
Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for
full disk hardware encryption. You can install Windows to Encrypted Hard Drives without additional
modification beginning with Windows 8 and Windows Server 2012.
Encrypted Hard Drives provide:
Better performance : Encryption hardware, integrated into the drive controller, allows the drive to operate
at full data rate with no performance degradation.
Strong security based in hardware : Encryption is always "on" and the keys for encryption never leave the
hard drive. User authentication is performed by the drive before it will unlock, independently of the
operating system
Ease of use : Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted Hard
Drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive.
Lower cost of ownership : There is no need for new infrastructure to manage encryption keys, since
BitLocker leverages your existing infrastructure to store recovery information. Your device operates more
efficiently because processor cycles do not need to be used for the encryption process.
Encrypted Hard Drives are supported natively in the operating system through the following mechanisms:
Identification : The operating system can identify that the drive is an Encrypted Hard Drive device type
Activation : The operating system disk management utility can activate, create and map volumes to
ranges/bands as appropriate
Configuration : The operating system can create and map volumes to ranges/bands as appropriate
API : API support for applications to manage Encrypted Hard Drives independently of BitLocker Drive
Encryption (BDE)
BitLocker suppor t : Integration with the BitLocker Control Panel provides a seamless BitLocker end user
experience.
WARNING
Self-Encrypting Hard Drives and Encrypted Hard Drives for Windows are not the same type of device. Encrypted Hard
Drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-Encrypting Hard
Drives do not have these requirements. It is important to confirm the device type is an Encrypted Hard Drive for
Windows when planning for deployment.
If you are a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see
the Encrypted Hard Drive Device Guide.
System Requirements
To use Encrypted Hard Drives, the following system requirements apply:
For an Encrypted Hard Drive used as a data drive :
The drive must be in an uninitialized state.
The drive must be in a security inactive state.
For an Encrypted Hard Drive used as a star tup drive :
The drive must be in an uninitialized state.
The drive must be in a security inactive state.
The computer must be UEFI 2.3.1 based and have the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL
defined. (This protocol is used to allow programs running in the EFI boot services environment to send
security protocol commands to the drive).
The computer must have the Compatibility Support Module (CSM) disabled in UEFI.
The computer must always boot natively from UEFI.
WARNING
All Encrypted Hard Drives must be attached to non-RAID controllers to function properly.
Technical overview
Rapid encryption in BitLocker directly addresses the security needs of enterprises while offering significantly
improved performance. In versions of Windows earlier than Windows Server 2012, BitLocker required a two-
step process to complete read/write requests. In Windows Server 2012, Windows 8, or later, Encrypted Hard
Drives offload the cryptographic operations to the drive controller for much greater efficiency. When the
operating system identifies an Encrypted Hard Drive, it activates the security mode. This activation lets the drive
controller generate a media key for every volume that the host computer creates. This media key, which is never
exposed outside the disk, is used to rapidly encrypt or decrypt every byte of data that is sent or received from
the disk.
Applies to
Windows 10
Windows 11
Windows Server 2016 and above
This topic provides a high-level overview of BitLocker, including a list of system requirements, practical
applications, and deprecated features.
BitLocker overview
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses
the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later.
The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works
with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the
system was offline.
On computers that do not have a TPM version 1.2 or later, you can still use BitLocker to encrypt the Windows
operating system drive. However, this implementation will require the user to insert a USB startup key to start
the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume
password to protect the operating system volume on a computer without TPM. Both options do not provide the
pre-startup system integrity verification offered by BitLocker with a TPM.
In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a
personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a
startup key. These additional security measures provide multifactor authentication and assurance that the
computer will not start or resume from hibernation until the correct PIN or startup key is presented.
Practical applications
Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool
against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate
unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible
when BitLocker-protected computers are decommissioned or recycled.
There are two additional tools in the Remote Server Administration Tools, which you can use to manage
BitLocker.
BitLocker Recover y Password Viewer . The BitLocker Recovery Password Viewer enables you to locate
and view BitLocker Drive Encryption recovery passwords that have been backed up to Active Directory
Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has
been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the
Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. By using this tool,
you can examine a computer object's Proper ties dialog box to view the corresponding BitLocker
recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker
recovery password across all the domains in the Active Directory forest. To view recovery passwords, you
must be a domain administrator, or you must have been delegated permissions by a domain
administrator.
BitLocker Drive Encr yption Tools . BitLocker Drive Encryption Tools include the command-line tools,
manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and
the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker
control panel, and they are appropriate to use for automated deployments and other scripting scenarios.
Repair-bde is provided for disaster recovery scenarios in which a BitLocker protected drive cannot be
unlocked normally or by using the recovery console.
System requirements
BitLocker has the following hardware requirements:
For BitLocker to use the system integrity check provided by a Trusted Platform Module (TPM), the computer
must have TPM 1.2 or later. If your computer does not have a TPM, enabling BitLocker requires that you save a
startup key on a removable device, such as a USB flash drive.
A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The
BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include
support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require TCG-
compliant firmware.
The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage
device class, including reading small files on a USB flash drive in the pre-operating system environment.
IMPORTANT
From Windows 7, you can encrypt an OS drive without a TPM and USB flash drive. For this procedure, see Tip of the Day:
Bitlocker without TPM or USB.
NOTE
TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode
configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For
added security Enable the Secure Boot feature.
Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed
to UEFI. Use the tool MBR2GPT before changing the BIOS mode which will prepare the OS and the disk to support UEFI.
In this section
TO P IC DESC RIP T IO N
Overview of BitLocker Device Encryption in Windows This topic for the IT professional provides an overview of the
ways that BitLocker Device Encryption can help protect data
on devices running Windows.
BitLocker frequently asked questions (FAQ) This topic for the IT professional answers frequently asked
questions concerning the requirements to use, upgrade,
deploy and administer, and key management policies for
BitLocker.
Prepare your organization for BitLocker: Planning and This topic for the IT professional explains how can you plan
policies your BitLocker deployment.
BitLocker basic deployment This topic for the IT professional explains how BitLocker
features can be used to protect your data through drive
encryption.
BitLocker: How to deploy on Windows Server This topic for the IT professional explains how to deploy
BitLocker on Windows Server.
BitLocker: How to enable Network Unlock This topic for the IT professional describes how BitLocker
Network Unlock works and how to configure it.
BitLocker: Use BitLocker Drive Encryption Tools to manage This topic for the IT professional describes how to use tools
BitLocker to manage BitLocker.
BitLocker: Use BitLocker Recovery Password Viewer This topic for the IT professional describes how to use the
BitLocker Recovery Password Viewer.
BitLocker Group Policy settings This topic for IT professionals describes the function,
location, and effect of each Group Policy setting that is used
to manage BitLocker.
BCD settings and BitLocker This topic for IT professionals describes the BCD settings
that are used by BitLocker.
BitLocker Recovery Guide This topic for IT professionals describes how to recover
BitLocker keys from AD DS.
Protect BitLocker from pre-boot attacks This detailed guide will help you understand the
circumstances under which the use of pre-boot
authentication is recommended for devices running
Windows 11, Windows 10, Windows 8.1, Windows 8, or
Windows 7; and when it can be safely omitted from a
device’s configuration.
TO P IC DESC RIP T IO N
Troubleshoot BitLocker This guide describes the resources that can help you
troubleshoot BitLocker issues, and provides solutions for
several common BitLocker issues.
Protecting cluster shared volumes and storage area This topic for IT pros describes how to protect CSVs and
networks with BitLocker SANs with BitLocker.
Enabling Secure Boot and BitLocker Device Encryption on This topic covers how to use BitLocker with Windows IoT
Windows IoT Core Core
Overview of BitLocker Device Encryption in
Windows
3/3/2022 • 13 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Windows Server 2016 and above
This topic explains how BitLocker Device Encryption can help protect data on devices running Windows. For a
general overview and list of topics about BitLocker, see BitLocker.
When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it
must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection
solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows
2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives.
Windows consistently improves data protection by improving existing options and by providing new strategies.
Table 2 lists specific data-protection concerns and how they are addressed in Windows 11, Windows 10, and
Windows 7.
Table 2. Data Protection in Windows 11, Windows 10, and Windows 7
W IN DO W S 7 W IN DO W S 11 A N D W IN DO W S 10
When BitLocker is used with a PIN to protect startup, PCs Modern Windows devices are increasingly protected with
such as kiosks cannot be restarted remotely. BitLocker Device Encryption out of the box and support SSO
to seamlessly protect the BitLocker encryption keys from
cold boot attacks.
When BitLocker is enabled, the provisioning process can take BitLocker pre-provisioning, encrypting hard drives, and Used
several hours. Space Only encryption allow administrators to enable
BitLocker quickly on new computers.
There is no support for using BitLocker with self-encrypting BitLocker supports offloading encryption to encrypted hard
drives (SEDs). drives.
Administrators have to use separate tools to manage BitLocker supports encrypted hard drives with onboard
encrypted hard drives. encryption hardware built in, which allows administrators to
use the familiar BitLocker administrative tools to manage
them.
Encrypting a new flash drive can take more than 20 minutes. Used Space Only encryption in BitLocker To Go allows users
to encrypt removable data drives in seconds.
BitLocker could require users to enter a recovery key when BitLocker requires the user to enter a recovery key only
system configuration changes occur. when disk corruption occurs or when he or she loses the PIN
or password.
W IN DO W S 7 W IN DO W S 11 A N D W IN DO W S 10
Users need to enter a PIN to start the PC, and then their Modern Windows devices are increasingly protected with
password to sign in to Windows. BitLocker Device Encryption out of the box and support SSO
to help protect the BitLocker encryption keys from cold boot
attacks.
NOTE
BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. In case you need to use a different encryption
method and/or cipher strength, the device must be configured and decrypted (if already encrypted) first. After that,
different BitLocker settings can be applied.
Applies to
Windows 10
Windows 11
Windows Server 2016 and above
This topic for the IT professional explains how can you plan your BitLocker deployment.
When you design your BitLocker deployment strategy, define the appropriate policies and configuration
requirements based on the business requirements of your organization. The following sections will help you
collect information. Use this information to help with your decision-making process about deploying and
managing BitLocker systems.
Startup key only Yes The user is prompted for the USB flash
drive that has the recovery key and/or
startup key, and then reboot the
computer.
BitLocker provisioning
In Windows Vista and Windows 7, BitLocker was provisioned after the installation for system and data volumes.
It used the manage-bde command line interface or the Control Panel user interface. With newer operating
systems, BitLocker can be provisioned before the operating system is installed. Preprovisioning requires the
computer have a TPM.
To check the BitLocker status of a particular volume, administrators can look at the drive status in the BitLocker
control panel applet or Windows Explorer. The "Waiting For Activation" status with a yellow exclamation icon
means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector
used when encrypting the volume. In this case, the volume isn't protected, and needs to have a secure key added
to the volume before the drive is considered fully protected. Administrators can use the control panel options,
manage-bde tool, or WMI APIs to add an appropriate key protector. The volume status will be updated.
When using the control panel options, administrators can choose to Turn on BitLocker and follow the steps in
the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or
a password or smart card protector to a data volume. Then the drive security window is presented before
changing the volume status.
Administrators can enable BitLocker before to operating system deployment from the Windows Pre-installation
Environment (WinPE). This step is done with a randomly generated clear key protector applied to the formatted
volume. It encrypts the volume before running the Windows setup process. If the encryption uses the Used Disk
Space Only option, then this step takes only a few seconds. And, it incorporates into the regular deployment
processes.
NOTE
The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for
computer systems that are used by the U.S. federal government. The FIPS 140 standard defines approved cryptographic
algorithms. The FIPS 140 standard also sets forth requirements for key generation and for key management. The National
Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine
whether a particular implementation of a cryptographic algorithm is compliant with the FIPS 140 standard. An
implementation of a cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has
passed NIST validation. An algorithm that hasn't been submitted can't be considered FIPS-compliant, even if the
implementation produces identical data as a validated implementation of the same algorithm.
Before these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the
creation or use of recovery passwords and instead forced the user to use recovery keys. For more information
about these issues, see the support article kb947249.
But on computers running these supported systems with BitLocker enabled:
FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These
protectors use the FIPS 140 NIST SP800-132 algorithm.
Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords
created on other systems.
Recovery unlock using the FIPS-compliant algorithm based recovery password protector work in all cases
that currently work for recovery passwords.
When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write
access even while in FIPS mode.
FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode.
The BitLocker Group Policy settings for recovery passwords work the same for all Windows versions that
support BitLocker, whether in FIPs mode or not.
On Windows Server 2012 R2 and Windows 8.1 and older, you can't use recovery passwords generated on a
system in FIPS mode. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 are
incompatible with BitLocker on operating systems older than Windows Server 2012 R2 and Windows 8.1. So,
recovery keys should be used instead.
More information
Trusted Platform Module
TPM Group Policy settings
BitLocker frequently asked questions (FAQ)
BitLocker
BitLocker Group Policy settings
BitLocker basic deployment
BitLocker deployment comparison
3/3/2022 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Windows Server 2016 and above
This article depicts the BitLocker deployment comparison chart.
Minimum client operating Windows 11 and Windows Windows 11, Windows 10, Windows 7, Windows 8,
system version 10 and Windows 8.1 Windows 8.1, Windows 10,
and Windows 10 IoT
Supported Windows SKUs Enterprise, Pro, Education Enterprise, Pro, Education Enterprise
Supported domain-joined Microsoft Azure Active Active Directory joined, Active Directory joined
status Directory (Azure AD) joined, hybrid Azure AD joined
hybrid Azure AD joined
Server components
required?
Additional agent required? No (device enrollment only) Configuration Manager MBAM client
client
Administrative portal
installation required
Compliance reporting
capabilities
Force encryption
M IC RO SO F T EN DP O IN T M IC RO SO F T B IT LO C K ER
C O N F IGURAT IO N A DM IN IST RAT IO N A N D
REQ UIREM EN T S M IC RO SO F T IN T UN E M A N A GER M O N ITO RIN G ( M B A M )
Manage startup
authentication
Store recovery password for Yes (Active Directory and Yes (Active Directory only) Yes (Active Directory only)
operating system and fixed Azure AD)
drives to Azure AD or
Active Directory
Customize preboot
message and recovery link
Can be administered
outside company network
Wait to complete
encryption until recovery
information is backed up to
Azure AD
M IC RO SO F T EN DP O IN T M IC RO SO F T B IT LO C K ER
C O N F IGURAT IO N A DM IN IST RAT IO N A N D
REQ UIREM EN T S M IC RO SO F T IN T UN E M A N A GER M O N ITO RIN G ( M B A M )
Wait to complete
encryption until recovery
information is backed up to
Active Directory
Manage auto-unlock
functionality
BitLocker basic deployment
3/3/2022 • 21 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Windows Server 2016 and above
This article for the IT professional explains how BitLocker features can be used to protect your data through
drive encryption.
NOTE
For more info about using this tool, see Bdehdcfg in the Command-Line Reference.
Hardware configuration The computer must meet the minimum requirements for the
supported Windows versions.
File system For computers that boot natively with UEFI firmware, at least
one FAT32 partition for the system drive and one NTFS
partition for the operating system drive.
For computers with legacy BIOS firmware, at least two NTFS
disk partitions, one for the system drive and one for the
operating system drive.
For either firmware, the system drive partition must be at
least 350 megabytes (MB) and set as the active partition.
Hardware encrypted drive prerequisites (optional) To use a hardware encrypted drive as the boot drive, the
drive must be in the uninitialized state and in the security
inactive state. In addition, the system must always boot with
native UEFI version 2.3.1 or higher and the CSM (if any)
disabled.
Upon passing the initial configuration, users are required to enter a password for the volume. If the volume does
not pass the initial configuration for BitLocker, the user is presented with an error dialog describing the
appropriate actions to be taken. Once a strong password has been created for the volume, a recovery key will be
generated. The BitLocker Drive Encryption Wizard will prompt for a location to save this key. A BitLocker
recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time
on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that
Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and
BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A
recovery key can also be used to gain access to your files and folders on a removable data drive (such as an
external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason you forget the
password or your computer cannot access the drive.
You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network
folder or on your OneDrive, or on another drive of your computer that you are not encrypting. You cannot save
the recovery key to the root directory of a non-removable drive and cannot be stored on the encrypted volume.
You cannot save the recovery key for a removable data drive (such as a USB flash drive) on removable media.
Ideally, you should store the recovery key separate from your computer. After you create a recovery key, you can
use the BitLocker control panel to make additional copies.
When the recovery key has been properly stored, the BitLocker Drive Encryption Wizard will prompt the user to
choose how to encrypt the drive. There are two options:
Encrypt used disk space only - Encrypts only disk space that contains data
Encrypt entire drive - Encrypts the entire volume including free space
It is recommended that drives with little to no data utilize the used disk space only encryption option and that
drives with data or an operating system utilize the encr ypt entire drive option.
NOTE
Deleted files appear as free space to the file system, which is not encrypted by used disk space only . Until they are
wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools.
Selecting an encryption type and choosing Next will give the user the option of running a BitLocker system
check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption
keys before the volume encryption begins. We recommend running this system check before starting the
encryption process. If the system check is not run and a problem is encountered when the operating system
attempts to start, the user will need to provide the recovery key to start Windows.
After completing the system check (if selected), the BitLocker Drive Encryption Wizard will restart the computer
to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating
system volume. Users can check encryption status by checking the system notification area or the BitLocker
control panel.
Until encryption is completed, the only available options for managing BitLocker involve manipulation of the
password protecting the operating system volume, backing up the recovery key, and turning off BitLocker.
Data volume
Encrypting data volumes using the BitLocker control panel interface works in a similar fashion to encryption of
the operating system volumes. Users select Turn on BitLocker within the control panel to begin the BitLocker
Drive Encryption wizard. Unlike for operating system volumes, data volumes are not required to pass any
configuration tests for the wizard to proceed. Upon launching the wizard, a choice of authentication methods to
unlock the drive appears. The available options are password and smar t card and automatically unlock
this drive on this computer . Disabled by default, the latter option will unlock the data volume without user
input when the operating system volume is unlocked.
After selecting the desired authentication method and choosing Next , the wizard presents options for storage of
the recovery key. These options are the same as for operating system volumes. With the recovery key saved,
selecting Next in the wizard will show available options for encryption. These options are the same as for
operating system volumes; used disk space only and full drive encr yption . If the volume being encrypted
is new or empty, it is recommended that used space only encryption is selected.
With an encryption method chosen, a final confirmation screen displays before beginning the encryption
process. Selecting Star t encr ypting will begin encryption.
Encryption status displays in the notification area or within the BitLocker control panel.
OneDrive option
There is a new option for storing the BitLocker recovery key using the OneDrive. This option requires that
computers are not members of a domain and that the user is using a Microsoft Account. Local accounts do not
give the option to utilize OneDrive. Using the OneDrive option is the default, recommended recovery key
storage method for computers that are not joined to a domain.
Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder that is
created automatically during the save process. The folder will contain two files, a readme.txt and the recovery
key. For users storing more than one recovery password on their OneDrive, they can identify the required
recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
Using BitLocker within Windows Explorer
Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by right-clicking a volume and
selecting Turn On BitLocker . This option is available on client computers by default. On servers, you must first
install the BitLocker and Desktop-Experience features for this option to be available. After selecting Turn on
BitLocker , the wizard works exactly as it does when launched using the BitLocker control panel.
Down-level compatibility
The following table shows the compatibility matrix for systems that have been BitLocker enabled then presented
to a different version of Windows.
Table 1: Cross compatibility for Windows 11, Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted
volumes
W IN DO W S 11, W IN DO W S
EN C RY P T IO N T Y P E 10, A N D W IN DO W S 8. 1 W IN DO W S 8 W IN DO W S 7
Partially encrypted volume Windows 11, Windows 10, Windows 8 will complete N/A
from Windows 7 and Windows 8.1 will encryption regardless of
complete encryption policy
regardless of policy
This command returns the volumes on the target, current encryption status, and volume type (operating system
or data) for each volume. Using this information, users can determine the best encryption method for their
environment.
Enabling BitLocker without a TPM
For example, suppose that you want to enable BitLocker on a computer without a TPM chip. To properly enable
BitLocker for the operating system volume, you will need to use a USB flash drive as a startup key to boot (in
this example, the drive letter E). You would first create the startup key needed for BitLocker using the –protectors
option and save it to the USB drive on E: and then begin the encryption process. You will need to reboot the
computer when prompted to complete the encryption process.
This command will encrypt the drive using the TPM as the protector. If a user is unsure of the protector for a
volume, they can use the -protectors option in manage-bde to list this information with the command:
manage-bde -protectors -get <volume>
This command will require the user to enter and then confirm the password protector before adding them to the
volume. With the protectors enabled on the volume, the user just needs to turn on BitLocker.
Data volume
Data volumes use the same syntax for encryption as operating system volumes but they do not require
protectors for the operation to complete. Encrypting data volumes can be done using the base command:
manage-bde -on <drive letter> or users can choose to add protectors to the volume. We recommend that you
add at least one primary protector and a recovery protector to a data volume.
Enabling BitLocker with a password
A common protector for a data volume is the password protector. In the example below, we add a password
protector to the volume and turn on BitLocker.
NAME PA RA M ET ERS
Add-BitLockerKeyProtector ADAccountOrGroup
ADAccountOrGroupProtector
Confirm
MountPoint
Password
PasswordProtector
Pin
RecoveryKeyPath
RecoveryKeyProtector
RecoveryPassword
RecoveryPasswordProtector
Service
StartupKeyPath
StartupKeyProtector
TpmAndPinAndStartupKeyProtector
TpmAndPinProtector
TpmAndStartupKeyProtector
TpmProtector
WhatIf
Backup-BitLockerKeyProtector Confirm
KeyProtectorId
MountPoint
WhatIf
Disable-BitLocker Confirm
MountPoint
WhatIf
Disable-BitLockerAutoUnlock Confirm
MountPoint
WhatIf
Enable-BitLocker AdAccountOrGroup
AdAccountOrGroupProtector
Confirm
EncryptionMethod
HardwareEncryption
Password
PasswordProtector
Pin
RecoveryKeyPath
RecoveryKeyProtector
RecoveryPassword
RecoveryPasswordProtector
Service
SkipHardwareTest
StartupKeyPath
StartupKeyProtector
TpmAndPinAndStartupKeyProtector
TpmAndPinProtector
TpmAndStartupKeyProtector
TpmProtector
UsedSpaceOnly
WhatIf
NAME PA RA M ET ERS
Enable-BitLockerAutoUnlock Confirm
MountPoint
WhatIf
Get-BitLockerVolume MountPoint
Lock-BitLocker Confirm
ForceDismount
MountPoint
WhatIf
Remove-BitLockerKeyProtector Confirm
KeyProtectorId
MountPoint
WhatIf
Resume-BitLocker Confirm
MountPoint
WhatIf
Suspend-BitLocker Confirm
MountPoint
RebootCount
WhatIf
Unlock-BitLocker AdAccountOrGroup
Confirm
MountPoint
Password
RecoveryKeyPath
RecoveryPassword
RecoveryPassword
WhatIf
Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the
control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting
prior to running Windows PowerShell cmdlets.
A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the
Get-BitLocker volume cmdlet. The output from this cmdlet displays information on the volume type, protectors,
protection status, and other useful information.
Occasionally, all protectors may not be shown when using Get-BitLockerVolume due to lack of space in the
output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe
command (|) to format a listing of the protectors.
NOTE
In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For
volumes with more than four protectors, use the method described in the section below to generate a listing of all
protectors with protector ID.
Get-BitLockerVolume C: | fl
If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the
Remove-BitLockerKeyProtector cmdlet. Accomplishing this task requires the GUID associated with the protector
to be removed. A simple script can pipe the values of each Get-BitLockerVolume return out to another
variable as seen below:
$vol = Get-BitLockerVolume
$keyprotectors = $vol.KeyProtector
Using this script, we can display the information in the $keyprotectors variable to determine the GUID for each
protector. Using this information, we can then remove the key protector for a specific volume using the
command:
NOTE
The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID,
with braces, is included in the command.
Enable-BitLocker C:
The example below adds one additional protector, the StartupKey protectors, and chooses to skip the BitLocker
hardware test. In this example, encryption starts immediately without the need for a reboot.
Data volume
Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the
desired protectors prior to encrypting the volume. The following example adds a password protector to the E:
volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the
user-defined password. Last, encryption begins.
To add an ADAccountOrGroup protector to a volume, you need either the actual domain SID or the group name
preceded by the domain and a backslash. In the example below, the CONTOSO\Administrator account is added
as a protector to the data volume G.
For users who wish to use the SID for the account or group, the first step is to determine the SID associated with
the account. To get the specific SID for a user account in Windows PowerShell, use the following command:
NOTE
Use of this command requires the RSAT-AD-PowerShell feature.
TIP
In addition to the Windows PowerShell command above, information about the locally logged on user and group
membership can be found using: WHOAMI /ALL. This does not require the use of additional features.
In the example below, the user wishes to add a domain SID-based protector to the previously encrypted
operating system volume. The user knows the SID for the user account or group they wish to add and uses the
following command:
NOTE
Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
Waiting for Activation BitLocker is enabled with a clear protector key and requires
further action to be fully protected
If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation
icon on the volume. This status means that there was only a clear protector used when encrypting the volume.
In this case, the volume is not in a protected state and needs to have a secure key added to the volume before
the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an
appropriate key protector. Once complete, the control panel will update to reflect the new status. Using the
control panel, administrators can choose Turn on BitLocker to start the BitLocker Drive Encryption wizard and
add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart
card protector to a data volume. The drive security window displays prior to changing the volume status.
Selecting Activate BitLocker will complete the encryption process.
Once BitLocker protector activation is completed, the completion notice is displayed.
Checking BitLocker status with manage -bde
Administrators who prefer a command-line interface can utilize manage-bde to check volume status. Manage-
bde is capable of returning more information about the volume than the graphical user interface tools in the
control panel. For example, manage-bde can display the BitLocker version in use, the encryption type, and the
protectors associated with a volume.
To check the status of a volume using manage-bde, use the following command:
NOTE
If no volume letter is associated with the -status command, all volumes on the computer display their status.
This command will display information about the encryption method, volume type, key protectors, etc.
Provisioning BitLocker during operating system deployment
Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation
Environment. This task is done with a randomly generated clear key protector applied to the formatted volume
and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk
Space Only option described later in this document, this step takes only a few seconds and incorporates well
into regular deployment processes.
Decrypting BitLocker volumes
Decrypting volumes removes BitLocker and any associated protectors from the volumes. Decryption should
occur when protection is no longer required. BitLocker decryption should not occur as a troubleshooting step.
BitLocker can be removed from a volume using the BitLocker control panel applet, manage-bde, or Windows
PowerShell cmdlets. We will discuss each method further below.
Decrypting volumes using the BitLocker control panel applet
BitLocker decryption using the control panel is done using a Wizard. The control panel can be called from
Windows Explorer or by opening the directly. After opening the BitLocker control panel, users will select the Turn
off BitLocker option to begin the process. Once selected, the user chooses to continue by clicking the
confirmation dialog. With Turn off BitLocker confirmed, the drive decryption process will begin and report status
to the control panel.
The control panel does not report decryption progress but displays it in the notification area of the task bar.
Selecting the notification area icon will open a modal dialog with progress.
Once decryption is complete, the drive will update its status in the control panel and is available for encryption.
Decrypting volumes using the manage -bde command-line interface
Decrypting volumes using manage-bde is straightforward. Decryption with manage-bde offers the advantage
of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the
decryption process. A sample command for decryption is:
manage-bde -off C:
This command disables protectors while it decrypts the volume and removes all protectors when decryption is
complete. If a user wishes to check the status of the decryption, they can use the following command:
manage-bde -status C:
Disable-BitLocker
If a user did not want to input each mount point individually, using the -MountPoint parameter in an array can
sequence the same command into one line without requiring additional user input. An example command is:
See also
Prepare your organization for BitLocker: Planning and policies
BitLocker recovery guide
BitLocker: How to enable Network Unlock
BitLocker overview
BitLocker: How to deploy on Windows Server 2012
and later
3/3/2022 • 4 minutes to read • Edit Online
Applies to: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
This topic for the IT professional explains how to deploy BitLocker on Windows Server 2012 and later. For all
Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets.
BitLocker requires administrator privileges on the server to install.
Installing BitLocker
To install BitLocker using Server Manager
1. Open Server Manager by selecting the Server Manager icon or running servermanager.exe.
2. Select Manage from the Ser ver Manager Navigation bar and select Add Roles and Features to
start the Add Roles and Features Wizard.
3. With the Add Roles and Features Wizard open, select Next at the Before you begin pane (if shown).
4. Select Role-based or feature-based installation on the Installation type pane of the Add Roles
and Features Wizard pane and select Next to continue.
5. Select the Select a ser ver from the ser ver pool option in the Ser ver Selection pane and confirm
the server for the BitLocker feature install.
6. Server roles and features install using the same wizard in Server Manager. Select Next on the Ser ver
Roles pane of the Add Roles and Features wizard to proceed to the Features pane.
7. Select the check box next to BitLocker Drive Encr yption within the Features pane of the Add Roles
and Features Wizard . The wizard will show the additional management features available for BitLocker.
If you do not want to install these features, deselect the Include management tools option and select
Add Features . Once optional features selection is complete, select Next to proceed in the wizard.
Note: The Enhanced Storage feature is a required feature for enabling BitLocker. This feature
enables support for Encrypted Hard Drives on capable systems.
8. Select Install on the Confirmation pane of the Add Roles and Features Wizard to begin BitLocker
feature installation. The BitLocker feature requires a restart to complete. Selecting the Restar t the
destination ser ver automatically if required option in the Confirmation pane will force a restart of
the computer after installation is complete.
9. If the Restar t the destination ser ver automatically if required check box is not selected, the
Results pane of the Add Roles and Features Wizard will display the success or failure of the
BitLocker feature installation. If required, a notification of additional action necessary to complete the
feature installation, such as the restart of the computer, will be displayed in the results text.
To install BitLocker using Windows PowerShell
Windows PowerShell offers administrators another option for BitLocker feature installation. Windows
PowerShell installs features using the servermanager or dism module; however, the servermanager and dism
modules do not always share feature name parity. Because of this, it is advisable to confirm the feature or role
name prior to installation.
Note: You must restart the server to complete the installation of BitLocker.
The results of this command show that only the BitLocker Drive Encryption feature installs using this command.
To see what would be installed with the BitLocker feature including all available management tools and sub-
features, use the following command:
The result of this command displays the following list of all the administration tools for BitLocker that would be
installed along with the feature, including tools for use with Active Directory Domain Services (AD DS) and
Active Directory Lightweight Directory Services (AD LDS).
BitLocker Drive Encryption
BitLocker Drive Encryption Tools
BitLocker Drive Encryption Administration Utilities
BitLocker Recovery Password Viewer
AD DS Snap-Ins and Command-Line Tools
AD DS Tools
AD DS and AD LDS Tools
The command to complete a full installation of the BitLocker feature with all available features and then
rebooting the server at completion is:
Impor tant: Installing the BitLocker feature using Windows PowerShell does not install the Enhanced
Storage feature. Administrators wishing to support Encrypted Hard Drives in their environment will need to
install the Enhanced Storage feature separately.
From this output, we can see that there are three BitLocker related optional feature names: BitLocker, BitLocker-
Utilities and BitLocker-NetworkUnlock. To install the BitLocker feature, the BitLocker and BitLocker-Utilities
features are the only required items.
To install BitLocker using the dism module, use the following command:
This command will prompt the user for a reboot. The Enable-WindowsOptionalFeature cmdlet does not offer
support for forcing a reboot of the computer. This command does not include installation of the management
tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following
command:
More information
BitLocker overview
BitLocker frequently asked questions (FAQ)
Prepare your organization for BitLocker: Planning and policies
BitLocker: How to enable Network Unlock
BitLocker Management for Enterprises
3/3/2022 • 5 minutes to read • Edit Online
The ideal for BitLocker management is to eliminate the need for IT admins to set management policies using
tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision
leverages modern hardware developments. The growth of TPM 2.0, Secure Boot, and other hardware
improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a
consequent decrease in support call volumes, yielding improved user satisfaction. Windows continues to be the
focus for new features and improvements for built-in encryption management, such as automatically enabling
encryption on devices that support Modern Standby beginning with Windows 8.1.
Though much Windows BitLocker documentation has been published, customers frequently ask for
recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused
on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to
help answer this and other related frequently-asked questions, and also provides BitLocker recommendations
for different types of computers.
IMPORTANT
Microsoft BitLocker Administration and Monitoring (MBAM) capabilities will be offered from ConfigMgr in on-prem
scenarios in the future.
Managing servers
Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use
PowerShell to enable BitLocker on a server, ideally as part of the initial setup. BitLocker is an Optional
Component (OC) in Windows Server, so follow the directions in BitLocker: How to deploy on Windows Server
2012 and later to add the BitLocker OC.
The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a Server Core
installation, you must add the necessary GUI components first. The steps to add shell components to Server
Core are described in Using Features on Demand with Updated Systems and Patched Images and How to
update local source media to add roles and features.
If you are installing a server manually, such as a stand-alone server, then choosing Server with Desktop
Experience is the easiest path because you can avoid performing the steps to add a GUI to Server Core.
Additionally, lights out data centers can take advantage of the enhanced security of a second factor while
avoiding the need for user intervention during reboots by optionally using a combination of BitLocker
(TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware
protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps,
see BitLocker: How to enable Network Unlock.
For more information, see the Bitlocker FAQs article and other useful links in Related Articles.
PowerShell examples
For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure
Active Directory.
Example: Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker
For domain-joined computers, including servers, the recovery password should be stored in Active Directory
Domain Services (AD DS).
Example: Use PowerShell to add a recovery password and back it up to AD DS before enabling BitLocker
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
Example: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456
Related Articles
BitLocker: FAQs
Microsoft BitLocker Administration and Management (MBAM)
Overview of BitLocker Device Encryption in Windows
BitLocker Group Policy Reference
Microsoft Intune (Overview)
Configuration Settings Providers (Policy CSP: See Security-RequireDeviceEncryption)
BitLocker CSP
Windows Ser ver setup tools
Windows Server Installation Options
How to update local source media to add roles and features
How to add or remove optional components on Server Core (Features on Demand)
BitLocker: How to deploy on Windows Server 2012 and newer
BitLocker: How to enable Network Unlock
Shielded VMs and Guarded Fabric
PowerShell
BitLocker cmdlets for Windows PowerShell
Surface Pro Specifications
BitLocker: How to enable Network Unlock
3/3/2022 • 20 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Windows Server 2016 and above
This article for IT professionals describes how BitLocker Network Unlock works and how to configure it.
Network Unlock was introduced in Windows 8 and Windows Server 2012 as a BitLocker protector option for
operating system volumes. Network Unlock helps you manage BitLocker-enabled desktops and servers in a
domain environment by automatically unlocking operating system volumes when the system is rebooted and is
connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver
implemented in its UEFI firmware.
Without Network Unlock, operating system volumes that use TPM+PIN protectors require a PIN when a
computer reboots or resumes after hibernation (for example, by Wake on LAN). For enterprises, this setup can
make software patches difficult to roll out to unattended desktops and remotely administered servers.
Network Unlock allows BitLocker-enabled systems that use TPM+PIN and that meet the hardware requirements
to boot into Windows without user intervention. Network Unlock works like the TPM+StartupKey at boot. But
the StartupKey doesn't need to be read from USB media. Instead, the key for Network Unlock is composed from
a key that's stored in the TPM and an encrypted network key that's sent to the server. It's decrypted and returned
to the client in a secure session.
NOTE
To properly support DHCP within UEFI, the UEFI-based system should be in native mode and shouldn't have a
compatibility support module (CSM) enabled.
On computers that run Windows 8 and later, the first network adapter on the computer, usually the onboard
adapter, must be configured to support DHCP. This adapter must be used for Network Unlock.
Use this configuration especially when you have multiple adapters and you want to configure one without DHCP,
such as for a lights-out management protocol. The configuration is necessary because Network Unlock stops
enumerating adapters when it reaches an adapter that has a DHCP port that has failed for any reason. So if the
first enumerated adapter doesn't support DHCP, isn't plugged into the network, or fails to report availability of
the DHCP port for any reason, then Network Unlock will fail.
On supported versions of Windows Server 2012 and later, the Network Unlock server component installs as a
Windows feature. It uses Server Manager or Windows PowerShell cmdlets. In Server Manager, the feature name
is BitLocker Network Unlock. In Windows PowerShell, the feature name is BitLocker-NetworkUnlock. This
feature is a core requirement.
Network Unlock requires WDS in the environment where the feature will be used. Configuration of the WDS
installation isn't required. But the WDS service must be running on the server.
The network key is stored on the system drive along with an AES 256 session key. It's encrypted with the 2048-
bit RSA public key of the unlock server's certificate. The network key is decrypted with the help of a provider on
a supported version of Windows Server that's running WDS. The network key is returned encrypted with its
corresponding session key.
Install-WindowsFeature WDS-Deployment
Configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Domain
Services) and the client computer. Use the WDS management tool, wdsmgmt.msc . This tool starts the Windows
Deployment Services Configuration Wizard.
Confirm the WDS service is running
To confirm the WDS service is running, use the Services Management console or Windows PowerShell. To
confirm the service is running in the Services Management console, open the console by using services.msc .
Then check the status of the WDS service.
To confirm the service is running by using Windows PowerShell, use the following command:
Get-Service WDSServer
Install-WindowsFeature BitLocker-NetworkUnlock
[NewRequest]
Subject="CN=BitLocker Network Unlock certificate"
ProviderType=0
MachineKeySet=True
Exportable=true
RequestType=Cert
KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG | NCRYPT_ALLOW_SIGNING_FLAG"
KeyLength=2048
SMIME=FALSE
HashAlgorithm=sha512
[Extensions]
1.3.6.1.4.1.311.21.10 = "{text}"
_continue_ = "OID=1.3.6.1.4.1.311.67.1.1"
2.5.29.37 = "{text}"
_continue_ = "1.3.6.1.4.1.311.67.1.1"
3. Open an elevated command prompt and use the certreq tool to create a new certificate. Use the
following command, specifying the full path to the file that you created previously. Also specify the file
name.
4. Verify the previous command properly created the certificate by confirming the .cer file exists.
5. Launch Cer tificates - Local Machine by running certlm.msc .
6. Create a .pfx file by opening the Certificates – Local Computer\Personal\Certificates path in the
navigation pane. Right-click the previously imported certificate, and then select All Tasks > Expor t .
Follow through the steps to create the .pfx file.
Deploy the private key and certificate to the WDS server
Now that you've created the certificate and key, deploy them to the infrastructure to properly unlock systems. To
deploy the certificates:
1. On the WDS server, open a new Microsoft Management Console (MMC), and then add the certificates snap-
in. When you're prompted, select the computer account and local computer.
2. Right-click Cer tificates (Local Computer) - BitLocker Drive Encr yption Network Unlock , and then
choose All Tasks > Impor t .
3. In the File to Impor t dialog box, choose the .pfx file that you created previously.
4. Enter the password that you used to create the .pfx file, and finish the steps.
Configure Group Policy settings for Network Unlock
You've now deployed the certificate and key to the WDS server for Network Unlock. In the final step, you'll use
Group Policy settings to deploy the public key certificate to computers that you want to be able to unlock by
using the Network Unlock key. Find Group Policy settings for BitLocker in \Computer
Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption by using the Local
Group Policy Editor or the MMC.
To enable the Group Policy setting that's required to configure Network Unlock:
1. Open Group Policy Management Console ( gpmc.msc ).
2. Enable the policy Require additional authentication at star tup , and then select Require star tup PIN
with TPM or Allow star tup PIN with TPM .
3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
To deploy the required Group Policy setting:
NOTE
The Group Policy settings Allow network unlock at star tup and Add Network Unlock Cer tificate were introduced
in Windows Server 2012.
1. Copy the .cer file that you created for Network Unlock to the domain controller.
2. On the domain controller, open Group Policy Management Console ( gpmc.msc ).
3. Create a new Group Policy Object or modify an existing object to enable the Allow network unlock at
star tup setting.
4. Deploy the public certificate to clients:
a. In Group Policy Management Console, go to Computer Configuration\Policies\Windows
Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption Network Unlock Certificate.
b. Right-click the folder, and then choose Add Network Unlock Cer tificate .
c. Follow the steps and import the .cer file that you copied earlier.
NOTE
Only one network unlock certificate can be available at a time. If you need a new certificate, delete the current
certificate before you deploy a new one. The Network Unlock certificate is located in the
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\FVE_NKP key on the client computer.
NOTE
The Network (Cer tificate Based) protector is added only after a reboot where the policy is enabled and a valid
certificate is present in the FVE_NKP store.
[SUBNETS]
SUBNET1=10.185.250.0/24 ; a comment about this subrange could be here, after the semicolon
SUBNET2=10.185.252.200/28
SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet
SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-
EXCEPT-RECEP.
Following the [SUBNETS] section are sections for each Network Unlock certificate. A certificate is identified by
the certificate thumbprint, which is formatted without any spaces. These sections define subnet clients that you
can unlock by using that certificate.
NOTE
When you specify the certificate thumbprint, don't include spaces. Thumbprints that include spaces aren't recognized as
valid. The spaces will cause the subnet configuration to fail.
Each certificate section defines subnet restrictions by denoting the allowed list of permitted subnets. If any
subnets are listed in a certificate section, then only those subnets are permitted for that certificate. If no subnet
is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate has no section in
the subnet policy configuration file, then no subnet unlocking restrictions are applied for that certificate.
So to apply restrictions to every certificate, you must add a certificate section for every Network Unlock
certificate on the server. And you must add an explicit allow list set for each certificate section.
Create subnet lists by putting the name of a subnet from the [SUBNETS] section on its own line below the
certificate section header. Then, the server will unlock clients that have this certificate only on the subnets that
the list specifies.
To troubleshoot, you can quickly exclude a subnet without deleting it from the section. Just comment it out by
using a prepended semicolon.
[2158a767e1c14e88e27a4c0aee111d2de2eafe60]
;Comments could be added here to indicate when the cert was issued, which Group Policy should get it, and so
on.
;This list shows this cert is allowed to unlock clients only on the SUBNET1 and SUBNET3 subnets. In this
example, SUBNET2 is commented out.
SUBNET1
;SUBNET2
SUBNET3
To disallow the use of a certificate altogether, add a DISABLED line to its subnet list.
NOTE
Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also
effectively disable the server's ability to respond to unlock requests for that certificate. However, this condition is seen as
an error. It's not a supported or recommended method for turning off the Network Unlock server.
NOTE
Servers that don't receive the Group Policy Object (GPO) will require a PIN when they boot. In such cases, find out why
the server didn't receive the GPO to update the certificate.
The Network Monitor capture on the server that hosts the WDS role, filtered by client IP address.
See also
BitLocker overview
BitLocker frequently asked questions (FAQ)
Prepare your organization for BitLocker: Planning and policies
BitLocker: Use BitLocker Drive Encryption Tools to
manage BitLocker
3/3/2022 • 10 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Windows Server 2016 and above
This article for the IT professional describes how to use tools to manage BitLocker.
BitLocker Drive Encryption Tools include the command-line tools manage-bde and repair-bde and the BitLocker
cmdlets for Windows PowerShell.
Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through
the BitLocker control panel and are appropriate to use for automated deployments and other scripting
scenarios.
Repair-bde is a special circumstance tool that is provided for disaster recovery scenarios in which a BitLocker
protected drive cannot be unlocked normally or using the recovery console.
1. Manage-bde
2. Repair-bde
3. BitLocker cmdlets for Windows PowerShell
Manage-bde
Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers
additional options not displayed in the BitLocker control panel. For a complete list of the manage-bde options,
see the Manage-bde command-line reference.
Manage-bde includes fewer default settings and requires greater customization for configuring BitLocker. For
example, using just the manage-bde -on command on a data volume will fully encrypt the volume without any
authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker
protection, even though the command successfully completed because an authentication method needs to be
added to the volume for it to be fully protected. The following sections provide examples of common usage
scenarios for manage-bde.
Using manage -bde with operating system volumes
Listed below are examples of basic valid commands for operating system volumes. In general, using only the
manage-bde -on <drive letter> command will encrypt the operating system volume with a TPM-only protector
and no recovery key. However, many environments require more secure protectors such as passwords or PIN
and expect to be able to recover information with a recovery key. We recommend that you add at least one
primary protector and a recovery protector to an operating system volume.
A good practice when using manage-bde is to determine the volume status on the target system. Use the
following command to determine volume status:
manage-bde -status
This command returns the volumes on the target, current encryption status, encryption method, and volume
type (operating system or data) for each volume:
The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the
encryption process, you must create the startup key needed for BitLocker and save it to the USB drive. When
BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to
obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to
reboot to complete the encryption process.
NOTE
After the encryption is completed, the USB startup key must be inserted before the operating system can be started.
An alternative to the startup key protector on non-TPM hardware is to use a password and an
ADaccountorgroup protector to protect the operating system volume. In this scenario, you would add the
protectors first. To add them, use this command:
This command will require you to enter and then confirm the password protector before adding them to the
volume. With the protectors enabled on the volume, you can then turn on BitLocker.
On computers with a TPM, it is possible to encrypt the operating system volume without any defined protectors
using manage-bde. Use this command:
manage-bde -on C:
This command encrypts the drive using the TPM as the default protector. If you are not sure if a TPM protector is
available, to list the protectors available for a volume, run the following command:
manage-bde -protectors -get <volume>
Repair-bde
You may experience a problem that damages an area of a hard disk on which BitLocker stores critical
information. This kind of problem may be caused by a hard disk failure or if Windows exits unexpectedly.
The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if
the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage
recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the
BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in
addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain
Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the
recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is
corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use
the BitLocker Recovery Password Viewer to obtain this key package from AD DS.
TIP
If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use
the command manage-bde -KeyPackage to generate a key package for a volume.
The Repair-bde command-line tool is intended for use when the operating system does not start or when you
cannot start the BitLocker Recovery Console. Use Repair-bde if the following conditions are true:
You have encrypted the drive by using BitLocker Drive Encryption.
Windows does not start, or you cannot start the BitLocker recovery console.
You do not have a copy of the data that is contained on the encrypted drive.
NOTE
Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose
and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment
(Windows RE) provides additional options to repair computers.
NAME PA RA M ET ERS
Add-BitLockerKeyProtector ADAccountOrGroup
ADAccountOrGroupProtector
Confirm
MountPoint
Password
PasswordProtector
Pin
RecoveryKeyPath
RecoveryKeyProtector
RecoveryPassword
RecoveryPasswordProtector
Service
StartupKeyPath
StartupKeyProtector
TpmAndPinAndStartupKeyProtector
TpmAndPinProtector
TpmAndStartupKeyProtector
TpmProtector
WhatIf
Backup-BitLockerKeyProtector Confirm
KeyProtectorId
MountPoint
WhatIf
Disable-BitLocker Confirm
MountPoint
WhatIf
Disable-BitLockerAutoUnlock Confirm
MountPoint
WhatIf
NAME PA RA M ET ERS
Enable-BitLocker AdAccountOrGroup
AdAccountOrGroupProtector
Confirm
EncryptionMethod
HardwareEncryption
Password
PasswordProtector
Pin
RecoveryKeyPath
RecoveryKeyProtector
RecoveryPassword
RecoveryPasswordProtector
Service
SkipHardwareTest
StartupKeyPath
StartupKeyProtector
TpmAndPinAndStartupKeyProtector
TpmAndPinProtector
TpmAndStartupKeyProtector
TpmProtector
UsedSpaceOnly
WhatIf
Enable-BitLockerAutoUnlock Confirm
MountPoint
WhatIf
Get-BitLockerVolume MountPoint
Lock-BitLocker Confirm
ForceDismount
MountPoint
WhatIf
Remove-BitLockerKeyProtector Confirm
KeyProtectorId
MountPoint
WhatIf
Resume-BitLocker Confirm
MountPoint
WhatIf
Suspend-BitLocker Confirm
MountPoint
RebootCount
WhatIf
Unlock-BitLocker AdAccountOrGroup
Confirm
MountPoint
Password
RecoveryKeyPath
RecoveryPassword
RecoveryPassword
WhatIf
Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the
control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting
prior to running Windows PowerShell cmdlets.
A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the
Get-BitLockerVolume cmdlet.
The Get-BitLockerVolume cmdlet output gives information on the volume type, protectors, protection status, and
other details.
TIP
Occasionally, all protectors may not be shown when using Get-BitLockerVolume due to lack of space in the output
display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to
format a full listing of the protectors. Get-BitLockerVolume C: | fl
If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you could use the
Remove-BitLockerKeyProtector cmdlet. Accomplishing this requires the GUID associated with the protector to be
removed.
A simple script can pipe the values of each Get-BitLockerVolume return out to another variable as seen below:
$vol = Get-BitLockerVolume
$keyprotectors = $vol.KeyProtector
By using this script, you can display the information in the $keyprotectors variable to determine the GUID for
each protector.
By using this information, you can then remove the key protector for a specific volume using the command:
NOTE
The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID,
with braces, is included in the command.
Using the BitLocker Windows PowerShell cmdlets with operating system volumes
Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting
operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the
desired protector as part command for encrypting the volume. Below are examples of common user scenarios
and steps to accomplish them in BitLocker Windows PowerShell.
The following example shows how to enable BitLocker on an operating system drive using only the TPM
protector:
Enable-BitLocker C:
In the example below, adds one additional protector, the StartupKey protector and chooses to skip the BitLocker
hardware test. In this example, encryption starts immediately without the need for a reboot.
WARNING
The ADAccountOrGroup protector requires the use of an additional protector for use (such as TPM, PIN, or recovery
key) when used on operating system volumes
To add an ADAccountOrGroup protector to a volume, use either the actual domain SID or the group name
preceded by the domain and a backslash. In the example below, the CONTOSO\Administrator account is added
as a protector to the data volume G.
For users who wish to use the SID for the account or group, the first step is to determine the SID associated with
the account. To get the specific SID for a user account in Windows PowerShell, use the following command:
NOTE
Use of this command requires the RSAT-AD-PowerShell feature.
TIP
In addition to the PowerShell command above, information about the locally logged on user and group membership can
be found using: WHOAMI /ALL. This does not require the use of additional features.
The following example adds an ADAccountOrGroup protector to the previously encrypted operating system
volume using the SID of the account:
More information
BitLocker overview
BitLocker frequently asked questions (FAQ)
Prepare your organization for BitLocker: Planning and policies
BitLocker: How to enable Network Unlock
BitLocker: How to deploy on Windows Server 2012
BitLocker: Use BitLocker Recovery Password Viewer
3/3/2022 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Windows Server 2016 and above
This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer.
The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server
Administration Tools (RSAT). It lets you locate and view BitLocker recovery passwords that are stored in Active
Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has
been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an
extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using
this tool, you can examine a computer object's Proper ties dialog box to view the corresponding BitLocker
recovery passwords. Additionally you can right-click a domain container and then search for a BitLocker
recovery password across all the domains in the Active Directory forest. You can also search for a password by
password identifier (ID).
More information
BitLocker Overview
BitLocker frequently asked questions (FAQ)
Prepare your organization for BitLocker: Planning and policies
BitLocker: How to deploy on Windows Server 2012
BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker
BitLocker Group Policy settings
3/3/2022 • 79 minutes to read • Edit Online
Applies to:
Windows 10, Windows 11, Windows Server 2019, Windows Server 2016, Windows 8.1, and Windows
Server 2012 R2
This article for IT professionals describes the function, location, and effect of each Group Policy setting that is
used to manage BitLocker Drive Encryption.
To control the drive encryption tasks the user can perform from the Windows Control Panel or to modify other
configuration options, you can use Group Policy administrative templates or local computer policy settings. How
you configure these policy settings depends on how you implement BitLocker and what level of user interaction
will be allowed.
NOTE
A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those
settings, see Trusted Platform Module Group Policy settings.
BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy
Management Console (GPMC) under Computer Configuration\Administrative Templates\Windows
Components\BitLocker Drive Encr yption . Most of the BitLocker Group Policy settings are applied when
BitLocker is initially turned on for a drive. If a computer isn't compliant with existing Group Policy settings,
BitLocker may not be turned on or modified until the computer is in a compliant state. When a drive is out of
compliance with Group Policy settings (for example, if a Group Policy setting was changed after the initial
BitLocker deployment in your organization, and then the setting was applied to previously encrypted drives), no
change can be made to the BitLocker configuration of that drive except a change that will bring it into
compliance.
If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection,
make the necessary changes, and then resume protection. This situation could occur, for example, if a removable
drive is initially configured to be unlocked with a password and then Group Policy settings are changed to
disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using
the Manage-bde command-line tool, delete the password unlock method, and add the smart card method. After
this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can
be resumed.
NOTE
For more details about Active Directory configuration related to BitLocker enablement, please see Set up MDT for
BitLocker.
Policy description With this policy setting, you can allow TPM-only protection
for newer, more secure devices, such as devices that support
Modern Standby or HSTI, while requiring PIN on older
devices.
Conflicts This setting overrides the Require star tup PIN with TPM
option of the Require additional authentication at startup
policy on compliant hardware.
When enabled Users on Modern Standby and HSTI compliant devices will
have the choice to turn on BitLocker without preboot
authentication.
When disabled or not configured The options of the Require additional authentication at
startup policy apply.
Reference
The preboot authentication option Require star tup PIN with TPM of the Require additional authentication at
startup policy is often enabled to help ensure security for older devices that don't support Modern Standby. But
visually impaired users have no audible way to know when to enter a PIN. This setting enables an exception to
the PIN-required policy on secure hardware.
Allow network unlock at startup
This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required
to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the
necessary network key protector during encryption.
This policy is used with the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the
Public Key Policies folder of Local Computer Policy) to allow systems that are connected to a trusted network
to properly utilize the Network Unlock feature.
Policy description With this policy setting, you can control whether a BitLocker-
protected computer that is connected to a trusted local area
network and joined to a domain can create and use network
key protectors on TPM-enabled computers to automatically
unlock the operating system drive when the computer is
started.
Conflicts None
When disabled or not configured Clients can't create and use Network Key Protectors
Reference
To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive
Encryption Network Unlock must be provisioned with a Network Unlock certificate. The Network Unlock
certificate is used to create a network key protector and to protect the information exchange with the server to
unlock the computer. You can use the Group Policy setting Computer Configuration\Windows
Settings\Security Settings\Public Key Policies\BitLocker Drive Encr yption Network Unlock
Cer tificate on the domain controller to distribute this certificate to computers in your organization. This unlock
method uses the TPM on the computer, so computers that don't have a TPM can't create network key protectors
to automatically unlock by using Network Unlock.
NOTE
For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is
disconnected from the wired network or can't connect to the domain controller at startup.
For more information about Network Unlock, see BitLocker: How to enable Network Unlock.
Require additional authentication at startup
This policy setting is used to control which unlock options are available for operating system drives.
Policy description With this policy setting, you can configure whether BitLocker
requires additional authentication each time the computer
starts and whether you are using BitLocker with a Trusted
Platform Module (TPM). This policy setting is applied when
you turn on BitLocker.
When disabled or not configured Users can configure only basic options on computers with a
TPM.
Only one of the additional authentication options can be
required at startup; otherwise, a policy error occurs.
Reference
If you want to use BitLocker on a computer without a TPM, select Allow BitLocker without a compatible
TPM . In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is
used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated and the operating
system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the
drive.
On a computer with a compatible TPM, additional authentication methods can be used at startup to improve
protection for encrypted data. When the computer starts, it can use:
Only the TPM
Insertion of a USB flash drive containing the startup key
The entry of a 4-digit to 20-digit personal identification number (PIN)
A combination of the PIN and the USB flash drive
There are four options for TPM-enabled computers or devices:
Configure TPM startup
Allow TPM
Require TPM
Do not allow TPM
Configure TPM startup PIN
Allow startup PIN with TPM
Require startup PIN with TPM
Do not allow startup PIN with TPM
Configure TPM startup key
Allow startup key with TPM
Require startup key with TPM
Do not allow startup key with TPM
Configure TPM startup key and PIN
Allow TPM startup key with PIN
Require startup key and PIN with TPM
Do not allow TPM startup key with PIN
Allow enhanced PINs for startup
This policy setting permits the use of enhanced PINs when you use an unlock method that includes a PIN.
Policy description With this policy setting, you can configure whether
enhanced startup PINs are used with BitLocker.
Conflicts None
When enabled All new BitLocker startup PINs that are set will be enhanced
PINs. Existing drives that were protected by using standard
startup PINs aren't affected.
Reference
Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols,
numbers, and spaces). This policy setting is applied when you turn on BitLocker.
IMPORTANT
Not all computers support enhanced PIN characters in the preboot environment. It's strongly recommended that users
perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used.
Policy description With this policy setting, you can configure a minimum length
for a TPM startup PIN. This policy setting is applied when
you turn on BitLocker. The startup PIN must have a
minimum length of four digits, and it can have a maximum
length of 20 digits. By default, the minimum PIN length is 6.
Conflicts None
When enabled You can require that startup PINs set by users must have a
minimum length you choose that is between 4 and 20 digits.
When disabled or not configured Users can configure a startup PIN of any length between 6
and 20 digits.
Reference
This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of four
digits and can have a maximum length of 20 digits.
Originally, BitLocker allowed from 4 to 20 characters for a PIN. Windows Hello has its own PIN for logon, which
can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
The TPM can be configured to use Dictionary Attack Prevention parameters (lockout threshold and lockout
duration) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how
much time must elapse before another attempt can be made.
The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For
example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over
time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only
one more guess every two hours. This totals a maximum of about 4415 guesses per year. If the PIN is four digits,
all 9999 possible PIN combinations could be attempted in a little over two years.
Increasing the PIN length requires a greater number of guesses for an attacker. In that case, the lockout duration
between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while
maintaining a similar level of protection.
Beginning with Windows 10, version 1703, or Windows 11, the minimum length for the BitLocker PIN was
increased to six characters to better align with other Windows features that use TPM 2.0, including Windows
Hello. To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10,
version 1703 with the October 2017, or Windows 11 cumulative update installed, the BitLocker PIN length is six
characters by default, but it can be reduced to four characters. If the minimum PIN length is reduced from the
default of six characters, then the TPM 2.0 lockout period will be extended.
Disable new DMA devices when this computer is locked
This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI ports until a user
signs in to Windows.
Policy description This setting helps prevent attacks that use external PCI-
based devices to access BitLocker keys.
Conflicts None
When enabled Every time the user locks the scree, DMA will be blocked on
hot pluggable PCI ports until the user signs in again.
When disabled or not configured DMA is available on hot pluggable PCI devices if the device
is turned on, regardless of whether a user is signed in.
Reference
This policy setting is only enforced when BitLocker or device encryption is enabled. As explained in the Microsoft
Security Guidance blog, in some cases when this setting is enabled, internal, PCI-based peripherals can fail,
including wireless network drivers and input and audio peripherals. This problem is fixed in the April 2018
quality update.
Disallow standard users from changing the PIN or password
This policy setting allows you to configure whether standard users are allowed to change the PIN or password
that is used to protect the operating system drive.
Policy description With this policy setting, you can configure whether standard
users are allowed to change the PIN or password used to
protect the operating system drive.
Conflicts None
When disabled or not configured Standard users are permitted to change BitLocker PINs or
passwords.
Reference
To change the PIN or password, the user must be able to provide the current PIN or password. This policy setting
is applied when you turn on BitLocker.
Configure use of passwords for operating system drives
This policy controls how non-TPM based systems utilize the password protector. Used with the Password must
meet complexity requirements policy, this policy allows administrators to require password length and
complexity for using the password protector. By default, passwords must be eight characters in length.
Complexity configuration options determine how important domain connectivity is for the client. For the
strongest password security, administrators should choose Require password complexity because it requires
domain connectivity, and it requires that the BitLocker password meets the same password complexity
requirements as domain sign-in passwords.
Policy description With this policy setting, you can specify the constraints for
passwords that are used to unlock operating system drives
that are protected with BitLocker.
When enabled Users can configure a password that meets the requirements
you define. To enforce complexity requirements for the
password, select Require complexity .
When disabled or not configured The default length constraint of eight characters will apply to
operating system drive passwords and no complexity checks
will occur.
Reference
If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce
complexity requirements on the password, and configure a minimum length for the password. For the
complexity requirement setting to be effective, the Group Policy setting Password must meet complexity
requirements , which is located at Computer Configuration\Windows Settings\Security
Settings\Account Policies\Password Policy\ must be also enabled.
NOTE
These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive
with any of the protectors that are available on the drive.
When set to Require complexity , a connection to a domain controller is necessary when BitLocker is enabled
to validate the complexity the password. When set to Allow complexity , a connection to a domain controller is
attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are
found, the password will be accepted regardless of actual password complexity, and the drive will be encrypted
by using that password as a protector. When set to Do not allow complexity , there is no password complexity
validation. Passwords must be at least eight characters. To configure a greater minimum length for the
password, enter the desired number of characters in the Minimum password length box.
When this policy setting is enabled, you can set the option Configure password complexity for operating
system drives to:
Allow password complexity
Do not allow password complexity
Require password complexity
Require additional authentication at startup (Windows Server 2008 and Windows Vista)
This policy setting is used to control what unlock options are available for computers running Windows Server
2008 or Windows Vista.
Policy description With this policy setting, you can control whether the
BitLocker Setup Wizard on computers running Windows
Vista or Windows Server 2008 can set up an additional
authentication method that is required each time the
computer starts.
When enabled The BitLocker Setup Wizard displays the page that allows the
user to configure advanced startup options for BitLocker.
You can further configure setting options for computers with
or without a TPM.
When disabled or not configured The BitLocker Setup Wizard displays basic steps that allow
users to enable BitLocker on computers with a TPM. In this
basic wizard, no additional startup key or startup PIN can be
configured.
Reference
On a computer with a compatible TPM, two authentication methods can be used at startup to provide added
protection for encrypted data. When the computer starts, it can require users to insert a USB drive that contains
a startup key. It can also require users to enter a 6-digit to 20-digit startup PIN.
A USB drive that contains a startup key is needed on computers without a compatible TPM. Without a TPM,
BitLocker-encrypted data is protected solely by the key material that is on this USB drive.
There are two options for TPM-enabled computers or devices:
Configure TPM startup PIN
Allow startup PIN with TPM
Require startup PIN with TPM
Do not allow startup PIN with TPM
Configure TPM startup key
Allow startup key with TPM
Require startup key with TPM
Do not allow startup key with TPM
These options are mutually exclusive. If you require the startup key, you must not allow the startup PIN. If you
require the startup PIN, you must not allow the startup key. Otherwise, a policy error will occur.
To hide the advanced page on a TPM-enabled computer or device, set these options to Do not allow for the
startup key and for the startup PIN.
Configure use of smart cards on fixed data drives
This policy setting is used to require, allow, or deny the use of smart cards with fixed data drives.
Policy description With this policy setting, you can specify whether smart cards
can be used to authenticate user access to the BitLocker-
protected fixed data drives on a computer.
Conflicts To use smart cards with BitLocker, you may also need to
modify the object identifier setting in the Computer
Configuration\Administrative Templates\BitLocker
Drive Encr yption\Validate smar t card cer tificate
usage rule compliance policy setting to match the object
identifier of your smart card certificates.
When enabled Smart cards can be used to authenticate user access to the
drive. You can require smart card authentication by selecting
the Require use of smar t cards on fixed data drives
check box.
When disabled Users can't use smart cards to authenticate their access to
BitLocker-protected fixed data drives.
When not configured Smart cards can be used to authenticate user access to a
BitLocker-protected drive.
Reference
NOTE
These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by
using any of the protectors that are available on the drive.
When enabled Users can configure a password that meets the requirements
you define. To require the use of a password, select Require
password for fixed data drive . To enforce complexity
requirements on the password, select Require complexity .
When not configured Passwords are supported with the default settings, which
don't include password complexity requirements and require
only eight characters.
Reference
When set to Require complexity , a connection to a domain controller is necessary to validate the complexity
of the password when BitLocker is enabled.
When set to Allow complexity , a connection to a domain controller is attempted to validate that the
complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password is
accepted regardless of the actual password complexity, and the drive is encrypted by using that password as a
protector.
When set to Do not allow complexity , no password complexity validation is performed.
Passwords must be at least eight characters. To configure a greater minimum length for the password, enter the
desired number of characters in the Minimum password length box.
NOTE
These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive
with any of the protectors that are available on the drive.
For the complexity requirement setting to be effective, the Group Policy setting Computer
Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password
must meet complexity requirements must also be enabled. This policy setting is configured on a per-
computer basis. This means that it applies to local user accounts and domain user accounts. Because the
password filter that's used to validate password complexity is located on the domain controllers, local user
accounts can't access the password filter because they're not authenticated for domain access. When this policy
setting is enabled, if you sign in with a local user account, and you attempt to encrypt a drive or change a
password on an existing BitLocker-protected drive, an "Access denied" error message is displayed. In this
situation, the password key protector can't be added to the drive.
Enabling this policy setting requires that connectivity to a domain be established before adding a password key
protector to a BitLocker-protected drive. Users who work remotely and have periods of time in which they can't
connect to the domain should be made aware of this requirement so that they can schedule a time when they
will be connected to the domain to turn on BitLocker or to change a password on a BitLocker-protected data
drive.
IMPORTANT
Passwords can't be used if FIPS compliance is enabled. The System cr yptography: Use FIPS-compliant algorithms
for encr yption, hashing, and signing policy setting in Computer Configuration\Windows Settings\Security
Settings\Local Policies\Security Options specifies whether FIPS compliance is enabled.
Policy description With this policy setting, you can specify whether smart cards
can be used to authenticate user access to BitLocker-
protected removable data drives on a computer.
Conflicts To use smart cards with BitLocker, you may also need to
modify the object identifier setting in the Computer
Configuration\Administrative Templates\BitLocker
Drive Encr yption\Validate smar t card cer tificate
usage rule compliance policy setting to match the object
identifier of your smart card certificates.
When enabled Smart cards can be used to authenticate user access to the
drive. You can require smart card authentication by selecting
the Require use of smar t cards on removable data
drives check box.
When disabled or not configured Users aren't allowed to use smart cards to authenticate their
access to BitLocker-protected removable data drives.
When not configured Smart cards are available to authenticate user access to a
BitLocker-protected removable data drive.
Reference
NOTE
These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive
with any of the protectors that are available on the drive.
Policy description With this policy setting, you can specify whether a password
is required to unlock BitLocker-protected removable data
drives.
When enabled Users can configure a password that meets the requirements
you define. To require the use of a password, select Require
password for removable data drive . To enforce
complexity requirements on the password, select Require
complexity .
When not configured Passwords are supported with the default settings, which
don't include password complexity requirements and require
only eight characters.
Reference
If you choose to allow the use of a password, you can require a password to be used, enforce complexity
requirements, and configure a minimum length. For the complexity requirement setting to be effective, the
Group Policy setting Password must meet complexity requirements , which is located at Computer
Configuration\Windows Settings\Security Settings\Account Policies\Password Policy must also be
enabled.
NOTE
These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive
with any of the protectors that are available on the drive.
Passwords must be at least eight characters. To configure a greater minimum length for the password, enter the
wanted number of characters in the Minimum password length box.
When set to Require complexity , a connection to a domain controller is necessary when BitLocker is enabled
to validate the complexity the password.
When set to Allow complexity , a connection to a domain controller will be attempted to validate that the
complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password will
still be accepted regardless of actual password complexity and the drive will be encrypted by using that
password as a protector.
When set to Do not allow complexity , no password complexity validation will be done.
NOTE
Passwords can't be used if FIPS compliance is enabled. The System cr yptography: Use FIPS-compliant algorithms
for encr yption, hashing, and signing policy setting in Computer Configuration\Windows Settings\Security
Settings\Local Policies\Security Options specifies whether FIPS compliance is enabled.
For information about this setting, see System cryptography: Use FIPS-compliant algorithms for encryption,
hashing, and signing.
Validate smart card certificate usage rule compliance
This policy setting is used to determine what certificate to use with BitLocker.
Policy description With this policy setting, you can associate an object identifier
from a smart card certificate to a BitLocker-protected drive.
Conflicts None
Reference
This policy setting is applied when you turn on BitLocker.
The object identifier is specified in the enhanced key usage (EKU) of a certificate. BitLocker can identify which
certificates can be used to authenticate a user certificate to a BitLocker-protected drive by matching the object
identifier in the certificate with the object identifier that is defined by this policy setting.
The default object identifier is 1.3.6.1.4.1.311.67.1.1.
NOTE
BitLocker doesn't require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must
be set to an object identifier that matches the object identifier configured for BitLocker.
Policy description With this policy setting, you can allow users to enable
authentication options that require user input from the
preboot environment, even if the platform indicates a lack of
preboot input capability.
Conflicts None
When disabled or not configured The Windows Recovery Environment must be enabled on
tablets to support entering the BitLocker recovery password.
Reference
The Windows touch keyboard (such as used by tablets) isn't available in the preboot environment where
BitLocker requires additional information, such as a PIN or password.
It's recommended that administrators enable this policy only for devices that are verified to have an alternative
means of preboot input, such as attaching a USB keyboard.
When the Windows Recovery Environment isn't enabled and this policy isn't enabled, you can't turn on BitLocker
on a device that uses the Windows touch keyboard.
If you don't enable this policy setting, the following options in the Require additional authentication at
star tup policy might not be available:
Configure TPM startup PIN: Required and Allowed
Configure TPM startup key and PIN: Required and Allowed
Configure use of passwords for operating system drives
Deny write access to fixed drives not protected by BitLocker
This policy setting is used to require encryption of fixed drives prior to granting Write access.
Policy description With this policy setting, you can set whether BitLocker
protection is required for fixed data drives to be writable on
a computer.
When enabled All fixed data drives that aren't BitLocker-protected are
mounted as Read-only. If the drive is protected by BitLocker,
it's mounted with Read and Write access.
When disabled or not configured All fixed data drives on the computer are mounted with Read
and Write access.
Reference
This policy setting is applied when you turn on BitLocker.
Conflict considerations include:
1. When this policy setting is enabled, users receive "Access denied" error messages when they try to save
data to unencrypted fixed data drives. See the Reference section for additional conflicts.
2. If BdeHdCfg.exe is run on a computer when this policy setting is enabled, you could encounter the
following issues:
If you attempted to shrink the drive and create the system drive, the drive size is successfully reduced
and a raw partition is created. However, the raw partition isn't formatted. The following error message
is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive
for BitLocker."
If you attempt to use unallocated space to create the system drive, a raw partition will be created.
However, the raw partition will not be formatted. The following error message is displayed: "The new
active drive cannot be formatted. You may need to manually prepare your drive for BitLocker."
If you attempt to merge an existing drive into the system drive, the tool fails to copy the required boot
file onto the target drive to create the system drive. The following error message is displayed:
"BitLocker setup failed to copy boot files. You may need to manually prepare your drive for BitLocker."
3. If this policy setting is enforced, a hard drive can't be repartitioned because the drive is protected. If you
are upgrading computers in your organization from a previous version of Windows, and those
computers were configured with a single partition, you should create the required BitLocker system
partition before you apply this policy setting to the computers.
Deny write access to removable drives not protected by BitLocker
This policy setting is used to require that removable drives are encrypted prior to granting Write access, and to
control whether BitLocker-protected removable drives that were configured in another organization can be
opened with Write access.
Policy description With this policy setting, you can configure whether BitLocker
protection is required for a computer to be able to write
data to a removable data drive.
When enabled All removable data drives that aren't BitLocker-protected are
mounted as Read-only. If the drive is protected by BitLocker,
it's mounted with Read and Write access.
When disabled or not configured All removable data drives on the computer are mounted
with Read and Write access.
Reference
If the Deny write access to devices configured in another organization option is selected, only drives
with identification fields that match the computer's identification fields are given Write access. When a
removable data drive is accessed, it's checked for a valid identification field and allowed identification fields.
These fields are defined by the Provide the unique identifiers for your organization policy setting.
NOTE
You can override this policy setting with the policy settings under User Configuration\Administrative
Templates\System\Removable Storage Access . If the Removable Disks: Deny write access policy setting is
enabled, this policy setting will be ignored.
Policy description With this policy setting, you can control the use of BitLocker
on removable data drives.
Introduced Windows Server 2008 R2 and Windows 7
Conflicts None
When enabled You can select property settings that control how users can
configure BitLocker.
When not configured Users can use BitLocker on removable data drives.
Reference
This policy setting is applied when you turn on BitLocker.
For information about suspending BitLocker protection, see BitLocker Basic Deployment.
The options for choosing property settings that control how users can configure BitLocker are:
Allow users to apply BitLocker protection on removable data drives Enables the user to run the
BitLocker Setup Wizard on a removable data drive.
Allow users to suspend and decr ypt BitLocker on removable data drives Enables the user to
remove BitLocker from the drive or to suspend the encryption while performing maintenance.
Choose drive encryption method and cipher strength
This policy setting is used to control the encryption method and cipher strength.
Policy description With this policy setting, you can control the encryption
method and strength for drives.
Conflicts None
When enabled You can choose an encryption algorithm and key cipher
strength for BitLocker to use to encrypt drives.
When disabled or not configured Beginning with Windows 10, version 1511, or Windows 11,
BitLocker uses the default encryption method of XTS-AES
128-bit or the encryption method that is specified by the
setup script.
Reference
The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may
want to control the encryption level for increased security (AES-256 is stronger than AES-128).
If you enable this setting, you can configure an encryption algorithm and key cipher strength for fixed data
drives, operating system drives, and removable data drives individually. For fixed and operating system drives,
we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or
AES-CBC 256-bit if the drive will be used in other devices that aren't running Windows 10, version 1511 or later,
or Windows 11.
Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In
these cases, this policy setting is ignored.
WARNING
This policy doesn't apply to encrypted drives. Encrypted drives utilize their own algorithm, which is set by the drive during
partitioning.
When this policy setting is disabled or not configured, BitLocker will use the default encryption method of XTS-
AES 128-bit or the encryption method that is specified in the setup script.
Configure use of hardware -based encryption for fixed data drives
This policy controls how BitLocker reacts to systems that are equipped with encrypted drives when they're used
as fixed data volumes. Using hardware-based encryption can improve the performance of drive operations that
involve frequent reading or writing of data to the drive.
Policy description With this policy setting, you can manage BitLocker’s use of
hardware-based encryption on fixed data drives and to
specify which encryption algorithms BitLocker can use with
hardware-based encryption.
Conflicts None
When enabled You can specify additional options that control whether
BitLocker software-based encryption is used instead of
hardware-based encryption on computers that don't
support hardware-based encryption. You can also specify
whether you want to restrict the encryption algorithms and
cipher suites that are used with hardware-based encryption.
Reference
NOTE
The Choose drive encr yption method and cipher strength policy setting doesn't apply to hardware-based
encryption.
The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By
default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The Restrict
encr yption algorithms and cipher suites allowed for hardware-based encr yption option of this
setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the
algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption.
Encryption algorithms are specified by object identifiers (OID), for example:
Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
Configure use of hardware -based encryption for operating system drives
This policy controls how BitLocker reacts when encrypted drives are used as operating system drives. Using
hardware-based encryption can improve the performance of drive operations that involve frequent reading or
writing of data to the drive.
Policy description With this policy setting, you can manage BitLocker’s use of
hardware-based encryption on operating system drives and
specify which encryption algorithms it can use with
hardware-based encryption.
Conflicts None
When enabled You can specify additional options that control whether
BitLocker software-based encryption is used instead of
hardware-based encryption on computers that don't
support hardware-based encryption. You can also specify
whether you want to restrict the encryption algorithms and
cipher suites that are used with hardware-based encryption.
Reference
If hardware-based encryption isn't available, BitLocker software-based encryption is used instead.
NOTE
The Choose drive encr yption method and cipher strength policy setting doesn't apply to hardware-based
encryption.
The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By
default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The Restrict
encr yption algorithms and cipher suites allowed for hardware-based encr yption option of this
setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the
algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption.
Encryption algorithms are specified by object identifiers (OID), for example:
Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
Configure use of hardware -based encryption for removable data drives
This policy controls how BitLocker reacts to encrypted drives when they're used as removable data drives. Using
hardware-based encryption can improve the performance of drive operations that involve frequent reading or
writing of data to the drive.
Policy description With this policy setting, you can manage BitLocker’s use of
hardware-based encryption on removable data drives and
specify which encryption algorithms it can use with
hardware-based encryption.
When enabled You can specify additional options that control whether
BitLocker software-based encryption is used instead of
hardware-based encryption on computers that don't
support hardware-based encryption. You can also specify
whether you want to restrict the encryption algorithms and
cipher suites that are used with hardware-based encryption.
Reference
If hardware-based encryption isn't available, BitLocker software-based encryption is used instead.
NOTE
The Choose drive encr yption method and cipher strength policy setting doesn't apply to hardware-based
encryption.
The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By
default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The Restrict
encr yption algorithms and cipher suites allowed for hardware-based encr yption option of this
setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the
algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption.
Encryption algorithms are specified by object identifiers (OID), for example:
Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
Enforce drive encryption type on fixed data drives
This policy controls whether fixed data drives utilize Used Space Only encryption or Full encryption. Setting this
policy also causes the BitLocker Setup Wizard to skip the encryption options page so no encryption selection
displays to the user.
Policy description With this policy setting, you can configure the encryption
type that is used by BitLocker.
Conflicts None
When enabled This policy defines the encryption type that BitLocker uses to
encrypt drives, and the encryption type option isn't
presented in the BitLocker Setup Wizard.
When disabled or not configured The BitLocker Setup Wizard asks the user to select the
encryption type before turning on BitLocker.
Reference
This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive
is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be
encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of
the drive that is used to store data is encrypted when BitLocker is turned on.
NOTE
This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption
method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped
as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by
using the following command: manage-bde -w . If the volume is shrunk, no action is taken for the new free space.
For more information about the tool to manage BitLocker, see Manage-bde.
Enforce drive encryption type on operating system drives
This policy controls whether operating system drives utilize Full encryption or Used Space Only encryption.
Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption
selection displays to the user.
Policy description With this policy setting, you can configure the encryption
type that is used by BitLocker.
Conflicts None
When enabled The encryption type that BitLocker uses to encrypt drives is
defined by this policy, and the encryption type option isn't
presented in the BitLocker Setup Wizard.
When disabled or not configured The BitLocker Setup Wizard asks the user to select the
encryption type before turning on BitLocker.
Reference
This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive
is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be
encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of
the drive that is used to store data is encrypted when BitLocker is turned on.
NOTE
This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption
method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped
as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by
using the following command: manage-bde -w . If the volume is shrunk, no action is taken for the new free space.
For more information about the tool to manage BitLocker, see Manage-bde.
Enforce drive encryption type on removable data drives
This policy controls whether fixed data drives utilize Full encryption or Used Space Only encryption. Setting this
policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection
displays to the user.
Policy description With this policy setting, you can configure the encryption
type that is used by BitLocker.
Conflicts None
When enabled The encryption type that BitLocker uses to encrypt drives is
defined by this policy, and the encryption type option isn't
presented in the BitLocker Setup Wizard.
When disabled or not configured The BitLocker Setup Wizard asks the user to select the
encryption type before turning on BitLocker.
Reference
This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive
is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be
encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of
the drive that is used to store data is encrypted when BitLocker is turned on.
NOTE
This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption
method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped
as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by
using the following command: manage-bde -w . If the volume is shrunk, no action is taken for the new free space.
For more information about the tool to manage BitLocker, see Manage-bde.
Choose how BitLocker-protected operating system drives can be recovered
This policy setting is used to configure recovery methods for operating system drives.
Policy description With this policy setting, you can control how BitLocker-
protected operating system drives are recovered in the
absence of the required startup key information.
Conflicts You must disallow the use of recovery keys if the Deny
write access to removable drives not protected by
BitLocker policy setting is enabled.
When enabled You can control the methods that are available to users to
recover data from BitLocker-protected operating system
drives.
When disabled or not configured The default recovery options are supported for BitLocker
recovery. By default, a data recovery agent is allowed, the
recovery options can be specified by the user (including the
recovery password and recovery key), and recovery
information isn't backed up to AD DS.
Reference
This policy setting is applied when you turn on BitLocker.
The Allow data recover y agent check box is used to specify whether a data recovery agent can be used with
BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from
Public Key Policies , which is located in the Group Policy Management Console (GPMC) or in the Local Group
Policy Editor.
For more information about adding data recovery agents, see BitLocker basic deployment.
In Configure user storage of BitLocker recover y information , select whether users are allowed, required,
or not allowed to generate a 48-digit recovery password.
Select Omit recover y options from the BitLocker setup wizard to prevent users from specifying recovery
options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use
when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy
setting.
In Save BitLocker recover y information to Active Director y Domain Ser vices , choose which BitLocker
recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If you
select Store recover y password and key packages , the BitLocker recovery password and the key package
are stored in AD DS. Storing the key package supports recovering data from a drive that is physically corrupted.
If you select Store recover y password only , only the recovery password is stored in AD DS.
Select the Do not enable BitLocker until recover y information is stored in AD DS for operating
system drives check box if you want to prevent users from enabling BitLocker unless the computer is
connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
NOTE
If the Do not enable BitLocker until recover y information is stored in AD DS for operating system drives
check box is selected, a recovery password is automatically generated.
Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)
This policy setting is used to configure recovery methods for BitLocker-protected drives on computers running
Windows Server 2008 or Windows Vista.
Policy description With this policy setting, you can control whether the
BitLocker Setup Wizard can display and specify BitLocker
recovery options.
Drive type Operating system drives and fixed data drives on computers
running Windows Server 2008 and Windows Vista
When enabled You can configure the options that the BitLocker Setup
Wizard displays to users for recovering BitLocker encrypted
data.
When disabled or not configured The BitLocker Setup Wizard presents users with ways to
store recovery options.
Reference
This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting
is applied when you turn on BitLocker.
Two recovery options can be used to unlock BitLocker-encrypted data in the absence of the required startup key
information. Users can type a 48-digit numerical recovery password, or they can insert a USB drive that contains
a 256-bit recovery key.
Saving the recovery password to a USB drive stores the 48-digit recovery password as a text file and the 256-bit
recovery key as a hidden file. Saving it to a folder stores the 48-digit recovery password as a text file. Printing it
sends the 48-digit recovery password to the default printer. For example, not allowing the 48-digit recovery
password prevents users from printing or saving recovery information to a folder.
IMPORTANT
If TPM initialization is performed during the BitLocker setup, TPM owner information is saved or printed with the
BitLocker recovery information. The 48-digit recovery password isn't available in FIPS-compliance mode.
IMPORTANT
To prevent data loss, you must have a way to recover BitLocker encryption keys. If you don't allow both recovery options,
you must enable the backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs.
Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and
Windows Vista)
This policy setting is used to configure the storage of BitLocker recovery information in AD DS. This provides an
administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key
information.
Policy description With this policy setting, you can manage the AD DS backup
of BitLocker Drive Encryption recovery information.
Drive type Operating system drives and fixed data drives on computers
running Windows Server 2008 and Windows Vista.
Conflicts None
When disabled or not configured BitLocker recovery information isn't backed up to AD DS.
Reference
This policy is only applicable to computers running Windows Server 2008 or Windows Vista.
This policy setting is applied when you turn on BitLocker.
BitLocker recovery information includes the recovery password and unique identifier data. You can also include
a package that contains an encryption key for a BitLocker-protected drive. This key package is secured by one or
more recovery passwords, and it can help perform specialized recovery when the disk is damaged or corrupted.
If you select Require BitLocker backup to AD DS , BitLocker can't be turned on unless the computer is
connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. This option is
selected by default to help ensure that BitLocker recovery is possible.
A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive. A key package
contains a drive’s BitLocker encryption key, which is secured by one or more recovery passwords. Key packages
may help perform specialized recovery when the disk is damaged or corrupted.
If the Require BitLocker backup to AD DS option isn't selected, AD DS backup is attempted, but network or
other backup failures don't prevent the BitLocker setup. The Backup process isn't automatically retried, and the
recovery password might not be stored in AD DS during BitLocker setup. TPM initialization might be needed
during the BitLocker setup. Enable the Turn on TPM backup to Active Director y Domain Ser vices policy
setting in Computer Configuration\Administrative Templates\System\Trusted Platform Module
Ser vices to ensure that TPM information is also backed up.
For more information about this setting, see TPM Group Policy settings.
Choose default folder for recovery password
This policy setting is used to configure the default folder for recovery passwords.
Policy description With this policy setting, you can specify the default path that
is displayed when the BitLocker Setup Wizard prompts the
user to enter the location of a folder in which to save the
recovery password.
Conflicts None
When enabled You can specify the path that will be used as the default
folder location when the user chooses the option to save the
recovery password in a folder. You can specify a fully qualified
path or include the target computer's environment variables
in the path. If the path isn't valid, the BitLocker Setup Wizard
displays the computer's top-level folder view.
When disabled or not configured The BitLocker Setup Wizard displays the computer's top-level
folder view when the user chooses the option to save the
recovery password in a folder.
Reference
This policy setting is applied when you turn on BitLocker.
NOTE
This policy setting doesn't prevent the user from saving the recovery password in another folder.
Conflicts You must disallow the use of recovery keys if the Deny
write access to removable drives not protected by
BitLocker policy setting is enabled.
When enabled You can control the methods that are available to users to
recover data from BitLocker-protected fixed data drives.
When disabled or not configured The default recovery options are supported for BitLocker
recovery. By default, a data recovery agent is allowed, the
recovery options can be specified by the user (including the
recovery password and recovery key), and recovery
information isn't backed up to AD DS.
Reference
This policy setting is applied when you turn on BitLocker.
The Allow data recover y agent check box is used to specify whether a data recovery agent can be used with
BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from Public
Key Policies , which is located in the Group Policy Management Console (GPMC) or in the Local Group Policy
Editor.
In Configure user storage of BitLocker recover y information , select whether users are allowed, required,
or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
Select Omit recover y options from the BitLocker setup wizard to prevent users from specifying recovery
options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use
when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy
setting.
In Save BitLocker recover y information to Active Director y Domain Ser vices , choose which BitLocker
recovery information to store in AD DS for fixed data drives. If you select Backup recover y password and
key package , the BitLocker recovery password and the key package are stored in AD DS. Storing the key
package supports recovering data from a drive that has been physically corrupted. To recover this data, you can
use the Repair-bde command-line tool. If you select Backup recover y password only , only the recovery
password is stored in AD DS.
For more information about the BitLocker repair tool, see Repair-bde.
Select the Do not enable BitLocker until recover y information is stored in AD DS for fixed data
drives check box if you want to prevent users from enabling BitLocker unless the computer is connected to the
domain and the backup of BitLocker recovery information to AD DS succeeds.
NOTE
If the Do not enable BitLocker until recover y information is stored in AD DS for fixed data drives check box
is selected, a recovery password is automatically generated.
Policy description With this policy setting, you can control how BitLocker-
protected removable data drives are recovered in the
absence of the required credentials.
Conflicts You must disallow the use of recovery keys if the Deny
write access to removable drives not protected by
BitLocker policy setting is enabled.
When enabled You can control the methods that are available to users to
recover data from BitLocker-protected removable data
drives.
When disabled or not configured The default recovery options are supported for BitLocker
recovery. By default, a data recovery agent is allowed, the
recovery options can be specified by the user (including the
recovery password and recovery key), and recovery
information isn't backed up to AD DS.
Reference
This policy setting is applied when you turn on BitLocker.
The Allow data recover y agent check box is used to specify whether a data recovery agent can be used with
BitLocker-protected removable data drives. Before a data recovery agent can be used, it must be added from
Public Key Policies , which is accessed using the GPMC or the Local Group Policy Editor.
In Configure user storage of BitLocker recover y information , select whether users are allowed, required,
or not allowed to generate a 48-digit recovery password.
Select Omit recover y options from the BitLocker setup wizard to prevent users from specifying recovery
options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use
when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy
setting.
In Save BitLocker recover y information to Active Director y Domain Ser vices , choose which BitLocker
recovery information to store in AD DS for removable data drives. If you select Backup recover y password
and key package , the BitLocker recovery password and the key package are stored in AD DS. If you select
Backup recover y password only , only the recovery password is stored in AD DS.
Select the Do not enable BitLocker until recover y information is stored in AD DS for removable data
drives check box if you want to prevent users from enabling BitLocker unless the computer is connected to the
domain and the backup of BitLocker recovery information to AD DS succeeds.
NOTE
If the Do not enable BitLocker until recover y information is stored in AD DS for fixed data drives check box
is selected, a recovery password is automatically generated.
Policy description With this policy setting, you can configure the BitLocker
recovery screen to display a customized message and URL.
Introduced Windows
Conflicts None
When enabled The customized message and URL are displayed on the pre-
boot recovery screen. If you have previously enabled a
custom recovery message and URL and want to revert to
the default message and URL, you must keep the policy
setting enabled and select the Use default recover y
message and URL option.
When disabled or not configured If the setting hasn't been previously enabled, then the
default pre-boot recovery screen is displayed for BitLocker
recovery. If the setting previously was enabled and is later
disabled, then the last message in Boot Configuration Data
(BCD) is displayed whether it was the default recovery
message or the custom message.
Reference
Enabling the Configure the pre-boot recover y message and URL policy setting allows you to customize
the default recovery screen message and URL to assist customers in recovering their key.
Once you enable the setting, you have three options:
If you select the Use default recover y message and URL option, the default BitLocker recovery message
and URL will be displayed on the pre-boot recovery screen.
If you select the Use custom recover y message option, type the custom message in the Custom
recover y message option text box. The message that you type in the Custom recover y message
option text box will be displayed on the pre-boot recovery screen. If a recovery URL is available, include it in
the message.
If you select the Use custom recover y URL option, type the custom message URL in the Custom
recover y URL option text box. The URL that you type in the Custom recover y URL option text box
replaces the default URL in the default recovery message, which will be displayed on the pre-boot recovery
screen.
IMPORTANT
Not all characters and languages are supported in the pre-boot environment. We strongly recommended that you verify
the correct appearance of the characters that you use for the custom message and URL on the pre-boot recovery screen.
IMPORTANT
Because you can alter the BCDEdit commands manually before you have set Group Policy settings, you can't return the
policy setting to the default setting by selecting the Not Configured option after you have configured this policy
setting. To return to the default pre-boot recovery screen leave the policy setting enabled and select the Use default
message options from the Choose an option for the pre-boot recover y message drop-down list box.
Policy description With this policy setting, you can configure whether Secure
Boot will be allowed as the platform integrity provider for
BitLocker operating system drives.
When enabled or not configured BitLocker uses Secure Boot for platform integrity if the
platform is capable of Secure Boot-based integrity validation.
When disabled BitLocker uses legacy platform integrity validation, even on
systems that are capable of Secure Boot-based integrity
validation.
Reference
Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by
authorized software publishers. Secure Boot also provides more flexibility for managing preboot configurations
than BitLocker integrity checks prior to Windows Server 2012 and Windows 8. When this policy is enabled and
the hardware is capable of using Secure Boot for BitLocker scenarios, the Use enhanced Boot Configuration
Data validation profile Group Policy setting is ignored, and Secure Boot verifies BCD settings according to the
Secure Boot policy setting, which is configured separately from BitLocker.
WARNING
Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this
policy, suspend BitLocker prior to applying firmware updates.
Policy description With this policy setting, you can associate unique
organizational identifiers to a new drive that is enabled with
BitLocker.
When enabled You can configure the identification field on the BitLocker-
protected drive and any allowed identification field that is
used by your organization.
Reference
These identifiers are stored as the identification field and the allowed identification field. The identification field
allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is
automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected
drives by using the Manage-bde command-line tool.
An identification field is required to manage certificate-based data recovery agents on BitLocker-protected
drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery
agents only when the identification field on the drive matches the value that is configured in the identification
field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field on the
drive matches the value that is configured for the identification field.
For more information about the tool to manage BitLocker, see Manage-bde.
The allowed identification field is used in combination with the Deny write access to removable drives not
protected by BitLocker policy setting to help control the use of removable drives in your organization. It's a
comma-separated list of identification fields from your organization or external organizations.
You can configure the identification fields on existing drives by using the Manage-bde command-line tool.
When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field
and the allowed identification field are used to determine whether the drive is from an outside organization.
Multiple values separated by commas can be entered in the identification and allowed identification fields. The
identification field can be any value up to 260 characters.
Prevent memory overwrite on restart
This policy setting is used to control whether the computer's memory will be overwritten the next time the
computer is restarted.
Policy description With this policy setting, you can control computer restart
performance at the risk of exposing BitLocker secrets.
Conflicts None
When enabled The computer will not overwrite memory when it restarts.
Preventing memory overwrite may improve restart
performance, but it increases the risk of exposing BitLocker
secrets.
When disabled or not configured BitLocker secrets are removed from memory when the
computer restarts.
Reference
This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material that is used to
encrypt data. This policy setting applies only when BitLocker protection is enabled.
Configure TPM platform validation profile for BIOS -based firmware configurations
This policy setting determines what values the TPM measures when it validates early boot components before it
unlocks an operating system drive on a computer with a BIOS configuration or with UEFI firmware that has the
Compatibility Support Module (CSM) enabled.
Policy description With this policy setting, you can configure how the
computer's TPM security hardware secures the BitLocker
encryption key.
Conflicts None
When enabled You can configure the boot components that the TPM
validates before unlocking access to the BitLocker-encrypted
operating system drive. If any of these components change
while BitLocker protection is in effect, then the TPM doesn't
release the encryption key to unlock the drive. Instead, the
computer displays the BitLocker Recovery console and
requires that the recovery password or the recovery key is
provided to unlock the drive.
When disabled or not configured The TPM uses the default platform validation profile or the
platform validation profile that is specified by the setup
script.
Reference
This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker has already been
turned on with TPM protection.
IMPORTANT
This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with the
CSM enabled. Computers that use a native UEFI firmware configuration store different values in the Platform
Configuration Registers (PCRs). Use the Configure TPM platform validation profile for native UEFI firmware
configurations Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware.
A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform
validation profile secures the encryption key against changes to the following:
Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0)
Option ROM Code (PCR 2)
Master Boot Record (MBR) Code (PCR 4)
NTFS Boot Sector (PCR 8)
NTFS Boot Block (PCR 9)
Boot Manager (PCR 10)
BitLocker Access Control (PCR 11)
NOTE
Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s
sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or
exclusion (respectively) of the PCRs.
Policy description With this policy setting, you can configure how the
computer's TPM security hardware secures the BitLocker
encryption key.
Conflicts None
When enabled You can configure the boot components that the TPM
validates before unlocking access to the BitLocker-encrypted
operating system drive. If any of these components change
while BitLocker protection is in effect, the TPM doesn't
release the encryption key to unlock the drive. Instead, the
computer displays the BitLocker Recovery console and
requires that the recovery password or the recovery key is
provided to unlock the drive.
When disabled or not configured The TPM uses the default platform validation profile or the
platform validation profile that is specified by the setup
script.
Reference
This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker is already turned
on with TPM protection.
A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform
validation profile secures the encryption key against changes to the following:
Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0)
Option ROM Code (PCR 2)
Master Boot Record (MBR) Code (PCR 4)
NTFS Boot Sector (PCR 8)
NTFS Boot Block (PCR 9)
Boot Manager (PCR 10)
BitLocker Access Control (PCR 11)
NOTE
The default TPM validation profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs
0, 2, 4, and 11 only.
WARNING
Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's
sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or
exclusion (respectively) of the PCRs.
Configure TPM platform validation profile for native UEFI firmware configurations
This policy setting determines what values the TPM measures when it validates early boot components before
unlocking an operating system drive on a computer with native UEFI firmware configurations.
Policy description With this policy setting, you can configure how the
computer's Trusted Platform Module (TPM) security
hardware secures the BitLocker encryption key.
Conflicts Setting this policy with PCR 7 omitted, overrides the Allow
Secure Boot for integrity validation Group Policy
setting, and it prevents BitLocker from using Secure Boot for
platform or Boot Configuration Data (BCD) integrity
validation.
If your environments use TPM and Secure Boot for
platform integrity checks, this policy is configured.
For more information about PCR 7, see Platform
Configuration Register (PCR) in this article.
When enabled Before you turn on BitLocker, you can configure the boot
components that the TPM validates before it unlocks access
to the BitLocker-encrypted operating system drive. If any of
these components change while BitLocker protection is in
effect, the TPM doesn't release the encryption key to unlock
the drive. Instead, the computer displays the BitLocker
Recovery console and requires that the recovery password
or the recovery key is provided to unlock the drive.
When disabled or not configured BitLocker uses the default platform validation profile or the
platform validation profile that is specified by the setup
script.
Reference
This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker is already turned
on with TPM protection.
IMPORTANT
This Group Policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or
UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration
Registers (PCRs). Use the Configure TPM platform validation profile for BIOS-based firmware configurations
Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI
firmware with a CSM enabled.
A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to
23. The default platform validation profile secures the encryption key against changes to the core system
firmware executable code (PCR 0), extended or pluggable executable code (PCR 2), boot manager (PCR 4), and
the BitLocker access control (PCR 11).
The following list identifies all of the PCRs available:
PCR 0: Core System Firmware executable code
PCR 1: Core System Firmware data
PCR 2: Extended or pluggable executable code
PCR 3: Extended or pluggable firmware data
PCR 4: Boot Manager
PCR 5: GPT/Partition Table
PCR 6: Resume from S4 and S5 Power State Events
PCR 7: Secure Boot State
For more information about this PCR, see Platform Configuration Register (PCR) in this article.
PCR 8: Initialized to 0 with no Extends (reserved for future use)
PCR 9: Initialized to 0 with no Extends (reserved for future use)
PCR 10: Initialized to 0 with no Extends (reserved for future use)
PCR 11: BitLocker access control
PCR 12: Data events and highly volatile events
PCR 13: Boot Module Details
PCR 14: Boot Authorities
PCR 15 – 23: Reserved for future use
WARNING
Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's
sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or
exclusion (respectively) of the PCRs.
Policy description With this policy setting, you can control whether platform
validation data is refreshed when Windows is started
following a BitLocker recovery.
Conflicts None
Reference
For more information about the recovery process, see the BitLocker recovery guide.
Use enhanced Boot Configuration Data validation profile
This policy setting determines specific Boot Configuration Data (BCD) settings to verify during platform
validation. A platform validation uses the data in the platform validation profile, which consists of a set of
Platform Configuration Register (PCR) indices that range from 0 to 23.
Policy description With this policy setting, you can specify Boot Configuration
Data (BCD) settings to verify during platform validation.
Conflicts When BitLocker is using Secure Boot for platform and Boot
Configuration Data integrity validation, the Use enhanced
Boot Configuration Data validation profile Group
Policy setting is ignored (as defined by the Allow Secure
Boot for integrity validation Group Policy setting).
When enabled You can add additional BCD settings, exclude the BCD
settings you specify, or combine inclusion and exclusion lists
to create a customized BCD validation profile, which gives
you the ability to verify those BCD settings.
When not configured The computer verifies the default BCD settings in Windows.
Reference
NOTE
The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it's included in the
inclusion or the exclusion list.
Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
This policy setting is used to control whether access to drives is allowed by using the BitLocker To Go Reader,
and if the application is installed on the drive.
Policy description With this policy setting, you can configure whether fixed
data drives that are formatted with the FAT file system can
be unlocked and viewed on computers running Windows
Vista, Windows XP with Service Pack 3 (SP3), or Windows XP
with Service Pack 2 (SP2).
Conflicts None
When enabled and When not configured Fixed data drives that are formatted with the FAT file system
can be unlocked on computers running Windows Server
2008, Windows Vista, Windows XP with SP3, or Windows XP
with SP2, and their content can be viewed. These operating
systems have Read-only access to BitLocker-protected
drives.
When disabled Fixed data drives that are formatted with the FAT file system
and are BitLocker-protected can't be unlocked on computers
running Windows Vista, Windows XP with SP3, or Windows
XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) isn't
installed.
Reference
NOTE
This policy setting doesn't apply to drives that are formatted with the NTFS file system.
When this policy setting is enabled, select the Do not install BitLocker To Go Reader on FAT formatted
fixed drives check box to help prevent users from running BitLocker To Go Reader from their fixed drives. If
BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that doesn't have an identification field specified,
or if the drive has the same identification field as specified in the Provide unique identifiers for your
organization policy setting, the user is prompted to update BitLocker, and BitLocker To Go Reader is deleted
from the drive. In this situation, for the fixed drive to be unlocked on computers running Windows Vista,
Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If
this check box isn't selected, then BitLocker To Go Reader will be installed on the fixed drive to enable users to
unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2.
Allow access to BitLocker-protected removable data drives from earlier versions of Windows
This policy setting controls access to removable data drives that are using the BitLocker To Go Reader and
whether the BitLocker To Go Reader can be installed on the drive.
Policy description With this policy setting, you can configure whether
removable data drives that are formatted with the FAT file
system can be unlocked and viewed on computers running
Windows Vista, Windows XP with SP3, or Windows XP with
SP2.
Conflicts None
When enabled and When not configured Removable data drives that are formatted with the FAT file
system can be unlocked on computers running Windows
Vista, Windows XP with SP3, or Windows XP with SP2, and
their content can be viewed. These operating systems have
Read-only access to BitLocker-protected drives.
When disabled Removable data drives that are formatted with the FAT file
system that are BitLocker-protected can't be unlocked on
computers running Windows Vista, Windows XP with SP3, or
Windows XP with SP2. BitLocker To Go Reader
(bitlockertogo.exe) isn't installed.
Reference
NOTE
This policy setting doesn't apply to drives that are formatted with the NTFS file system.
When this policy setting is enabled, select the Do not install BitLocker To Go Reader on FAT formatted
removable drives check box to help prevent users from running BitLocker To Go Reader from their removable
drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that doesn't have an identification field
specified, or if the drive has the same identification field as specified in the Provide unique identifiers for
your organization policy setting, the user will be prompted to update BitLocker, and BitLocker To Go Reader is
deleted from the drive. In this situation, for the removable drive to be unlocked on computers running Windows
Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the
computer. If this check box isn't selected, then BitLocker To Go Reader will be installed on the removable drive to
enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP
with SP2 that don't have BitLocker To Go Reader installed.
FIPS setting
You can configure the Federal Information Processing Standard (FIPS) setting for FIPS compliance. As an effect
of FIPS compliance, users can't create or save a BitLocker password for recovery or as a key protector. The use of
a recovery key is permitted.
Reference
This policy must be enabled before any encryption key is generated for BitLocker. When this policy is enabled,
BitLocker prevents creating or using recovery passwords, so recovery keys should be used instead.
You can save the optional recovery key to a USB drive. Because recovery passwords can't be saved to AD DS
when FIPS is enabled, an error is caused if AD DS backup is required by Group Policy.
You can edit the FIPS setting by using the Security Policy Editor (Secpol.msc) or by editing the Windows registry.
You must be an administrator to perform these procedures.
For more information about setting this policy, see System cryptography: Use FIPS compliant algorithms for
encryption, hashing, and signing.
See also
Trusted Platform Module
TPM Group Policy settings
BitLocker frequently asked questions (FAQ)
BitLocker overview
Prepare your organization for BitLocker: Planning and policies
Boot Configuration Data settings and BitLocker
3/3/2022 • 6 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Windows Server 2016 and above
This topic for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker.
When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the
security sensitive BCD settings have not changed since BitLocker was last enabled, resumed, or recovered.
Not all BCD settings have friendly names, for those settings the hex value is the only way to configure an
exclusion policy.
When specifying BCD values in the Use enhanced Boot Configuration Data validation profile Group
Policy setting, use the following syntax:
Prefix the setting with the boot application prefix
Append a colon ‘:’
Append either the hex value or the friendly name
If entering more than one BCD setting, you will need to enter each BCD setting on a new line
For example, either “ winload:hypervisordebugport ” or “ winload:0x250000f4 ” yield the same value.
Setting that applies to all boot applications may be applied only to an individual application, however the
reverse is not true. For example, one can specify either: “ all:locale ” or “ winresume:locale ”, but as the bcd
setting “ win-pe ” does not apply to all boot applications, “ winload:winpe ” is valid, but “ all:winpe ” is not valid.
The setting that controls boot debugging (“ bootdebug ” or 0x16000010) will always be validated and will have
no effect if it is included in the provided fields.
NOTE
Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the
correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid.
0x25000020 winload nx
NOTE
Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this
list.
0x1600001e all vm
Applies to:
Windows 10
Windows 11
Windows Server 2016 and above
This article for IT professionals describes how to recover BitLocker keys from AD DS.
Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to
access BitLocker-protected data. Creating a recovery model for BitLocker while you are planning your BitLocker
deployment is recommended.
This article assumes that you understand how to set up AD DS to back up BitLocker recovery information
automatically, and what types of recovery information are saved to AD DS.
This article does not detail how to configure AD DS to store the BitLocker recovery information.
NOTE
Some computers have BIOS settings that skip measurements to certain PCRs, such as PCR[2] . Changing this
setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different.
NOTE
The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process
must explicitly have changed this value.
Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr).
Pressing the F8 or F10 key during the boot process.
Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in
cards.
Using a BIOS hot key during the boot process to change the boot order to something other than the hard
drive.
NOTE
Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the
problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer
by obtaining physical access, you can create new security policies for tracking who has physical presence. After the
recovery password has been used to recover access to the PC, BitLocker will reseal the encryption key to the current
values of the measured components.
For planned scenarios, such as a known hardware or firmware upgrades, you can avoid initiating recovery by
temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the
administrator can quickly resume BitLocker protection after the planned task has been completed. Using
suspend and resume also reseals the encryption key without requiring the entry of the recovery key.
NOTE
If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified
using the manage-bde command line tool.
If software maintenance requires the computer to be restarted and you are using two-factor authentication, you
can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do
not have an on-premises user to provide the additional authentication method.
Recovery has been described within the context of unplanned or undesired behavior, but you can also cause
recovery as an intended production scenario, in order to manage access control. For example, when you
redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force
BitLocker into recovery before the computer is given to a new user.
Testing recovery
Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery
process works for both end users (people who call your helpdesk for the recovery password) and administrators
(people who help the end user get the recovery password). The -forcerecovery command of manage-bde is an
easy way for you to step through the recovery process before your users encounter a recovery situation.
To force a recover y for the local computer :
1. Select the Star t button, type cmd in the Star t Search box, right-click cmd.exe , and then select Run as
administrator .
2. At the command prompt, type the following command and then press Enter :
manage-bde -forcerecovery <BitLockerVolume>
NOTE
Recovery triggered by -forcerecovery persists for multiple restarts until a TPM protector is added or protection
is suspended by the user. When using Modern Standby devices (such as Surface devices), the -forcerecovery
option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE
environment before the OS can boot up again. For more information, see BitLocker Troubleshooting: Continuous
reboot loop with BitLocker recovery on a slate device.
NOTE
If the PCs are part of a workgroup, users should be advised to save their BitLocker recovery password with their
Microsoft Account online. Having an online copy of your BitLocker recovery password is recommended to help ensure
that you do not lose access to your data in the event that recovery is required.
The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain
administrators to view BitLocker recovery passwords for specific computer objects in Active Directory.
You can use the following list as a template for creating your own recovery process for recovery password
retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and
Computers tool.
Record the name of the user's computer
Verify the user's identity
Locate the recovery password in AD DS
Gather information to determine why recovery occurred
Give the user the recovery password
Record the name of the user's computer
You can use the name of the user's computer to locate the recovery password in AD DS. If the user does not
know the name of the computer, ask the user to read the first word of the Drive Label in the BitLocker Drive
Encr yption Password Entr y user interface. This is the computer name when BitLocker was enabled and is
probably the current name of the computer.
Verify the user's identity
Verify that the person that is asking for the recovery password is truly the authorized user of that computer. You
might also want to verify that the computer with the name the user provided belongs to the user.
Locate the recovery password in AD DS
Locate the Computer object with the matching name in AD DS. Because Computer object names are listed in the
AD DS global catalog, you should be able to locate the object even if you have a multi-domain forest.
Multiple recovery passwords
If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker
recovery information object includes the date that the password was created.
If at any time you are unsure what password to provide, or if you think you might be providing the incorrect
password, ask the user to read the eight character password ID that is displayed in the recovery console.
Since the password ID is a unique value that is associated with each recovery password stored in AD DS,
running a query using this ID will find the correct password to unlock the encrypted volume.
Gather information to determine why recovery occurred
Before you give the user the recovery password, you should gather any information that will help determine
why the recovery was needed, in order to analyze the root cause during the post-recovery analysis. For more
info about post-recovery analysis, see Post-recovery analysis.
Give the user the recovery password
Because the recovery password is 48 digits long, the user might need to record the password by writing it down
or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is
recovered from the MBAM database to avoid the security risks associated with an uncontrolled password.
NOTE
Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype
the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit
block of the 48-digit recovery password, and offers the user the opportunity to correct such errors.
Post-recovery analysis
When a volume is unlocked using a recovery password, an event is written to the event log and the platform
validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means
that the encryption key has been released and is ready for on-the-fly encryption when data is written to the
volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker
behaves the same way, regardless of how the access was granted.
If you notice that a computer is having repeated recovery password unlocks, you might want to have an
administrator perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker
platform validation so that the user no longer needs to enter a recovery password each time that the computer
starts up. See:
Determine the root cause of the recovery
Refresh BitLocker protection
Determine the root cause of the recovery
If a user needed to recover the drive, it is important to determine the root cause that initiated the recovery as
soon as possible. Properly analyzing the state of the computer and detecting tampering may reveal threats that
have broader implications for enterprise security.
While an administrator can remotely investigate the cause of recovery in some cases, the end user might need
to bring the computer that contains the recovered drive on site to analyze the root cause further.
Review and answer the following questions for your organization:
1. What BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which
PCR profile is in use on the PC?
2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be?
3. If TPM mode was in effect, was recovery caused by a boot file change?
4. If recovery was caused by a boot file change, was the change an intended user action (for example, BIOS
upgrade), or was it caused by malicious software?
5. When was the user last able to start the computer successfully, and what might have happened to the
computer since then?
6. Might the user have encountered malicious software or left the computer unattended since the last
successful startup?
To help you answer these questions, use the BitLocker command-line tool to view the current configuration and
protection mode (for example, manage-bde -status ). Scan the event log to find events that help indicate why
recovery was initiated (for example, if the boot file changed). Both of these capabilities can be performed
remotely.
Resolve the root cause
After you have identified what caused recovery, you can reset BitLocker protection and avoid recovery on every
startup.
The details of this reset can vary according to the root cause of the recovery. If you cannot determine the root
cause, or if malicious software or a rootkit might have infected the computer, Helpdesk should apply best-
practice virus policies to react appropriately.
NOTE
You can perform a BitLocker validation profile reset by suspending and resuming BitLocker.
Unknown PIN
Lost startup key
Changes to boot files
Unknown PIN
If a user has forgotten the PIN, you must reset the PIN while you are logged on to the computer in order to
prevent BitLocker from initiating recovery each time the computer is restarted.
To prevent continued recover y due to an unknown PIN
1. Unlock the computer using the recovery password.
2. Reset the PIN:
a. Right-click the drive and then select Change PIN .
b. In the BitLocker Drive Encryption dialog, select Reset a forgotten PIN . If you are not logged in with
an administrator account, provide administrative credentials at this time.
c. In the PIN reset dialog, provide and confirm the new PIN to use and then select Finish .
3. You will use the new PIN the next time you unlock the drive.
Lost startup key
If you have lost the USB flash drive that contains the startup key, then you must unlock the drive by using the
recovery key and then create a new startup key.
To prevent continued recover y due to a lost star tup key
1. Log on as an administrator to the computer that has the lost startup key.
2. Open Manage BitLocker.
3. Select Duplicate star t up key , insert the clean USB drive on which you are going to write the key and then
select Save .
Changes to boot files
This error might occur if you updated the firmware. As a best practice, you should suspend BitLocker before
making changes to the firmware and then resume protection after the update has completed. This action
prevents the computer from going into recovery mode. However if changes were made when BitLocker
protection was on, then log on to the computer using the recovery password, and the platform validation profile
will be updated so that recovery will not occur the next time.
There are rules governing which hint is shown during the recovery (in order of processing):
1. Always display custom recovery message if it has been configured (using GPO or MDM).
2. Always display generic hint: "For more information, go to https://aka.ms/recoverykeyfaq".
3. If multiple recovery keys exist on the volume, prioritize the last created (and successfully backed up) recovery
key.
4. Prioritize keys with successful backup over keys that have never been backed up.
5. Prioritize backup hints in the following order for remote backup locations: Microsoft Account > Azure AD
> Active Director y .
6. If a key has been printed and saved to file, display a combined hint, "Look for a printout or a text file with the
key," instead of two separate hints.
7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key,
prioritize backup info with latest backed up date.
8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if
configured) or a generic message, "Contact your organization's help desk," will be displayed.
9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system will
ask for a key that has been backed up, even if another key is newer.
Example 1 (single recovery key with single backup)
C USTO M URL Y ES
Saved to Azure AD No
Printed No
Saved to file No
Result: The hint for the Microsoft Account and the custom URL are displayed.
Example 2 (single recovery key with single backup)
C USTO M URL Y ES
Saved to Azure AD No
Printed No
Saved to file No
C USTO M URL NO
Printed Yes
C USTO M URL NO
Saved to Azure AD No
Printed No
Key ID A564F193
C USTO M URL NO
Saved to Azure AD No
C USTO M URL NO
Printed No
Saved to file No
Key ID T4521ER5
Result: Only the hint for a successfully backed up key is displayed, even if it isn't the most recent key.
C USTO M URL NO
Printed No
Saved to file No
Key ID 99631A34
C USTO M URL NO
Printed No
Saved to file No
Key ID 9DF70931
NOTE
You must use the BitLocker Repair tool repair-bde to use the BitLocker key package.
The BitLocker key package is not saved by default. To save the package along with the recovery password in AD
DS, you must select the Backup recover y password and key package option in the Group Policy settings
that control the recovery method. You can also export the key package from a working volume. For more details
about how to export key packages, see Retrieving the BitLocker Key Package.
Resetting recovery passwords
Invalidate a recovery password after it has been provided and used. It should also be done when you
intentionally want to invalidate an existing recovery password for any reason.
You can reset the recovery password in two ways:
Use manage-bde : You can use manage-bde to remove the old recovery password and add a new recovery
password. The procedure identifies the command and the syntax for this method.
Run a script : You can run a script to reset the password without decrypting the volume. The sample script in
the procedure illustrates this functionality. The sample script creates a new recovery password and
invalidates all other passwords.
To reset a recover y password using manage-bde:
1. Remove the previous recovery password
3. Get the ID of the new recovery password. From the screen, copy the ID of the recovery password.
WARNING
You must include the braces in the ID string.
IMPORTANT
This sample script is configured to work only for the C volume. You must customize the script to match the
volume where you want to test password reset.
NOTE
To manage a remote computer, you can specify the remote computer name rather than the local computer name.
You can use the following sample script to create a VBScript file to reset the recovery passwords:
' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------
Sub ShowUsage
Wscript.Echo "USAGE: GetBitLockerKeyPackageADDS [Path To Save Key Package] [Optional Computer Name]"
Wscript.Echo "If no computer name is specified, the local computer is assumed."
Wscript.Echo
Wscript.Echo "Example: GetBitLockerKeyPackageADDS E:\bitlocker-ad-key-package mycomputer"
WScript.Quit
End Sub
' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------
Set args = WScript.Arguments
Select Case args.Count
Case 1
If args(0) = "/?" Or args(0) = "-?" Then
ShowUsage
Else
strFilePath = args(0)
' Get the name of the local computer
Set objNetwork = CreateObject("WScript.Network")
strComputerName = objNetwork.ComputerName
End If
Case 2
If args(0) = "/?" Or args(0) = "-?" Then
ShowUsage
Else
strFilePath = args(0)
strComputerName = args(1)
End If
Case Else
ShowUsage
End Select
End Select
' --------------------------------------------------------------------------------
' Get path to Active Directory computer object associated with the computer name
' --------------------------------------------------------------------------------
Function GetStrPathToComputer(strComputerName)
' Uses the global catalog to find the computer in the forest
' Search also includes deleted computers in the tombstone
Set objRootLDAP = GetObject("LDAP://rootDSE")
namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com
strBase = "<GC://" & namingContext & ">"
The following sample script exports a new key package from an unlocked, encrypted volume.
To run the sample key package retrieval script:
1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackage.vbs
2. Open an administrator command prompt, and then type a command similar to the following sample
script:
cscript GetBitLockerKeyPackage.vbs -?
' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------
Sub ShowUsage
Wscript.Echo "USAGE: GetBitLockerKeyPackage [VolumeLetter/DriveLetter:] [Path To Save Key Package]"
Wscript.Echo
Wscript.Echo "Example: GetBitLockerKeyPackage C: E:\bitlocker-backup-key-package"
WScript.Quit
End Sub
' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------
Set args = WScript.Arguments
Select Case args.Count
Case 2
If args(0) = "/?" Or args(0) = "-?" Then
ShowUsage
Else
strDriveLetter = args(0)
strFilePath = args(1)
End If
Case Else
ShowUsage
End Select
' --------------------------------------------------------------------------------
' Other Inputs
' --------------------------------------------------------------------------------
' Target computer name
' Use "." to connect to the local computer
strComputerName = "."
' Default key protector ID to use. Specify "" to let the script choose.
strDefaultKeyProtectorID = ""
' strDefaultKeyProtectorID = "{001298E0-870E-4BA0-A2FF-FC74758D5720}" ' sample
' --------------------------------------------------------------------------------
' Connect to the BitLocker WMI provider class
' --------------------------------------------------------------------------------
strConnectionStr = "winmgmts:" _
& "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" _
& strComputerName _
& "\root\cimv2\Security\MicrosoftVolumeEncryption"
See also
BitLocker overview
BitLocker Countermeasures
3/3/2022 • 10 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Windows Server 2016 and above
Windows uses technologies including Trusted Platform Module (TPM), Secure Boot, and Measured Boot to help
protect BitLocker encryption keys against attacks. BitLocker is part of a strategic approach to securing data
against offline attacks through encryption technology. Data on a lost or stolen computer is vulnerable. For
example, there could be unauthorized access, either by running a software attack tool against it or by
transferring the computer’s hard disk to a different computer.
BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating
system is started by:
Encr ypting volumes on your computer. For example, you can turn on BitLocker for your operating
system volume, or a volume on a fixed or removable data drive (such as a USB flash drive, SD card, and so
on). Turning on BitLocker for your operating system volume encrypts all system files on the volume,
including the paging files and hibernation files. The only exception is for the System partition, which includes
the Windows Boot Manager and minimal boot collateral required for decryption of the operating system
volume after the key is unsealed.
Ensuring the integrity of early boot components and boot configuration data. On devices that
have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data
accessible only if the computer’s BIOS firmware code and configuration, original boot sequence, boot
components, and BCD configuration all appear unaltered and the encrypted disk is located in the original
computer. On systems that leverage TPM PCR[7], BCD setting changes deemed safe are permitted to improve
usability.
The next sections provide more details about how Windows protects against various attacks on the BitLocker
encryption keys in Windows 11, Windows 10, Windows 8.1, and Windows 8.
For more information about how to enable the best overall security configuration for devices beginning with
Windows 10 version 1803 or Windows 11, see Standards for a highly secure Windows device.
NOTE
This does not protect against physical attacks where an attacker opens the case and attacks the hardware.
Security policies
The next sections cover pre-boot authentication and DMA policies that can provide additional protection for
BitLocker.
Pre -boot authentication
Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN,
a startup key, or both to authenticate prior to making the contents of the system drive accessible. The Group
Policy setting is Require additional authentication at startup and the corresponding setting in the BitLocker CSP
is SystemDrivesRequireStartupAuthentication.
BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed. If
Windows can’t access the encryption keys, the device can’t read or edit the files on the system drive. The only
option for bypassing pre-boot authentication is entering the recovery key.
Pre-boot authentication is designed to prevent the encryption keys from being loaded to system memory
without the trusted user supplying another authentication factor such as a PIN or startup key. This helps
mitigate DMA and memory remanence attacks.
On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in
four ways:
TPM-only. Using TPM-only validation does not require any interaction with the user to unlock and provide
access to the drive. If the TPM validation succeeds, the user sign in experience is the same as a standard
logon. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or
configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery
mode, and the user must enter a recovery password to regain access to the data. This option is more
convenient for sign-in but less secure than the other options, which require an additional authentication
factor.
TPM with star tup key. In addition to the protection that the TPM-only provides, part of the encryption key
is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume cannot be accessed
without the startup key.
TPM with PIN. In addition to the protection that the TPM provides, BitLocker requires that the user enter a
PIN. Data on the encrypted volume cannot be accessed without entering the PIN. TPMs also have anti-
hammering protection that is designed to prevent brute force attacks that attempt to determine the PIN.
TPM with star tup key and PIN. In addition to the core component protection that the TPM-only provides,
part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the
TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it cannot
be used for access to the drive, because the correct PIN is also required.
In the following Group Policy example, TPM + PIN is required to unlock an operating system drive:
Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because
an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. Pre-boot
authentication with a PIN can also mitigate DMA port attacks during the window of time between when
BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that
have been configured.
On the other hand, Pre-boot authentication prompts can be inconvenient to users. In addition, users who forget
their PIN or lose their startup key are denied access to their data until they can contact their organization’s
support team to obtain a recovery key. Pre-boot authentication can also make it more difficult to update
unattended desktops and remotely administered servers because a PIN needs to be entered when a computer
reboots or resumes from hibernation.
To address these issues, you can deploy BitLocker Network Unlock. Network Unlock allows systems within the
physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with
TPM+PIN to boot into Windows without user intervention. It requires direct ethernet connectivity to an
enterprise Windows Deployment Services (WDS) server.
Protecting Thunderbolt and other DMA ports
There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10
version 1803 or Windows 11, new Intel-based devices have kernel protection against DMA attacks via
Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems
beginning with Windows 10 version 1803 or Windows 11, as it requires changes in the system firmware and/or
BIOS.
You can use the System Information desktop app (MSINFO32) to check if a device has kernel DMA protection
enabled:
If kernel DMA protection not enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
1. Require a password for BIOS changes
2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Please refer to Intel
Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation
3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607 or
Windows 11):
MDM: DataProtection/AllowDirectMemoryAccess policy
Group Policy: Disable new DMA devices when this computer is locked (This setting is not configured
by default.)
For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the “Thunderbolt Mitigation” section in KB
2516445. For SBP-2 and 1394 (a.k.a. Firewire), refer to the “SBP-2 Mitigation” section in KB 2516445.
Attack countermeasures
This section covers countermeasures for specific types of attacks.
Bootkits and rootkits
A physically-present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot
chain in an attempt to steal the BitLocker keys. The TPM should observe this installation via PCR measurements,
and the BitLocker key will not be released. This is the default configuration.
A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that may weaken the
BitLocker security promise. Intel Boot Guard and AMD Hardware Verified Boot support stronger
implementations of Secure Boot that provide additional resilience against malware and physical attacks. Intel
Boot Guard and AMD Hardware Verified Boot are part of platform boot verification standards for a highly secure
Windows device.
Brute force attacks against a PIN
Require TPM + PIN for anti-hammering protection.
DMA attacks
See Protecting Thunderbolt and other DMA ports earlier in this topic.
Paging file, crash dump, and Hyberfil.sys attacks
These files are secured on an encrypted volume by default when BitLocker is enabled on OS drives. It also blocks
automatic or manual attempts to move the paging file.
Memory remanence
Enable Secure Boot and require a password to change BIOS settings. For customers requiring protection against
these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or
hibernate the device before it leaves the control of an authorized user.
Attacker countermeasures
The following sections cover mitigations for different types of attackers.
Attacker without much skill or with limited physical access
Physical access may be limited by a form factor that does not expose buses and memory. For example, there are
no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the
mainboard. This attacker of opportunity does not use destructive methods or sophisticated forensics
hardware/software.
Mitigation:
Pre-boot authentication set to TPM only (the default)
Attacker with skill and lengthy physical access
Targeted attack with plenty of time; this attacker will open the case, will solder, and will use sophisticated
hardware or software.
Mitigation:
Pre-boot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN
[enhanced pin] to help the TPM anti-hammering mitigation).
-And-
Disable Standby power management and shut down or hibernate the device before it leaves the control
of an authorized user. This can be set using Group Policy:
Computer Configuration|Policies|Administrative Templates|Windows Components|File Explorer|Show
hibernate in the power options menu
Computer Configuration|Policies|Administrative Templates|System|Power Management|Sleep
Settings|Allow standby states (S1-S3) when sleeping (plugged in)
Computer Configuration|Policies|Administrative Templates|System|Power Management|Sleep
Settings|Allow standby states (S1-S3) when sleeping (on battery)
These settings are Not configured by default.
For some systems, bypassing TPM-only may require opening the case, and may require soldering, but could
possibly be done for a reasonable cost. Bypassing a TPM with a PIN protector would cost much more, and
require brute forcing the PIN. With a sophisticated enhanced PIN, it could be nearly impossible. The Group Policy
setting for enhanced PIN is:
Computer Configuration|Administrative Templates|Windows Components|BitLocker Drive Encryption|Operating
System Drives|Allow enhanced PINs for startup
This setting is Not configured by default.
For secure administrative workstations, Microsoft recommends TPM with PIN protector and disable Standby
power management and shut down or hibernate the device.
See also
Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to
BitLocker
BitLocker Group Policy settings
BitLocker CSP
Winlogon automatic restart sign-on (ARSO)
Protecting cluster shared volumes and storage area
networks with BitLocker
3/3/2022 • 8 minutes to read • Edit Online
Applies to
Windows Server 2016
This article for IT pros describes how to protect CSVs and SANs with BitLocker.
BitLocker can protect both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on
clustered volumes allows for an additional layer of protection for administrators wishing to protect sensitive,
highly available data. By adding additional protectors to the clustered volume, administrators can also add an
additional barrier of security to resources within an organization by allowing only certain user accounts access
to unlock the BitLocker volume.
IMPORTANT
SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see Windows Hardware
Lab Kit.
Alternatively, the volume can be a cluster-shared volume, a shared namespace, within the cluster. Windows
Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using
BitLocker with volumes designated for a cluster, the volume will need to turn on BitLocker before its addition to
the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will
complete.
Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker
on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0
volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other
volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in
the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for
cluster disk resource or CSV2.0 resources is not available in the Control Panel item.
NOTE
Mount points can be used to support remote mount points on SMB based network shares. This type of share is not
supported for BitLocker encryption.
For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space
Only encryption mode. You cannot use the manage-bde -WipeFreeSpace command to transition the volume
to full-volume encryption on these types of volumes. This action is blocked in order to avoid expanding thinly
provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space.
Active Directory-based protector
You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held
within your AD DS infrastructure. The ADAccountOrGroup protector is a domain security identifier (SID)-
based protector that can be bound to a user account, machine account, or group. When an unlock request is
made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker
protect/unprotect APIs to unlock or deny the request. BitLocker will unlock protected volumes without user
intervention by attempting protectors in the following order:
1. Clear key
2. Driver-based auto-unlock key
3. ADAccountOrGroup protector
a. Service context protector
b. User protector
4. Registry-based auto-unlock key
NOTE
A Windows Server 2012 or later domain controller is required for this feature to work properly.
Get-Cluster
4. Enable BitLocker on the volume of your choice with an ADAccountOrGroup protector, using the cluster
name. For example, use a command such as:
WARNING
You must configure an ADAccountOrGroup protector using the cluster CNO for a BitLocker enabled volume to
either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster.
3. Put the physical disk resource into maintenance mode using Windows PowerShell.
Get-Cluster
5. Enable BitLocker on the volume of your choice with an ADAccountOrGroup protector, using the cluster
name. For example, use a command such as:
WARNING
You must configure an ADAccountOrGroup protector using the cluster CNO for a BitLocker enabled volume to
either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster.
6. Use Resume-ClusterResource to take the physical disk resource back out of maintenance mode:
a. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will
encounter a hard block. Otherwise, the encryption will continue.
b. Using the -sync parameter is optional. Using it ensures the command waits until the encryption
for the volume is completed before releasing the volume for use in the cluster storage pool.
4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be
clustered
Once the disk is clustered, it can also be enabled for CSV.
5. During the resource online operation, cluster will check to see if the disk is BitLocker encrypted.
a. If the volume is not BitLocker enabled, traditional cluster online operations occur.
b. If the volume is BitLocker enabled, the following check occurs:
If volume is locked , BitLocker will impersonate the CNO and unlock the volume using the CNO
protector. If this operation fails, an event will be logged that the volume could not be unlocked
and the online operation will fail.
6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource
and choosing Add to cluster shared volumes .
CSVs can include both encrypted and unencrypted volumes. To check the status of a particular volume for
BitLocker encryption, administrators can utilize the manage-bde -status command with a path to the volume
inside the CSV namespace as seen in the example command line below.
O N M ETA DATA
O N O W N ER N O DE O F SERVER ( M DS) O F O N ( DATA SERVER) M A IN T EN A N C E
A C T IO N FA ILO VER VO L UM E C SV DS O F C SV M O DE
Unlock Automatic via cluster Automatic via cluster Automatic via cluster Allowed
service service service
NOTE
Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused
encryption or decryption from the MDS node
In the case where a physical disk resource experiences a failover event during conversion, the new owning node
will detect the conversion is not complete and will complete the conversion process.
Other considerations when using BitLocker on CSV2.0
Also take these considerations into account for BitLocker on clustered storage:
BitLocker volumes have to be initialized and beginning encryption before they are available to add to a
CSV2.0 volume.
If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put into disk
maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete.
If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it in
maintenance mode.
If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster
thread (health check) will automatically resume conversion when the volume is online to the cluster.
If conversion is paused with encryption in progress and a physical disk resource volume is offline from the
cluster, the BitLocker driver will automatically resume conversion when the volume is online to the cluster.
If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the
cluster thread (health check) will automatically resume conversion when moving the volume back from
maintenance.
If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode,
the BitLocker driver will automatically resume conversion when the volume is moved back from
maintenance mode.
Guidelines for troubleshooting BitLocker
3/3/2022 • 4 minutes to read • Edit Online
This article addresses common issues in BitLocker and provides guidelines to troubleshoot these issues. This
article also provides information such as what data to collect and what settings to check. This information
makes your troubleshooting process much easier.
To use the Get-WinEvent cmdlet to export the same log to a comma-separated text file, open a Windows
Powershell window and run the following command:
You can use Get-WinEvent in an elevated PowerShell window to display filtered information from the system or
application log by using the following syntax:
To display BitLocker-related information:
NOTE
If you intend to contact Microsoft Support, we recommend that you export the logs listed in this section.
C OMMAND N OT ES
get-tpm > C:\TPM.txt Exports information about the local computer's Trusted
Platform Module (TPM). This cmdlet shows different values
depending on whether the TPM chip is version 1.2 or 2.0.
This cmdlet is not supported in Windows 7.
manage-bde –status > C:\BDEStatus.txt Exports information about the general encryption status of
all drives on the computer.
reagentc /info > C:\reagent.txt Exports information about an online or offline image about
the current status of the Windows Recovery Environment
(WindowsRE) and any available recovery image.
C OMMAND N OT ES
gpresult /h <Filename> Exports the Resultant Set of Policy information, and saves
the information as an HTML file.
2. Open Registry Editor, and export the entries in the following subkeys:
HKLM\SOFTWARE\Policies\Microsoft\FVE
HKLM\SYSTEM\CurrentControlSet\Ser vices\TPM\
Next steps
If the information that you have examined so far indicates a specific issue (for example, WindowsRE is not
enabled), the issue may have a straightforward fix.
Resolving issues that do not have obvious causes depends on exactly which components are involved and what
behavior you see. The information that you have gathered helps you narrow down the areas to investigate.
If you are working on a device that is managed by Microsoft Intune, see Enforcing BitLocker policies by using
Intune: known issues.
If BitLocker does not start or cannot encrypt a drive and you notice errors or events that are related to the
TPM, see BitLocker cannot encrypt a drive: known TPM issues.
If BitLocker does not start or cannot encrypt a drive, see BitLocker cannot encrypt a drive: known issues.
If BitLocker Network Unlock does not behave as expected, see BitLocker Network Unlock: known issues.
If BitLocker does not behave as expected when you recover an encrypted drive, or if you did not expect
BitLocker to recover the drive, see BitLocker recovery: known issues.
If BitLocker or the encrypted drive does not behave as expected, and you notice errors or events that are
related to the TPM, see BitLocker and TPM: other known issues.
If BitLocker or the encrypted drive does not behave as expected, see BitLocker configuration: known issues.
We recommend that you keep the information that you have gathered handy in case you decide to contact
Microsoft Support for help to resolve your issue.
BitLocker cannot encrypt a drive: known issues
3/3/2022 • 2 minutes to read • Edit Online
This article describes common issues that may prevent BitLocker from encrypting a drive. This article also
provides guidance to address these issues.
NOTE
If you have determined that your BitLocker issue involves the Trusted Platform Module (TPM), see BitLocker cannot
encrypt a drive: known TPM issues.
Cause
This issue may be caused by settings that are controlled by Group Policy Objects (GPOs).
Resolution
IMPORTANT
Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you
modify it, back up the registry for restoration in case problems occur.
3. Copy this output, and use it as part of the Conver tFrom-SddlString command in the PowerShell
window, as follows.
If you see NT AUTHORITY\INTERACTIVE (as highlighted), in the output of this command, this is the cause
of the issue. Under typical conditions, the output should resemble the following:
NOTE
GPOs that change the security descriptors of services have been known to cause this issue.
Resolution
1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following
command:
This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage
silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or
more managed devices.
To start narrowing down the cause of the problem, review the event logs as described in Troubleshoot BitLocker.
Concentrate on the Management and Operations logs in the Applications and Ser vices
logs\Microsoft\Windows\BitLocker-API folder. The following sections provide more information about how
to resolve the indicated events and error messages:
Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this
computer
Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer
Event ID 854: WinRE is not configured
Event ID 851: Contact manufacturer for BIOS upgrade
Error message: The UEFI variable 'SecureBoot' could not be read
Event ID 846, 778, and 851: Error 0x80072f9a
Error message: Conflicting Group Policy settings for recovery options on operating system drives
If you do not have a clear trail of events or error messages to follow, other areas to investigate include the
following:
Review the hardware requirements for using Intune to manage BitLocker on devices
Review your BitLocker policy configuration
For information about how to verify that Intune policies are enforcing BitLocker correctly, see Verifying that
BitLocker is operating correctly.
Cause
During the provisioning process, BitLocker Drive Encryption records the configuration of the device to establish
a baseline. If the device configuration changes later (for example, if you remove the media), BitLocker recovery
mode automatically starts.
To avoid this situation, the provisioning process stops if it detects removable bootable media.
Resolution
Remove the bootable media, and restart the device. After the device restarts, verify the encryption status.
Event ID 854: WinRE is not configured
The event information resembles the following:
Cause
Windows Recovery Environment (WinRE) is a minimal Windows operating system that is based on Windows
Preinstallation Environment (Windows PE). WinRE includes several tools that an administrator can use to
recover or reset Windows and diagnose Windows issues. If a device cannot start the regular Windows operating
system, the device tries to start WinRE.
The provisioning process enables BitLocker Drive Encryption on the operating system drive during the Windows
PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is
installed. The provisioning process also creates a system partition for WinRE to use if the system crashes.
If WinRE is not available on the device, provisioning stops.
Resolution
You can resolve this issue by verifying the configuration of the disk partitions, the status of WinRE, and the
Windows Boot Loader configuration. To do this, follow these steps.
Step 1: Verify the configuration of the disk partitions
The procedures described in this section depend on the default disk partitions that Windows configures during
installation. Windows 11 and Windows 10 automatically create a recovery partition that contains the Winre.wim
file. The partition configuration resembles the following.
To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the
following commands:
diskpart
list volume
If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall
Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning.
Make sure that the image uses the correct disk configuration. The image configuration should resemble the
following (this example is from Microsoft Endpoint Configuration Manager).
reagentc /info
If the Windows RE status is not Enabled , run the following command to enable it:
reagentc /enable
Cause
The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker Drive Encryption does
not support legacy BIOS.
Resolution
To verify the BIOS mode, use the System Information app. To do this, follow these steps:
1. Select Star t , and enter msinfo32 in the Search box.
2. Verify that the BIOS Mode setting is UEFI and not Legacy .
3. If the BIOS Mode setting is Legacy , you have to switch the BIOS into UEFI or EFI mode. The steps for
doing this are specific to the device.
NOTE
If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the
device.
Error : BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be
read. A required privilege is not held by the client.
Cause
A Platform Configuration Register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the
state of Secure Boot. Silent BitLocker Drive Encryption requires that Secure Boot is turned on.
Resolution
You can resolve this issue by verifying the PCR validation profile of the TPM and the Secure Boot state. To do
this, follow these steps:
Step 1: Verify the PCR validation profile of the TPM
To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command:
In the TPM section of the output of this command, verify that the PCR Validation Profile setting includes 7 , as
follows.
If PCR Validation Profile doesn't include 7 (for example, the values include 0 , 2 , 4 , and 11 , but not 7 ), then
Secure Boot is not turned on.
3. If the Secure Boot State setting is Unsuppor ted , you cannot use Silent BitLocker Encryption on this
device.
NOTE
You can also use the Confirm-SecureBootUEFI cmdlet to verify the Secure Boot state. To do this, open an elevated
PowerShell window and run the following command:
PS C:\> Confirm-SecureBootUEFI
If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True."
If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns "False."
If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet returns "Cmdlet not
supported on this platform."
Event ID:846
Event: Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
TraceId: {cbac2b6f-1434-4faa-a9c3-597b17c1dfa3} Error: Unknown HResult Error code: 0x80072f9a
Event ID:778
Event: The BitLocker volume C: was reverted to an unprotected state.
Error : BitLocker Drive Encryption cannot be applied to this drive because there are conflicting Group Policy
settings for recovery options on operating system drives. Storing recovery information to Active Directory
Domain Services cannot be required when the generation of recovery passwords is not permitted. Please
have your system administrator resolve these policy conflicts before attempting to enable BitLocker…
Resolution
To resolve this issue, review your Group Policy Object (GPO) settings for conflicts. For further guidance, see the
next section, Review your BitLocker policy configuration.
For more information about GPOs and BitLocker, see BitLocker Group Policy Reference.
NOTE
Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, or Windows 11,
you can use an endpoint protection policy to enforce silent BitLocker Device Encryption even if the device is not HSTI-
compliant.
NOTE
If the Warning for other disk encr yption setting is set to Not configured , you have to manually start the BitLocker
Drive Encryption wizard.
If the device does not support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is
earlier than Windows 10, version 1803, or Windows 11, an endpoint protection policy that has the settings that
are described in this article delivers the policy configuration to the device. However, Windows then notifies the
user to manually enable BitLocker Drive Encryption. To do this, the user selects the notification. This action starts
the BitLocker Drive Encryption wizard.
The Intune 1901 release provides settings that you can use to configure automatic device encryption for
Autopilot devices for standard users. Each device must meet the following requirements:
Be HSTI-compliant
Support Modern Standby
Use Windows 10 version 1803 or later, or Windows 11
NOTE
This node works together with the RequireDeviceEncr yption and AllowWarningForOtherDiskEncr yption nodes.
For this reason, when you set RequireDeviceEncr yption to 1 , AllowStandardUserEncr yption to 1 , and
AllowWarningForOtherDiskEncr yption to 0 . Intune can enforce silent BitLocker encryption for Autopilot devices that
have standard user profiles.
You can also determine whether the BitLocker recovery password has been uploaded to Azure AD by checking
the device details in the Azure AD Devices section.
On the device, check the Registry Editor to verify the policy settings on the device. Verify the entries under the
following subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device
BitLocker Network Unlock: known issues
3/3/2022 • 4 minutes to read • Edit Online
By using the BitLocker Network Unlock feature, you can manage computers remotely without having to enter a
BitLocker PIN when each computer starts up. To do this, You have to configure your environment to meet the
following requirements:
Each computer belongs to a domain
Each computer has a wired connection to the corporate network
The corporate network uses DHCP to manage IP addresses
Each computer has a DHCP driver implemented in its Unified Extensible Firmware Interface (UEFI) firmware
For general guidelines about how to troubleshoot Network Unlock, see How to enable Network Unlock:
Troubleshoot Network Unlock.
This article describes several known issues that you may encounter when you use Network Unlock, and
provides guidance to address these issues.
where <Drive> is the drive letter, followed by a colon (:), of the bootable drive. If the output of this
command includes a key protector of type TpmCer tificate (9) , the configuration is correct for BitLocker
Network Unlock.
2. Start Registry Editor, and verify the following settings:
Entry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE: OSManageNKP is set to 1
Subkey
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCer tificates\FVE_NKP\Cer tificates
has an entry whose name matches the name of the certificate thumbprint of the Network Unlock key
protector that you found in step 1.
NOTE
If you cannot use SEMM, you may be able to configure the Surface Pro 4 to use BitLocker Network Unlock by configuring
the device to use the network as its first boot option.
This article describes common issues that may prevent BitLocker from behaving as expected when you recover
a drive, or that may cause BitLocker to start recovery unexpectedly. The article provides guidance to address
these issues.
NOTE
In this article, "recovery password" refers to the 48-digit recovery password and "recovery key" refers to 32-digit
recovery key. For more information, see BitLocker key protectors.
The recovery password for a laptop was not backed up, and the
laptop is locked
You have a Windows 11 or Windows 10 Home-based laptop, and you have to recover its hard disk. The disk was
encrypted by using BitLocker Driver Encryption. However, the BitLocker recovery password was not backed up,
and the usual user of the laptop is not available to provide the password.
Resolution
You can use either of the following methods to manually back up or synchronize an online client's existing
recovery information:
Create a Windows Management Instrumentation (WMI) script that backs up the information. For more
information, see BitLocker Drive Encryption Provider.
In an elevated Command Prompt window, use the manage-bde command to back up the information.
For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated
Command Prompt window and run the following command:
NOTE
BitLocker does not automatically manage this backup process.
Tablet devices do not support using Manage-bde -forcerecovery to
test recovery mode
You have a tablet or slate device, and you try to test BitLocker Recovery by running the following command:
Manage-bde -forcerecovery
However, after you enter the recovery password, the device cannot start.
Cause
IMPORTANT
Tablet devices do not support the manage-bde -forcerecover y command.
This issue occurs because the Windows Boot Manager cannot process touch input during the pre-boot phase of
startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows
Recovery Environment (WinRE), which can process touch input.
If WindowsRE detects the TPM protector on the hard disk, it does a PCR reseal. However, the manage-bde -
forcerecover y command deletes the TPM protectors on the hard disk. Therefore, WinRE cannot reseal the
PCRs. This failure triggers an infinite BitLocker recovery cycle and prevents Windows from starting.
This behavior is by design for all versions of Windows.
Workaround
To resolve the restart loop, follow these steps:
1. On the BitLocker Recovery screen, select Skip this drive .
2. Select Troubleshoot > Advanced Options > Command Prompt .
3. In the Command Prompt window, run the following commands:
In this command, <OSDriveLetter> represents the drive letter of the operating system drive.
To resolve this issue and repair the device, follow these steps.
Step 1: Disable the TPM protectors on the boot drive
If you have installed a TPM or UEFI update and your device cannot start, even if you enter the correct BitLocker
recovery password, you can restore the ability to start by using the BitLocker recovery password and a Surface
recovery image to remove the TPM protectors from the boot drive.
To do this, follow these steps:
1. Obtain your BitLocker recovery password from your Microsoft.com account. If BitLocker is managed by a
different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your
administrator for help.
2. Use another computer to download the Surface recovery image from Download a recovery image for
your Surface. Use the downloaded image to create a USB recovery drive.
3. Insert the USB Surface recovery image drive into the Surface device, and start the device.
4. When you are prompted, select the following items:
a. Your operating system language.
b. Your keyboard layout.
5. Select Troubleshoot > Advanced Options > Command Prompt .
6. In the Command Prompt window, run the following commands:
In these commands, <Password> is the BitLocker recovery password that you obtained in step 1, and
<DriveLetter> is the drive letter that is assigned to your operating system drive.
NOTE
For more information about how to use this command, see manage-bde: unlock.
NOTE
After you disable the TPM protectors, BitLocker Drive Encryption no longer protects your device. To re-enable BitLocker
Drive Encryption, select Star t , type Manage BitLocker , and then press Enter. Follow the steps to encrypt your drive.
Step 2: Use Surface BMR to recover data and reset your device
To recover data from your Surface device if you cannot start Windows, follow steps 1 through 5 of Step 1 to
return to the Command Prompt window, and then follow these steps:
1. At the command prompt, run the following command:
In this command, <Password> is the BitLocker recovery password that you obtained in step 1 of Step 1,
and <DriveLetter> is the drive letter that is assigned to your operating system drive.
2. After the drive is unlocked, use the copy or xcopy command to copy the user data to another drive.
NOTE
For more information about the these commands, see the Windows commands.
3. To reset your device by using a Surface recovery image, follow the instructions in the "How to reset your
Surface using your USB recovery drive" section in Creating and using a USB recovery drive.
Step 3: Restore the default PCR values
To prevent this issue from recurring, we strongly recommend that you restore the default configuration of
Secure Boot and the PCR values.
To enable Secure Boot on a Surface device, follow these steps:
1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following
cmdlet:
IMPORTANT
TPM and UEFI firmware updates may require multiple restarts while they install. To keep BitLocker suspended during this
process, you must use Suspend-BitLocker and set the Reboot Count parameter to either of the following values:
2 or greater: This value sets the number of times the device can restart before BitLocker Device Encryption resumes.
0 : This value suspends BitLocker Drive Encryption indefinitely, until you use Resume-BitLocker or another mechanism
to resume protection.
To re-enable BitLocker Drive Encryption, select Star t , type Manage BitLocker , and then press Enter. Follow the
steps to encrypt your drive.
Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by “-“ in 6 digit group>
Manage-bde -protectors -disable c:
exit
These commands unlock the drive and then suspend BitLocker by disabling the TPM protectors on the
drive. The final command closes the Command Prompt window.
NOTE
These commands suspend BitLocker for one restart of the device. The -rc 1 option works only inside the
operating system and does not work in the recovery environment.
IMPORTANT
Unless you suspend BitLocker before you start the device, this issue recurs.
To temporarily suspend BitLocker just before you restart the device, open an elevated Command Prompt
window and run the following command:
Resolution
To resolve this issue, install the appropriate update on the affected device:
For Windows 10, version 1703, or Windows 11: July 9, 2019—KB4507450 (OS Build 15063.1928)
For Windows 11, Windows 10, version 1607 and Windows Server 2016: July 9, 2019—KB4507460 (OS Build
14393.3085)
Recovery
Your PC/Device needs to be repaired. A required file couldn't be accessed because your BitLocker key wasn't
loaded correctly.
Error code 0xc0210000
You'll need to use recovery tools. If you don't have any installation media (like a disc or USB device), contact
your PC administrator or PC/Device manufacturer.
Cause
TPM 1.2 does not support Secure Launch. For more information, see System Guard Secure Launch and SMM
protection: Requirements Met by System Guard Enabled Machines
For more information about this technology, see Windows Defender System Guard: How a hardware-based root
of trust helps protect Windows
Resolution
To resolve this issue, do one of the following:
Remove any device that uses TPM 1.2 from any group that is subject to Group Policy Objects (GPOs) that
enforce Secure Launch.
Edit the Turn On Vir tualization Based Security GPO to set Secure Launch Configuration to Disabled .
BitLocker configuration: known issues
3/3/2022 • 6 minutes to read • Edit Online
This article describes common issues that affect your BitLocker configuration and BitLocker's general
functionality. This article also provides guidance to address these issues.
IMPORTANT
To preserve backward compatibility, BitLocker uses the previous conversion model to encrypt removable drives.
ID: 8229
Level: Warning
Source: VSS
Message: A VSS writer has rejected an event with error 0x800423f4, The writer experienced a non-transient
error. If the backup process is retried, the error is likely to reoccur.
Changes that the writer made to the writer components while handling the event will not be available to the
requester.
Check the event log for related events from the application hosting the VSS writer.
Operation:
PostSnapshot Event
Context:
Execution Context: Writer Writer Class Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}
Writer Name: NTDS
Writer Instance ID: {d170b355-a523-47ba-a5c8-732244f70e75} Command Line:
C:\Windows\system32\lsass.exe
Process ID: 680
In the domain controller Directory Services event log, you see an event that resembles the following:
NOTE
The internal ID of this event may differ based on your operating system release and path level.
After this issue occurs, if you run the VSSADMIN list writers command, you see output that resembles the
following for the Active Directory Domain Services (NTDS) VSS Writer:
Additionally, you cannot back up the VMs until you restart them.
Cause
After VSS creates a snapshot of a volume, the VSS writer takes "post snapshot" actions. In the case of a
"production snapshot," which you initiate from the host server, Hyper-V tries to mount the snapshotted volume.
However, it cannot unlock the volume for unencrypted access. BitLocker on the Hyper-V server does not
recognize the volume. Therefore, the access attempt fails and then the snapshot operation fails.
This behavior is by design.
Workaround
There is one supported way to perform backup and restore of a virtualized domain controller:
Run Windows Server Backup in the guest operating system.
If you have to take a production snapshot of a virtualized domain controller, you can suspend BitLocker in the
guest operating system before you start the production snapshot. However, this approach is not recommended.
For more information and recommendations about backing up virtualized domain controllers, see Virtualizing
Domain Controllers using Hyper-V: Backup and Restore Considerations for Virtualized Domain Controllers
More information
When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem
Service (LSASS) generates an error entry that resembles the following:
This article describes common issues that affect the Trusted Platform Module (TPM) and that may prevent
BitLocker from encrypting a drive. This article also provides guidance to address these issues.
NOTE
If you have determined that your BitLocker issue does not involve the TPM, see BitLocker cannot encrypt a drive: known
issues.
The TPM is locked and you see "The TPM is defending against
dictionary attacks and is in a time-out period"
When you turn on BitLocker Drive Encryption, it does not start. Instead, you receive a message that resembles
"The TPM is defending against dictionary attacks and is in a time-out period."
Cause
The TPM is locked out.
Resolution
To resolve this issue, follow these steps:
1. Open an elevated PowerShell window and run the following script:
2. Restart the computer. If you are prompted at the restart screen, press F12 to agree.
3. Try again to start BitLocker Drive Encryption.
You cannot prepare the TPM, and you see "The TPM is defending
against dictionary attacks and is in a time-out period"
You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to
prepare the TPM on a device. The operation fails and you receive a message that resembles "The TPM is
defending against dictionary attacks and is in a time-out period."
Cause
The TPM is locked out.
Resolution
To resolve this issue, disable and re-enable the TPM. To do this, follow these steps:
1. Restart the device, and change the BIOS configuration to disable the TPM.
2. Restart the device again, and return to the TPM management console. You should receive a message that
resembles the following:
Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this
computer has 1.2 TPM and it is turned on in the BIOS.
3. Restart the device, and change the BIOS configuration to enable the TPM.
4. Restart the device, and return to the TPM management console.
If you still cannot prepare the TPM, clear the existing TPM keys. To do this, follow the instructions in Troubleshoot
the TPM: Clear all the keys from the TPM.
WARNING
Clearing the TPM can cause data loss.
0x80072030 There is no such object on the server when a policy to back up TPM information to active
directory is enabled
cscript <Path>Add-TPMSelfWriteACE.vbs
This article describes common issues that relate directly to the Trusted Platform Module (TPM), and provides
guidance to address these issues.
Azure AD: Windows Hello for Business and single sign-on do not
work
You have an Azure Active Directory (Azure AD)-joined client computer that cannot authenticate correctly. You
experience one or more of the following symptoms:
Windows Hello for Business does not work.
Conditional access fails.
Single sign-on (SSO) does not work.
Additionally, the computer logs an entry for Event ID 1026, which resembles the following:
Cause
This event indicates that the TPM is not ready or has some setting that prevents access to the TPM keys.
Additionally, the behavior indicates that the client computer cannot obtain a Primary Refresh Token (PRT).
Resolution
To verify the status of the PRT, use the dsregcmd /status command to collect information. In the tool output,
verify that either User state or SSO state contains the AzureAdPr t attribute. If the value of this attribute is
No , the PRT was not issued. This may indicate that the computer could not present its certificate for
authentication.
To resolve this issue, follow these steps to troubleshoot the TPM:
1. Open the TPM management console (tpm.msc). To do this, select Star t , and enter tpm.msc in the Search
box.
2. If you see a notice to either unlock the TPM or reset the lockout, follow those instructions.
3. If you do not see such a notice, review the BIOS settings of the computer for any setting that you can use to
reset or disable the lockout.
4. Contact the hardware vendor to determine whether there is a known fix for the issue.
5. If you still cannot resolve the issue, clear and re-initialize the TPM. To do this, follow the instructions in
Troubleshoot the TPM: Clear all the keys from the TPM.
WARNING
Clearing the TPM can cause data loss.
TPM 1.2 Error: Loading the management console failed. The device
that is required by the cryptographic provider is not ready for use
You have a Windows 11 or Windows 10 version 1703-based computer that uses TPM version 1.2. When you try
to open the TPM management console, you receive a message that resembles the following:
Loading the management console failed. The device that is required by the cryptographic provider is not
ready for use.
HRESULT 0x800900300x80090030 - NTE_DEVICE_NOT_READY
The device that is required by this cryptographic provider is not ready for use.
TPM Spec version: TPM v1.2
On a different device that is running the same version of Windows, you can open the TPM management console.
Cause (suspected)
These symptoms indicate that the TPM has hardware or firmware issues.
Resolution
To resolve this issue, switch the TPM operating mode from version 1.2 to version 2.0.
If this does not resolve the issue, consider replacing the device motherboard. After you replace the motherboard,
switch the TPM operating mode from version 1.2 to version 2.0.
NTE_BAD_KEYSET (0x80090016/- TPM operation failed or was invalid This issue was probably caused by a
2146893802) corrupted sysprep image. Make sure
that you create the sysprep image by
using a computer that is not joined to
or registered in Azure AD or hybrid
Azure AD.
TPM_E_PCP_INTERNAL_ERROR Generic TPM error. If the device returns this error, disable
(0x80290407/-2144795641) its TPM. Windows 10, version 1809
and later versions, or Windows 11
automatically detect TPM failures and
finish the hybrid Azure AD join without
using the TPM.
TPM_E_NOTFIPS (0x80280036/- The FIPS mode of the TPM is currently If the device gives this error, disable its
2144862154) not supported. TPM. Windows 10, version 1809 and
later versions, or Windows 11
automatically detect TPM failures and
finish the hybrid Azure AD join without
using the TPM.
NTE_AUTHENTICATION_IGNORED The TPM is locked out. This error is transient. Wait for the
(0x80090031/-2146893775) cooldown period, and then retry the
join operation.
For more information about TPM issues, see the following articles:
TPM fundamentals: Anti-hammering
Troubleshooting hybrid Azure Active Directory joined devices
Troubleshoot the TPM
Decode Measured Boot logs to track PCR changes
3/3/2022 • 3 minutes to read • Edit Online
Platform Configuration Registers (PCRs) are memory locations in the Trusted Platform Module (TPM). BitLocker
and its related technologies depend on specific PCR configurations. Additionally, specific change in PCRs can
cause a device or computer to enter BitLocker recovery mode.
By tracking changes in the PCRs, and identifying when they changed, you can gain insight into issues that occur
or learn why a device or computer entered BitLocker recovery mode. The Measured Boot logs record PCR
changes and other information. These logs are located in the C:\Windows\Logs\MeasuredBoot\ folder.
This article describes tools that you can use to decode these logs: TBSLogGenerator and PCPTool.
For more information about Measured Boot and PCRs, see the following articles:
TPM fundamentals: Measured Boot with support for attestation
Understanding PCR banks on TPM 2.0 devices
3. Under Select the features you want to install , select Windows Hardware Lab Kit—Controller +
Studio .
4. Finish the installation.
To use TBSLogGenerator, follow these steps:
1. After the installation finishes, open an elevated Command Prompt window and navigate to the following
folder:
C:\Program Files (x86)\Windows Kits\10\Hardware Lab
Kit\Tests\amd64\NTTEST\BASETEST\ngscb
This folder contains the TBSLogGenerator.exe file.
The command produces a text file that uses the specified name. In the case of the example, the file is
0000000005-0000000000.txt . The file is located in the same folder as the original .log file.
PCPTool is part of the TPM Platform Crypto-Provider Toolkit. The tool decodes a Measured Boot log file and
converts it into an XML file.
To download and install PCPTool, go to the Toolkit page, select Download , and follow the instructions.
To decode a log, run the following command:
Applies to
Windows 10
Windows 11
S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for
email sent to and from an Exchange ActiveSync (EAS) account. S/MIME lets users encrypt outgoing messages
and attachments so that only intended recipients who have a digital identification (ID), also known as a
certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify
the identity of the sender and that the message hasn't been tampered with.
Prerequisites
S/MIME is enabled for Exchange accounts (on-premises and Office 365). Users can’t use S/MIME signing
and encryption with a personal account such as Outlook.com.
Valid Personal Information Exchange (PFX) certificates are installed on the device.
How to Create PFX Certificate Profiles in Configuration Manager
Enable access to company resources using certificate profiles with Microsoft Intune
4. In Select an account , select the account for which you want to configure S/MIME options.
5. Make a certificate selection for digital signature and encryption.
Select Automatically to let the app choose the certificate.
Select Manually to specify the certificate yourself from the list of valid certificates on the device.
6. (Optional) Select Always sign with S/MIME , Always encr ypt with S/MIME , or both, to automatically
digitally sign or encrypt all outgoing messages.
NOTE
The option to sign or encrypt can be changed for individual messages, unless EAS policies prevent it.
7. Tap the back arrow.
Applies to
Windows 10
Windows 11
This guide will walk you through the decisions you will make for Windows 10 or Windows 11 clients in your
enterprise VPN solution and how to configure your deployment. This guide references the VPNv2 Configuration
Service Provider (CSP) and provides mobile device management (MDM) configuration instructions using
Microsoft Intune and the VPN Profile template for Windows 10 and Windows 11.
To create a Windows 10 VPN device configuration profile see: Windows 10 and Windows Holographic device
settings to add VPN connections using Intune.
NOTE
This guide does not explain server deployment.
In this guide
A RT IC L E DESC RIP T IO N
VPN routing decisions Choose between split tunnel and force tunnel configuration
VPN authentication options Select a method for Extensible Authentication Protocol (EAP)
authentication.
VPN and conditional access Use Azure Active Directory policy evaluation to set access
policies for VPN connections.
VPN auto-triggered profile options Set a VPN profile to connect automatically by app or by
name, to be "always on", and to not trigger VPN on trusted
networks
VPN security features Configure traffic filtering, connect a VPN profile to Windows
Information Protection (WIP), and more
VPN profile options Combine settings into single VPN profile using XML
Learn more
Create VPN profiles to connect to VPN servers in Intune
VPN connection types
3/3/2022 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the
Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual
call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point
connection to a remote access server over the Internet. The remote access server answers the call, authenticates
the caller, and transfers data between the VPN client and the organization’s private network.
There are many options for VPN clients. In Windows 10 and Windows 11, the built-in plug-in and the Universal
Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide
focuses on the Windows VPN platform clients and the features that can be configured.
Automatic
The Automatic option means that the device will try each of the built-in tunneling protocols until one
succeeds. It will attempt from most secure to least secure.
Configure Automatic for the NativeProtocolType setting in the VPNv2 CSP.
Related topics
VPN technical guide
VPN routing decisions
VPN authentication options
VPN and conditional access
VPN name resolution
VPN auto-triggered profile options
VPN security features
VPN profile options
VPN routing decisions
3/3/2022 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Network routes are required for the stack to understand which interface to use for outbound traffic. One of the
most important decision points for VPN configuration is whether you want to send all the data through VPN
(force tunnel) or only some data through the VPN (split tunnel). This decision impacts the configuration and the
capacity planning, as well as security expectations from the connection.
Configure routing
See VPN profile options and VPNv2 CSP for XML configuration.
When you configure a VPN profile in Microsoft Intune, you select a checkbox to enable split tunnel
configuration.
Next, in Corporate Boundaries , you add the routes that should use the VPN connection.
Related topics
VPN technical guide
VPN connection types
VPN authentication options
VPN and conditional access
VPN name resolution
VPN auto-triggered profile options
VPN security features
VPN profile options
VPN authentication options
3/3/2022 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
In addition to older and less-secure password-based authentication methods (which should be avoided), the
built-in VPN solution uses Extensible Authentication Protocol (EAP) to provide secure authentication using both
user name and password, and certificate-based methods. You can only configure EAP-based authentication if
you select a built-in VPN type (IKEv2, L2TP, PPTP or Automatic).
Windows supports a number of EAP authentication methods.
EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2):
User name and password authentication
Winlogon credentials - can specify authentication with computer sign-in credentials
EAP-Transport Layer Security (EAP-TLS):
Supports the following types of certificate authentication:
Certificate with keys in the software Key Storage Provider (KSP)
Certificate with keys in Trusted Platform Module (TPM) KSP
Smart card certificates
Windows Hello for Business certificate
Certificate filtering:
Certificate filtering can be enabled to search for a particular certificate to use to authenticate
with
Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based
Server validation - with TLS, server validation can be toggled on or off:
Server name - specify the server to validate
Server certificate - trusted root certificate to validate the server
Notification - specify if the user should get a notification asking whether to trust the server or
not
Protected Extensible Authentication Protocol (PEAP):
Server validation - with PEAP, server validation can be toggled on or off:
Server name - specify the server to validate
Server certificate - trusted root certificate to validate the server
Notification - specify if the user should get a notification asking whether to trust the server or
not
Inner method - the outer method creates a secure tunnel inside while the inner method is used to
complete the authentication:
EAP-MSCHAPv2
EAP-TLS
Fast Reconnect: reduces the delay between an authentication request by a client and the response
by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS)
server. This reduces resource requirements for both client and server, and minimizes the number
of times that users are prompted for credentials.
Cryptobinding: By deriving and exchanging values from the PEAP phase 1 key material (Tunnel
Key ) and from the PEAP phase 2 inner EAP method key material (Inner Session Key ), it is
possible to prove that the two authentications terminate at the same two entities (PEAP peer and
PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against
"Man in the Middle" attacks.
Tunneled Transport Layer Security (TTLS)
Inner method
Non-EAP
Password Authentication Protocol (PAP)
CHAP
MSCHAP
MSCHAPv2
EAP
MSCHAPv2
TLS
Server validation: in TTLS, the server must be validated. The following can be configured:
Server name
Trusted root certificate for server certificate
Whether there should be a server validation notification
For a UWP VPN plug-in, the app vendor controls the authentication method to be used. The following credential
types can be used:
Smart card
Certificate
Windows Hello for Business
User name and password
One-time password
Custom credential type
Configure authentication
See EAP configuration for EAP XML configuration.
NOTE
To configure Windows Hello for Business authentication, follow the steps in EAP configuration to create a smart card
certificate. Learn more about Windows Hello for Business.
The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only
appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP).
Related topics
VPN technical guide
VPN connection types
VPN routing decisions
VPN and conditional access
VPN name resolution
VPN auto-triggered profile options
VPN security features
VPN profile options
VPN and conditional access
3/3/2022 • 5 minutes to read • Edit Online
The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device
compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create
access rules for any Azure Active Directory (Azure AD) connected application.
NOTE
Conditional Access is an Azure AD Premium feature.
Conditional Access Platform components used for Device Compliance include the following cloud-based
services:
Conditional Access Framework
Azure AD Connect Health
Windows Health Attestation Service (optional)
Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based
device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An
Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as
part of an on-premises Enterprise CA. See also Always On VPN deployment for Windows Server and
Windows 10.
Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token
Broker on the local device communicates with Azure Active Directory, which then checks for health based
on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to
authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When
that certificate expires, the client will again check with Azure AD for health validation before a new
certificate is issued.
Microsoft Intune device compliance policies - Cloud-based device compliance leverages Microsoft Intune
Compliance Policies, which are capable of querying the device state and define compliance rules for the
following, among other things.
Antivirus status
Auto-update status and update compliance
Password policy compliance
Encryption compliance
Device health attestation state (validated against attestation service after query)
The following client-side components are also required:
HealthAttestation Configuration Service Provider (CSP)
VPNv2 CSP DeviceCompliance node settings
Trusted Platform Module (TPM)
VPN device compliance
At this time, the Azure AD certificates issued to users do not contain a CRL Distribution Point (CDP) and are not
suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises
resources such as files on a network share, client authentication certificates must be deployed to the Windows
profiles of the users, and their VPNv2 profiles must contain the <SSO> section.
Server-side infrastructure requirements to support VPN device compliance include:
The VPN server should be configured for certificate authentication.
The VPN server should trust the tenant-specific Azure AD CA.
For client access using Kerberos/NTLM, a domain-trusted certificate is deployed to the client device and is
configured to be used for single sign-on (SSO).
After the server side is set up, VPN admins can add the policy settings for conditional access to the VPN profile
using the VPNv2 DeviceCompliance node.
Two client-side configuration service providers are leveraged for VPN device compliance.
VPNv2 CSP DeviceCompliance settings:
Enabled : enables the Device Compliance flow from the client. If marked as true , the VPN client
attempts to communicate with Azure AD to get a certificate to use for authentication. The VPN should
be set up to use certificate authentication and the VPN server must trust the server returned by Azure
AD.
Sso : entries under SSO should be used to direct the VPN client to use a certificate other than the VPN
authentication certificate when accessing resources that require Kerberos authentication.
Sso/Enabled : if this field is set to true , the VPN client looks for a separate certificate for Kerberos
authentication.
Sso/IssuerHash : hashes for the VPN client to look for the correct certificate for Kerberos
authentication.
Sso/Eku : comma-separated list of Enhanced Key Usage (EKU) extensions for the VPN client to look for
the correct certificate for Kerberos authentication.
HealthAttestation CSP (not a requirement) - functions performed by the HealthAttestation CSP include:
Collects TPM data used to verify health states
Forwards the data to the Health Attestation Service (HAS)
Provisions the Health Attestation Certificate received from the HAS
Upon request, forward the Health Attestation Certificate (received from HAS) and related runtime
information to the MDM server for verification
NOTE
Currently, it is required that certificates used for obtaining Kerberos tickets must be issued from an on-premises CA, and
that SSO must be enabled in the user’s VPN profile. This will enable the user to access on-premises resources.
In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA
has the user UPN from AzureAD in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to
ensure that the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN
profile to the client, modify the Rasphone.pbk on the client by changing the entry UseRasCredentials from 1 (default)
to 0 (zero).
When a VPNv2 Profile is configured with <DeviceCompliance> <Enabled>true</Enabled> the VPN client uses
this connection flow:
1. The VPN client calls into Windows 10’s or Windows 11’s Azure AD Token Broker, identifying itself as a
VPN client.
2. The Azure AD Token Broker authenticates to Azure AD and provides it with information about the device
trying to connect. The Azure AD Server checks if the device is in compliance with the policies.
3. If compliant, Azure AD requests a short-lived certificate.
4. Azure AD pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token
Broker then returns control back over to the VPN client for further connection processing.
5. The VPN client uses the Azure AD-issued certificate to authenticate with the VPN server.
Related topics
VPN technical guide
VPN connection types
VPN routing decisions
VPN authentication options
VPN name resolution
VPN auto-triggered profile options
VPN security features
VPN profile options
VPN name resolution
3/3/2022 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
When the VPN client connects to the VPN server, the VPN client receives the client IP address. The client may
also receive the IP address of the Domain Name System (DNS) server and the IP address of the Windows
Internet Name Service (WINS) server.
The name resolution setting in the VPN profile configures how name resolution should work on the system
when VPN is connected. The networking stack first looks at the Name Resolution Policy table (NRPT) for any
matches and tries a resolution in the case of a match. If no match is found, the DNS suffix on the most preferred
interface based on the interface metric is appended to the name (in the case of a short name) and a DNS query
is sent out on the preferred interface. If the query times out, the DNS suffix search list is used in order and DNS
queries are sent on all interfaces.
DNS suffix
This setting is used to configure the primary DNS suffix for the VPN interface and the suffix search list after the
VPN connection is established.
Primary DNS suffix is set using the VPNv2/ ProfileName /DnsSuffix node.
Learn more about primaryDNS suffix
Persistent
You can also configure persistent name resolution rules. Name resolution for specified items will only be
performed over the VPN.
Persistent name resolution is set using the
VPNv2/ ProfileName /DomainNameInformationList// dniRowId /Persistent node.
Configure name resolution
See VPN profile options and VPNv2 CSP for XML configuration.
The following image shows name resolution options in a VPN Profile configuration policy using Microsoft
Intune.
The fields in Add or edit DNS rule in the Intune profile correspond to the XML settings shown in the following
table.
F IEL D XM L
Related topics
VPN technical guide
VPN connection types
VPN routing decisions
VPN authentication options
VPN and conditional access
VPN auto-triggered profile options
VPN security features
VPN profile options
VPN auto-triggered profile options
3/3/2022 • 3 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
In Windows 10 and Windows 11, a number of features have been added to auto-trigger VPN so users won’t
have to manually connect when VPN is needed to access necessary resources. There are three different types of
auto-trigger rules:
App trigger
Name-based trigger
Always On
NOTE
Auto-triggered VPN connections will not work if Folder Redirection for AppData is enabled. Either Folder Redirection for
AppData must be disabled or the auto-triggered VPN profile must be deployed in system context, which changes the
path to where the rasphone.pbk file is stored.
App trigger
VPN profiles in Windows 10 or Windows 11 can be configured to connect automatically on the launch of a
specified set of applications. You can configure desktop or Universal Windows Platform (UWP) apps to trigger a
VPN connection. You can also configure per-app VPN and specify traffic rules for each app. See Traffic filters for
more details.
The app identifier for a desktop app is a file path. The app identifier for a UWP app is a package family name.
Find a package family name (PFN) for per-app VPN configuration
Name-based trigger
You can configure a domain name-based rule so that a specific domain name triggers the VPN connection.
Name-based auto-trigger can be configured using the
VPNv2/ProfileName/DomainNameInformationList/dniRowId/AutoTrigger setting in the VPNv2 Configuration
Service Provider (CSP).
There are four types of name-based triggers:
Short name: for example, if HRweb is configured as a trigger and the stack sees a DNS resolution request for
HRweb , the VPN will be triggered.
Fully-qualified domain name (FQDN): for example, if HRweb.corp.contoso.com is configured as a trigger
and the stack sees a DNS resolution request for HRweb.corp.contoso.com , the VPN will be triggered.
Suffix: for example, if .corp.contoso.com is configured as a trigger and the stack sees a DNS resolution
request with a matching suffix (such as HRweb.corp.contoso.com ), the VPN will be triggered. For any
short name resolution, VPN will be triggered and the DNS server will be queried for the
ShortName.corp.contoso.com .
All: if used, all DNS resolution should trigger VPN.
Always On
Always On is a feature in Windows 10 and Windows 11 which enables the active VPN profile to connect
automatically on the following triggers:
User sign-in
Network change
Device screen on
When the trigger occurs, VPN tries to connect. If an error occurs or any user input is needed, the user is shown a
toast notification for additional interaction.
When a device has multiple profiles with Always On triggers, the user can specify the active profile in Settings
> Network & Internet > VPN > VPN profile by selecting the Let apps automatically use this VPN
connection checkbox. By default, the first MDM-configured profile is marked as Active . Devices with multiple
users have the same restriction: only one profile and therefore only one user will be able to use the Always On
triggers.
Related topics
VPN technical guide
VPN connection types
VPN routing decisions
VPN authentication options
VPN and conditional access
VPN name resolution
VPN security features
VPN profile options
VPN security features
3/3/2022 • 3 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Traffic Filters
Traffic Filters give enterprises the ability to decide what traffic is allowed into the corporate network based on
policy. Network admins can use Traffic Filters to effectively add interface specific firewall rules on the VPN
Interface. There are two types of Traffic Filter rules:
App-based rules. With app-based rules, a list of applications can be marked to allow only traffic originating
from these apps to go over the VPN interface.
Traffic-based rules. Traffic-based rules are 5-tuple policies (ports, addresses, protocol) that can be specified to
allow only traffic matching these rules to go over the VPN interface.
There can be many sets of rules which are linked by OR. Within each set, there can be app-based rules and
traffic-based rules; all the properties within the set will be linked by AND. In addition, these rules can be applied
at a per-app level or a per-device level.
For example, an admin could define rules that specify:
The Contoso HR App must be allowed to go through the VPN and only access port 4545.
The Contoso finance apps are allowed to go over the VPN and only access the Remote IP ranges of
10.10.0.40 - 10.10.0.201 on port 5889.
All other apps on the device should be able to access only ports 80 or 443.
LockDown VPN
A VPN profile configured with LockDown secures the device to only allow network traffic over the VPN interface.
It has the following features:
The system attempts to keep the VPN connected at all times.
The user cannot disconnect the VPN connection.
The user cannot delete or modify the VPN profile.
The VPN LockDown profile uses forced tunnel connection.
If the VPN connection is not available, outbound network traffic is blocked.
Only one VPN LockDown profile is allowed on a device.
NOTE
For built-in VPN, LockDown VPN is only available for the Internet Key Exchange version 2 (IKEv2) connection type.
Deploy this feature with caution, as the resultant connection will not be able to send or receive any network
traffic without the VPN being connected.
Related topics
VPN technical guide
VPN connection types
VPN routing decisions
VPN authentication options
VPN and conditional access
VPN name resolution
VPN auto-triggered profile options
VPN profile options
VPN profile options
3/3/2022 • 5 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Most of the VPN settings in Windows 10 and Windows 11 can be configured in VPN profiles using Microsoft
Intune or Microsoft Endpoint Configuration Manager. All VPN settings in Windows 10 and Windows 11 can be
configured using the ProfileXML node in the VPNv2 configuration service provider (CSP).
NOTE
If you're not familiar with CSPs, read Introduction to configuration service providers (CSPs) first.
The following table lists the VPN settings and whether the setting can be configured in Intune and Configuration
Manager, or can only be configured using ProfileXML .
C A N B E C O N F IGURED IN IN T UN E A N D C O N F IGURAT IO N
P RO F IL E SET T IN G M A N A GER
LockDown No
NOTE
VPN proxy settings are only used on Force Tunnel Connections. On Split Tunnel Connections, the general proxy settings
are used.
The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This
node is useful for deploying profiles with features that aren't yet supported by MDMs. You can get more
examples in the ProfileXML XSD article.
<VPNProfile>
<ProfileName>TestVpnProfile</ProfileName>
<NativeProfile>
<Servers>testServer.VPN.com</Servers>
<NativeProtocolType>IKEv2</NativeProtocolType>
<!--Sample routing policy: in this case, this is a split tunnel configuration with two routes
configured-->
<RoutingPolicyType>SplitTunnel</RoutingPolicyType>
<DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
</NativeProfile>
<Route>
<Address>192.168.0.0</Address>
<PrefixSize>24</PrefixSize>
</Route>
<Route>
<Address>10.10.0.0</Address>
<PrefixSize>16</PrefixSize>
</Route>
<!--Example of per-app VPN. This configures traffic filtering rules for two apps. Internet Explorer is
configured for force tunnel, meaning that all traffic allowed through this app must go over VPN. Microsoft
Edge is configured as split tunnel, so whether data goes over VPN or the physical interface is dictated by
the routing configuration.-->
<TrafficFilter>
<App>
<Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>
</App>
<Protocol>6</Protocol>
<LocalPortRanges>10,20-50,100-200</LocalPortRanges>
<RemotePortRanges>20-50,100-200,300</RemotePortRanges>
<RemoteAddressRanges>30.30.0.0/16,10.10.10.10-20.20.20.20</RemoteAddressRanges>
<RoutingPolicyType>ForceTunnel</RoutingPolicyType>
</TrafficFilter>
<TrafficFilter>
<App>
<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
</App>
<LocalAddressRanges>3.3.3.3/32,1.1.1.1-2.2.2.2</LocalAddressRanges>
</TrafficFilter>
<!--Name resolution configuration. The AutoTrigger node configures name-based triggering. In this profile,
the domain "hrsite.corporate.contoso.com" triggers VPN.-->
<DomainNameInformation>
<DomainName>hrsite.corporate.contoso.com</DomainName>
<DnsServers>1.2.3.4,5.6.7.8</DnsServers>
<WebProxyServers>5.5.5.5</WebProxyServers>
<AutoTrigger>true</AutoTrigger>
</DomainNameInformation>
<DomainNameInformation>
<DomainName>.corp.contoso.com</DomainName>
<DnsServers>10.10.10.10,20.20.20.20</DnsServers>
<WebProxyServers>100.100.100.100</WebProxyServers>
</DomainNameInformation>
<!--EDPMode is turned on for the enterprise ID "corp.contoso.com". When a user accesses an app with that
ID, VPN will be triggered.-->
<EdpModeId>corp.contoso.com</EdpModeId>
<RememberCredentials>true</RememberCredentials>
<!--Always On is turned off, and triggering VPN for the apps and domain name specified earlier in the
profile will not occur if the user is connected to the trusted network "contoso.com".-->
<AlwaysOn>false</AlwaysOn>
<DnsSuffix>corp.contoso.com</DnsSuffix>
<TrustedNetworkDetection>contoso.com</TrustedNetworkDetection>
<Proxy>
<Manual>
<Server>HelloServer</Server>
</Manual>
<AutoConfigUrl>Helloworld.Com</AutoConfigUrl>
</Proxy>
<!--Device compliance is enabled and an alternate certificate is specified for domain resource
authentication.-->
<DeviceCompliance>
<Enabled>true</Enabled>
<Sso>
<Enabled>true</Enabled>
<Eku>This is my Eku</Eku>
<IssuerHash>This is my issuer hash</IssuerHash>
</Sso>
</DeviceCompliance>
</VPNProfile>
Sample plug-in VPN profile
The following sample is a sample plug-in VPN profile. This blob would fall under the ProfileXML node.
<VPNProfile>
<ProfileName>TestVpnProfile</ProfileName>
<PluginProfile>
<ServerUrlList>testserver1.contoso.com;testserver2.contoso..com</ServerUrlList>
<PluginPackageFamilyName>JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy</PluginPackageFamilyName>
<CustomConfiguration><pulse-
schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema>
</CustomConfiguration>
</PluginProfile>
<Route>
<Address>192.168.0.0</Address>
<PrefixSize>24</PrefixSize>
</Route>
<Route>
<Address>10.10.0.0</Address>
<PrefixSize>16</PrefixSize>
</Route>
<AppTrigger>
<App>
<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
</App>
</AppTrigger>
<AppTrigger>
<App>
<Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>
</App>
</AppTrigger>
<TrafficFilter>
<App>
<Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>
</App>
<Protocol>6</Protocol>
<LocalPortRanges>10,20-50,100-200</LocalPortRanges>
<RemotePortRanges>20-50,100-200,300</RemotePortRanges>
<RemoteAddressRanges>30.30.0.0/16,10.10.10.10-20.20.20.20</RemoteAddressRanges>
<!--<RoutingPolicyType>ForceTunnel</RoutingPolicyType>-->
</TrafficFilter>
<TrafficFilter>
<App>
<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
</App>
<LocalAddressRanges>3.3.3.3/32,1.1.1.1-2.2.2.2</LocalAddressRanges>
</TrafficFilter>
<TrafficFilter>
<App>
<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
</App>
<Claims>O:SYG:SYD:(A;;CC;;;AU)</Claims>
<!--<RoutingPolicyType>SplitTunnel</RoutingPolicyType>-->
</TrafficFilter>
<DomainNameInformation>
<DomainName>corp.contoso.com</DomainName>
<DnsServers>1.2.3.4,5.6.7.8</DnsServers>
<WebProxyServers>5.5.5.5</WebProxyServers>
<AutoTrigger>false</AutoTrigger>
</DomainNameInformation>
<DomainNameInformation>
<DomainName>corp.contoso.com</DomainName>
<DnsServers>10.10.10.10,20.20.20.20</DnsServers>
<WebProxyServers>100.100.100.100</WebProxyServers>
</DomainNameInformation>
<!--<EdpModeId>corp.contoso.com</EdpModeId>-->
<RememberCredentials>true</RememberCredentials>
<AlwaysOn>false</AlwaysOn>
<AlwaysOn>false</AlwaysOn>
<DnsSuffix>corp.contoso.com</DnsSuffix>
<TrustedNetworkDetection>contoso.com,test.corp.contoso.com</TrustedNetworkDetection>
<Proxy>
<Manual>
<Server>HelloServer</Server>
</Manual>
<AutoConfigUrl>Helloworld.Com</AutoConfigUrl>
</Proxy>
</VPNProfile>
Learn more
Create VPN profiles to connect to VPN servers in Intune
VPNv2 configuration service provider (CSP) reference
How to Create VPN Profiles in Configuration Manager
Related articles
VPN technical guide
VPN connection types
VPN routing decisions
VPN authentication options
VPN and conditional access
VPN name resolution
VPN auto-triggered profile options
VPN security features
How to configure Diffie Hellman protocol over
IKEv2 VPN connections
3/3/2022 • 2 minutes to read • Edit Online
Applies To: Windows Server (General Availability Channel), Windows Server 2016, Windows 10, Windows
11
In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for
IKE exchanges.
To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets.
VPN server
For VPN servers that run Windows Server 2012 R2 or later, you need to run Set-VpnServerConfiguration to
configure the tunnel type. This makes all IKE exchanges on IKEv2 tunnel use the secure configuration.
Set-VpnServerIPsecConfiguration -CustomPolicy
VPN client
For VPN client, you need to configure each VPN connection. For example, run Set-
VpnConnectionIPsecConfiguration (version 4.0) and specify the name of the connection:
This article explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi
or VPN connections. The following scenarios are typically used:
Connecting to a network using Wi-Fi or VPN.
Use credentials for WiFi or VPN authentication to also authenticate requests to access a domain resource
without being prompted for your domain credentials.
For example, you want to connect to a corporate network and access an internal website that requires Windows
integrated authentication.
The credentials that are used for the connection authentication are placed in Credential Manager as the default
credentials for the logon session. Credential Manager stores credentials that can be used for specific domain
resources. These are based on the target name of the resource:
For VPN, the VPN stack saves its credential as the session default.
For WiFi, Extensible Authentication Protocol (EAP) provides support.
The credentials are placed in Credential Manager as a "*Session" credential. A "*Session" credential implies that
it is valid for the current user session. The credentials are also cleaned up when the WiFi or VPN connection is
disconnected.
For example, if someone using Microsoft Edge tries to access a domain resource, Microsoft Edge has the right
Enterprise Authentication capability. This allows WinInet to release the credentials that it gets from the
Credential Manager to the SSP that is requesting it. For more information about the Enterprise Authentication
capability, see App capability declarations.
The local security authority will look at the device application to determine if it has the right capability. This
includes items such as a Universal Windows Platform (UWP) application. If the app isn't a UWP, it doesn't matter.
But if the application is a UWP app, it will evaluate at the device capability for Enterprise Authentication. If it does
have that capability and if the resource that you're trying to access is in the Intranet zone in the Internet Options
(ZoneMap), then the credential will be released. This behavior helps prevent credentials from being misused by
untrusted third parties.
Intranet zone
For the Intranet zone, by default it only allows single-label names, such as Http://finance. If the resource that
needs to be accessed has multiple domain labels, then the workaround is to use the Registry CSP.
Setting the ZoneMap
The ZoneMap is controlled using a registry that can be set through MDM. By default, single-label names such as
http://finance are already in the intranet zone. For multi-label names, such as http://finance.net, the ZoneMap
needs to be updated.
MDM Policy
OMA URI example:
./Vendor/MSFT/Registry/HKU/S-1-5-21-2702878673-795188819-444038987-
2781/Software/Microsoft/Windows/CurrentVersion/Internet%20Settings/ZoneMap/Domains/ <domain name> /*
as an Integer Value of 1 for each of the domains that you want to SSO into from your device. This adds the
specified domains to the Intranet Zone of the Microsoft Edge browser.
Credential requirements
For VPN, the following types of credentials will be added to credential manager after authentication:
Username and password
Certificate-based authentication:
TPM Key Storage Provider (KSP) Certificate
Software Key Storage Provider (KSP) Certificates
Smart Card Certificate
Windows Hello for Business Certificate
The username should also include a domain that can be reached over the connection (VPN or WiFi).
T EM P L AT E EL EM EN T C O N F IGURAT IO N
Key Storage Provider (KSP) If the device is joined to Azure AD, a discrete SSO certificate
is used.
This article describes how to configure the recommendations in the article Optimize Office 365 connectivity for
remote users using VPN split tunneling for the native Windows 10 and Windows 11 VPN client. This guidance
enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the
VPN connection and through existing security gateways and tooling.
This can be achieved for the native/built-in Windows 10 and Windows 11 VPN client using a Force Tunneling
with Exclusions approach. This allows you to define IP-based exclusions even when using force tunneling in
order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface.
Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will
therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN
tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in
performance and usability for remote users.
NOTE
The term force tunneling with exclusions is sometimes confusingly called "split tunnels" by other vendors and in some
online documentation. For Windows 10 and Windows 11 VPN, the term split tunneling is defined differently as described
in the article VPN routing decisions.
Solution Overview
The solution is based upon the use of a VPN Configuration Service Provider Reference profile (VPNv2 CSP) and
the embedded ProfileXML. These are used to configure the VPN profile on the device. Various provisioning
approaches can be used to create and deploy the VPN profile as discussed in the article Step 6. Configure
Windows 10 client Always On VPN connections.
Typically, these VPN profiles are distributed using a Mobile Device Management solution like Intune, as
described in VPN profile options and Configure the VPN client by using Intune.
To enable the use of force tunneling in Windows 10 or Windows 11 VPN, the <RoutingPolicyType> setting is
typically configured with a value of ForceTunnel in your existing Profile XML (or script) by way of the following
entry, under the <NativeProfile></NativeProfile> section:
<RoutingPolicyType>ForceTunnel</RoutingPolicyType>
In order to define specific force tunnel exclusions, you then need to add the following lines to your existing
Profile XML (or script) for each required exclusion, and place them outside of the
<NativeProfile></NativeProfile> section as follows:
<Route>
<Address>[IP addresses or subnet]</Address>
<PrefixSize>[IP Prefix]</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
Entries defined by the [IP Addresses or Subnet] and [IP Prefix] references will consequently be added to the
routing table as more specific route entries that will use the Internet-connected interface as the default gateway,
as opposed to using the VPN interface. You will need to define a unique and separate <Route></Route> section
for each required exclusion.
An example of a correctly formatted Profile XML configuration for force tunnel with exclusions is shown below:
<VPNProfile>
<NativeProfile>
<RoutingPolicyType>ForceTunnel</RoutingPolicyType>
</NativeProfile>
<Route>
<Address>203.0.113.0</Address>
<PrefixSize>24</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
<Route>
<Address>198.51.100.0</Address>
<PrefixSize>22</PrefixSize>
<ExclusionRoute>true</ExclusionRoute>
</Route>
</VPNProfile>
NOTE
The IP addresses and prefix size values in this example are used purely as examples only and should not be used.
Solution Deployment
For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimize
categories described in Office 365 URLs and IP address ranges to ensure that they are excluded from VPN force
tunneling.
This can be achieved manually by adding the IP addresses defined within the optimize category entries to an
existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the
required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web
service to ensure the correct IP address ranges are always used.
An example of a PowerShell script that can be used to update a force tunnel VPN connection with Office 365
exclusions is provided below.
<#
.SYNOPSIS
Applies or updates recommended Office 365 optimize IP address exclusions to an existing force tunnel
Windows 10 and Windows 11 VPN profile
Windows 10 and Windows 11 VPN profile
.DESCRIPTION
Connects to the Office 365 worldwide commercial service instance endpoints to obtain the latest
published IP address ranges
Compares the optimized IP addresses with those contained in the supplied VPN Profile (PowerShell or XML
file)
Adds or updates IP addresses as necessary and saves the resultant file with "-NEW" appended to the file
name
.PARAMETERS
Filename and path for a supplied Windows 10 or Windows 11 VPN profile file in either PowerShell or XML
format
.NOTES
Requires at least Windows 10 Version 1803 with KB4493437, 1809 with KB4490481, or later
.VERSION
1.0
#>
param (
[string]$VPNprofilefile
)
$usage=@"
VPNprofilefile - The full path and name of the VPN profile PowerShell script or XML file
EXAMPLES
"@
$usage
exit
}
$FileExtension = [System.IO.Path]::GetExtension($VPNprofilefile)
}
catch [System.Xml.XmlException]
{
Write-Verbose "$VPNprofilefile : $($_.toString())"
Write-Host "`nWARNING: The VPN profile XML file is not a valid xml file or incorrectly
formatted!" -ForegroundColor Red
$usage
exit
}
}else
{
Write-Host "`nWARNING: VPN profile XML file does not exist or cannot be found!" -ForegroundColor Red
$usage
exit
}
}
# Check if VPN profile PowerShell script file exists and contains a VPNPROFILE XML section #
if ( $VPNprofilefile -ne "" -and $FileExtension -eq ".ps1")
{
if ( (Test-Path $VPNprofilefile) )
{
if (-Not $(Select-String -Path $VPNprofilefile -Pattern "<VPNPROFILE>") )
{
Write-Host "`nWARNING: PowerShell script file does not contain a valid VPN profile XML section
or is incorrectly formatted!" -ForegroundColor Red
$usage
exit
}
}else
{
Write-Host "`nWARNING: PowerShell script file does not exist or cannot be found!"-ForegroundColor
Red
$usage
exit
}
}
# Fetch client ID and version if data file exists; otherwise create new file #
if (Test-Path $datapath)
{
$content = Get-Content $datapath
$clientRequestId = $content[0]
$lastVersion = $content[1]
}else
{
$clientRequestId = [GUID]::NewGuid().Guid
$lastVersion = "0000000000"
@($clientRequestId, $lastVersion) | Out-File $datapath
}
# Call version method to check the latest version, and pull new data if version number is different #
$version = Invoke-RestMethod -Uri ($ws + "/version?clientRequestId=" + $clientRequestId)
Write-Host
Write-Host "A new version of Office 365 worldwide commercial service instance endpoints has been
detected!" -ForegroundColor Cyan
# Invoke endpoints method to get the data for the VPN profile comparison #
$endpointSets = Invoke-RestMethod -Uri ($uri)
$Optimize = $endpointSets | Where-Object { $_.category -eq "Optimize" }
$optimizeIpsv4 = $Optimize.ips | Where-Object { ($_).contains(".") } | Sort-Object -Unique
$ARRVPN=$null # Array to hold VPN addresses from VPN profile PowerShell file #
$In_Opt_Only=$null # Variable to hold IP addresses that only appear in the optimize list #
$In_VPN_Only=$null # Variable to hold IP addresses that only appear in the VPN profile
PowerShell file #
$regex = '(?sm).*^*.<VPNProfile>\r?\n(.*?)\r?\n</VPNProfile>.*'
if ($In_Opt_Only.Count -gt 0 )
{
Write-Host "Exclusion route IP addresses are unknown, missing, or need to be updated in the VPN
profile`n" -ForegroundColor Red
[int32]$insline=0
if ( $In_VPN_Only.Count -gt 0 )
{
Write-Host "Unknown exclusion route IP addresses have been found in the VPN profile`n" -ForegroundColor
Yellow
}else
{
Write-Host "`nExclusion route IP address has *NOT* been removed from the VPN profile`n"
-ForegroundColor Green
}
}
}
}
if ($In_Opt_Only.Count -gt 0 )
{
Write-Host "Exclusion route IP addresses are unknown, missing, or need to be updated in the VPN
profile`n" -ForegroundColor Red
}else
{
Write-Host "Exclusion route IP addresses are correct and up to date in the VPN profile`n" -
ForegroundColor Green
$OutFile=$VPNprofilefile
}
if ( $In_VPN_Only.Count -gt 0 )
{
Write-Host "Unknown exclusion route IP addresses found in the VPN profile`n" -ForegroundColor
Yellow
}else
{
Write-Host "`nExclusion route IP address has *NOT* been removed from the VPN
profile`n" -ForegroundColor Green
}
}
}
}
Version Support
This solution is supported with the following versions of Windows:
Windows 11
Windows 10 1903/1909 and newer: Included, no action needed
Windows 10 1809: At least KB4490481
Windows 10 1803: At least KB4493437
Windows 10 1709 and lower: Exclusion routes are not supported
Windows 10 Enterprise 2019 LTSC: At least KB4490481
Windows 10 Enterprise 2016 LTSC: Exclusion routes are not supported
Windows 10 Enterprise 2015 LTSC: Exclusion routes are not supported
Microsoft strongly recommends that the latest available Windows 10 cumulative update always be applied.
Other Considerations
You should also be able to adapt this approach to include necessary exclusions for other cloud-services that can
be defined by known/static IP addresses; exclusions required for Cisco WebEx or Zoom are good examples.
Examples
An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365
exclusions is provided below, or refer to the guidance in Create the ProfileXML configuration files to create the
initial PowerShell script:
<#
.SYNOPSIS
Configures an AlwaysOn IKEv2 VPN Connection using a basic script
.DESCRIPTION
Configures an AlwaysOn IKEv2 VPN Connection with proxy PAC information and force tunneling
.PARAMETERS
Parameters are defined in a ProfileXML object within the script itself
.NOTES
Requires at least Windows 10 Version 1803 with KB4493437, 1809 with KB4490481, or later
.VERSION
1.0
#>
NOTE
This XML is formatted for use with Intune and cannot contain any carriage returns or whitespace.
<VPNProfile><RememberCredentials>true</RememberCredentials><DnsSuffix>corp.contoso.com</DnsSuffix>
<AlwaysOn>true</AlwaysOn><TrustedNetworkDetection>corp.contoso.com</TrustedNetworkDetection><NativeProfile>
<Servers>edge1.contoso.com</Servers><RoutingPolicyType>ForceTunnel</RoutingPolicyType>
<NativeProtocolType>IKEv2</NativeProtocolType><Authentication><MachineMethod>Certificate</MachineMethod>
</Authentication></NativeProfile><Route><Address>13.107.6.152</Address><PrefixSize>31</PrefixSize>
<ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.18.10</Address>
<PrefixSize>31</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route>
<Address>13.107.128.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route>
<Route><Address>23.103.160.0</Address><PrefixSize>20</PrefixSize><ExclusionRoute>true</ExclusionRoute>
</Route><Route><Address>40.96.0.0</Address><PrefixSize>13</PrefixSize><ExclusionRoute>true</ExclusionRoute>
</Route><Route><Address>40.104.0.0</Address><PrefixSize>15</PrefixSize><ExclusionRoute>true</ExclusionRoute>
</Route><Route><Address>52.96.0.0</Address><PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute>
</Route><Route><Address>131.253.33.215</Address><PrefixSize>32</PrefixSize>
<ExclusionRoute>true</ExclusionRoute></Route><Route><Address>132.245.0.0</Address>
<PrefixSize>16</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route>
<Address>150.171.32.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route>
<Route><Address>191.234.140.0</Address><PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute>
</Route><Route><Address>204.79.197.215</Address><PrefixSize>32</PrefixSize>
<ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.136.0</Address>
<PrefixSize>22</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route>
<Address>40.108.128.0</Address><PrefixSize>17</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route>
<Route><Address>52.104.0.0</Address><PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route>
<Route><Address>104.146.128.0</Address><PrefixSize>17</PrefixSize><ExclusionRoute>true</ExclusionRoute>
</Route><Route><Address>150.171.40.0</Address><PrefixSize>22</PrefixSize>
<ExclusionRoute>true</ExclusionRoute></Route><Route><Address>13.107.60.1</Address>
<PrefixSize>32</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route><Route>
<Address>13.107.64.0</Address><PrefixSize>18</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route>
<Route><Address>52.112.0.0</Address><PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route>
<Route><Address>52.120.0.0</Address><PrefixSize>14</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route>
<Proxy><AutoConfigUrl>http://webproxy.corp.contoso.com/proxy.pac</AutoConfigUrl></Proxy></VPNProfile>
Windows Defender Firewall with Advanced Security
3/3/2022 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Windows Server 2016 and above
This is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol
security (IPsec) features.
Feature description
Windows Defender Firewall with Advanced Security is an important part of a layered security model. By
providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks
unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with
Network Awareness so that it can apply security settings appropriate to the types of networks to which the
device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are
integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so
Windows Defender Firewall is also an important part of your network’s isolation strategy.
Practical applications
To help address your organizational network security challenges, Windows Defender Firewall offers the
following benefits:
Reduces the risk of network security threats. Windows Defender Firewall reduces the attack
surface of a device, providing an additional layer to the defense-in-depth model. Reducing the attack
surface of a device increases manageability and decreases the likelihood of a successful attack.
Safeguards sensitive data and intellectual proper ty. With its integration with IPsec, Windows
Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications.
It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data,
and optionally helping to protect the confidentiality of the data.
Extends the value of existing investments. Because Windows Defender Firewall is a host-based
firewall that is included with the operating system, there is no additional hardware or software required.
Windows Defender Firewall is also designed to complement existing non-Microsoft network security
solutions through a documented application programming interface (API).
Security baselines
3/3/2022 • 3 minutes to read • Edit Online
Community
Related Videos
You may also be interested in this msdn channel 9 video:
Defrag Tools
See Also
Microsoft Endpoint Configuration Manager
Azure Monitor
Microsoft Security Guidance Blog
Microsoft Security Compliance Toolkit Download
Microsoft Download Center
Microsoft Security Compliance Toolkit 1.0 - How to
use
3/3/2022 • 3 minutes to read • Edit Online
Version Matrix
Client Versions
NAME B UIL D B A SEL IN E REL EA SE DAT E SEC URIT Y TO O L S
Microsoft Products
See also
Windows security baselines
Windows threat protection
3/3/2022 • 2 minutes to read • Edit Online
Applies to:
Windows 10
Windows 11
In Windows client, hardware and software work together to help protect you from new and emerging threats.
Expanded security protections in Windows 11 help boost security from the chip, to the cloud.
Here you will find information about different types of malware, safety tips on how you can protect your
organization, and resources for industry collaboration programs.
Understand malware & other threats
Prevent malware infection
Malware naming convention
How Microsoft identifies malware and PUA
Submit files for analysis
Safety Scanner download
Keep up with the latest malware news and research. Check out our Microsoft Security blogs and follow us on
Twitter for the latest news, discoveries, and protections.
Learn more about Windows security.
Understanding malware & other threats
3/3/2022 • 2 minutes to read • Edit Online
Malware is a term used to describe malicious applications and code that can cause damage and disrupt normal
use of devices. Malware can allow unauthorized access, use system resources, steal passwords, lock you out of
your computer and ask for ransom, and more.
Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch
attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or
extort payment from victims.
As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most
secure version of Windows yet and includes many features to help protect you whether you're at home, at work,
or on the go. With Microsoft Defender for Endpoint, businesses can stay protected with next-generation
protection and other security capabilities.
For good general tips, check out the prevent malware infection topic.
There are many types of malware, including:
Coin miners
Exploits and exploit kits
Macro malware
Phishing
Ransomware
Rootkits
Supply chain attacks
Tech support scams
Trojans
Unwanted software
Worms
Malware authors are always looking for new ways to infect computers. Follow the tips below to stay protected
and minimize threats to your data and accounts.
We name the malware and unwanted software that we detect according to the Computer Antivirus Research
Organization (CARO) malware naming scheme. The scheme uses the following format:
When our analysts research a particular threat, they'll determine what each of the components of the name will
be.
Type
Describes what the malware does on your computer. Worms, viruses, trojans, backdoors, and ransomware are
some of the most common types of malware.
Adware
Backdoor
Behavior
BrowserModifier
Constructor
DDoS
Exploit
HackTool
Joke
Misleading
MonitoringTool
Program
Personal Web Server (PWS)
Ransom
RemoteAccess
Rogue
SettingsModifier
SoftwareBundler
Spammer
Spoofer
Spyware
Tool
Trojan
TrojanClicker
TrojanDownloader
TrojanNotifier
TrojanProxy
TrojanSpy
VirTool
Virus
Worm
Platforms
Platforms guide the malware to its compatible operating system (such as Windows, masOS X, and Android). The
platform's guidance is also used for programming languages and file formats.
Operating systems
AndroidOS: Android operating system
DOS: MS-DOS platform
EPOC: Psion devices
FreeBSD: FreeBSD platform
iPhoneOS: iPhone operating system
Linux: Linux platform
macOS: MAC 9.x platform or earlier
macOS_X: MacOS X or later
OS2: OS2 platform
Palm: Palm operating system
Solaris: System V-based Unix platforms
SunOS: Unix platforms 4.1.3 or lower
SymbOS: Symbian operating system
Unix: general Unix platforms
Win16: Win16 (3.1) platform
Win2K: Windows 2000 platform
Win32: Windows 32-bit platform
Win64: Windows 64-bit platform
Win95: Windows 95, 98 and ME platforms
Win98: Windows 98 platform only
WinCE: Windows CE platform
WinNT: WinNT
Scripting languages
ABAP: Advanced Business Application Programming scripts
ALisp: ALisp scripts
AmiPro: AmiPro script
ANSI: American National Standards Institute scripts
AppleScript: compiled Apple scripts
ASP: Active Server Pages scripts
AutoIt: AutoIT scripts
BAS: Basic scripts
BAT: Basic scripts
CorelScript: Corelscript scripts
HTA: HTML Application scripts
HTML: HTML Application scripts
INF: Install scripts
IRC: mIRC/pIRC scripts
Java: Java binaries (classes)
JS: JavaScript scripts
LOGO: LOGO scripts
MPB: MapBasic scripts
MSH: Monad shell scripts
MSIL: .NET intermediate language scripts
Perl: Perl scripts
PHP: Hypertext Preprocessor scripts
Python: Python scripts
SAP: SAP platform scripts
SH: Shell scripts
VBA: Visual Basic for Applications scripts
VBS: Visual Basic scripts
WinBAT: Winbatch scripts
WinHlp: Windows Help scripts
WinREG: Windows registry scripts
Macros
A97M: Access 97, 2000, XP, 2003, 2007, and 2010 macros
HE: macro scripting
O97M: Office 97, 2000, XP, 2003, 2007, and 2010 macros - those that affect Word, Excel, and PowerPoint
PP97M: PowerPoint 97, 2000, XP, 2003, 2007, and 2010 macros
V5M: Visio5 macros
W1M: Word1Macro
W2M: Word2Macro
W97M: Word 97, 2000, XP, 2003, 2007, and 2010 macros
WM: Word 95 macros
X97M: Excel 97, 2000, XP, 2003, 2007, and 2010 macros
XF: Excel formulas
XM: Excel 95 macros
Other file types
ASX: XML metafile of Windows Media .asf files
HC: HyperCard Apple scripts
MIME: MIME packets
Netware: Novell Netware files
QT: Quicktime files
SB: StarBasic (StarOffice XML) files
SWF: Shockwave Flash files
TSQL: MS SQL server files
XML: XML files
Family
Grouping of malware based on common characteristics, including attribution to the same authors. Security
software providers sometimes use different names for the same malware family.
Variant letter
Used sequentially for every distinct version of a malware family. For example, the detection for the variant ".AF"
would have been created after the detection for the variant ".AE".
Suffixes
Provides extra detail about the malware, including how it's used as part of a multicomponent threat. In the
preceding example, "!lnk" indicates that the threat component is a shortcut file used by Trojan:Win32/Reveton.T.
.dam: damaged malware
.dll: Dynamic Link Library component of a malware
.dr: dropper component of a malware
.gen: malware that is detected using a generic signature
.kit: virus constructor
.ldr: loader component of a malware
.pak: compressed malware
.plugin: plug-in component
.remnants: remnants of a virus
.worm: worm component of that malware
!bit: an internal category used to refer to some threats
!cl: an internal category used to refer to some threats
!dha: an internal category used to refer to some threats
!pfn: an internal category used to refer to some threats
!plock: an internal category used to refer to some threats
!rfn: an internal category used to refer to some threats
!rootkit: rootkit component of that malware
@m: worm mailers
@mm: mass mailer worm
Coin miners
3/3/2022 • 2 minutes to read • Edit Online
Cybercriminals are always looking for new ways to make money. With the rise of digital currencies, also known
as cryptocurrencies, criminals see a unique opportunity to infiltrate an organization and secretly mine for coins
by reconfiguring malware.
Exploits take advantage of vulnerabilities in software. A vulnerability is like a hole in your software that malware
can use to get onto your device. Malware exploits these vulnerabilities to bypass your computer's security
safeguards to infect your device.
What exactly are fileless threats? The term "fileless" suggests that a threat doesn't come in a file, such as a
backdoor that lives only in the memory of a machine. However, there's no one definition for fileless malware.
The term is used broadly, and sometimes to describe malware families that do rely on files to operate.
Attacks involve several stages for functionalities like execution, persistence, or information theft. Some parts of
the attack chain may be fileless, while others may involve the file system in some form.
For clarity, fileless threats are grouped into different categories.
Macros are a powerful way to automate common tasks in Microsoft Office and can make people more
productive. However, macro malware uses this functionality to infect your device.
Phishing attacks attempt to steal sensitive information through emails, websites, text messages, or other forms
of electronic communication. They try to look like official communication from legitimate companies or
individuals.
Cybercriminals often attempt to steal usernames, passwords, credit card details, bank account information, or
other credentials. They use stolen information for malicious purposes, such as hacking, identity theft, or stealing
money directly from bank accounts and credit cards. The information can also be sold in cybercriminal
underground markets.
Social engineering attacks are designed to take advantage of a user's possible lapse in decision-making. Be
aware and never provide sensitive or personal information through email or unknown websites, or over the
phone. Remember, phishing emails are designed to appear legitimate.
There's a request for personal information such as social security numbers or bank or financial
information. Official communications won't generally request personal information from you in the form
of an email.
Items in the email address will be changed so that it is similar enough to a legitimate email address,
but has added numbers or changed letters.
The message is unexpected and unsolicited . If you suddenly receive an email from an entity or a
person you rarely deal with, consider this email suspect.
The message or the attachment asks you to enable macros, adjust security settings, or install
applications . Normal emails won't ask you to do this.
The message contains errors . Legitimate corporate messages are less likely to have typographic or
grammatical errors or contain wrong information.
The sender address doesn't match the signature on the message itself. For example, an email is
purported to be from Mary of Contoso Corp, but the sender address is [email protected].
There are multiple recipients in the “To” field and they appear to be random addresses. Corporate
messages are normally sent directly to individual recipients.
The greeting on the message itself doesn't personally address you . Apart from messages that
mistakenly address a different person, greetings that misuse your name or pull your name directly from
your email address tend to be malicious.
The website looks familiar but there are inconsistencies or things that aren't quite right . Warning
signs include outdated logos, typos, or ask users to give additional information that is not asked by
legitimate sign-in websites.
The page that opens is not a live page , but rather an image that is designed to look like the site you are
familiar with. A pop-up may appear that requests credentials.
If in doubt, contact the business by known channels to verify if any suspicious emails are in fact legitimate.
Malware authors use rootkits to hide malware on your device, allowing malware to persist as long as possible. A
successful rootkit can potentially remain in place for years if it's undetected. During this time, it will steal
information and resources.
Supply chain attacks are an emerging kind of threat that target software developers and suppliers. The goal is to
access source codes, build processes, or update mechanisms by infecting legitimate apps to distribute malware.
Tech support scams are an industry-wide issue where scammers use scare tactics to trick users into paying for
unnecessary technical support services that supposedly fix contrived device, platform, or software problems.
Trojans are a common type of malware which, unlike viruses, can’t spread on their own. This means they either
have to be downloaded manually or another malware needs to download and install them.
Trojans often use the same file names as real and legitimate apps. It is easy to accidentally download a trojan
thinking that it is a legitimate app.
Unwanted software are programs that alter the Windows experience without your consent or control. This can
take the form of modified browsing experience, lack of control over downloads and installation, misleading
messages, or unauthorized changes to Windows settings.
A worm is a type of malware that can copy itself and often spreads through a network by exploiting security
vulnerabilities. It can spread through email attachments, text messages, file-sharing programs, social networking
sites, network shares, removable drives, and software vulnerabilities.
Microsoft aims to provide a delightful and productive Windows experience by working to ensure you're safe and
in control of your devices. Microsoft helps protect you from potential threats by identifying and analyzing
software and online content. When you download, install, and run software, we check the reputation of
downloaded programs and ensure you're protected against known threats. You are also warned about software
that is unknown to us.
You can assist Microsoft by submitting unknown or suspicious software for analysis. This will help ensure that
unknown or suspicious software is scanned by our system to start establishing reputation. Learn more about
submitting files for analysis
The next sections provide an overview of the classifications we use for applications and the types of behaviors
that lead to that classification.
NOTE
New forms of malware and potentially unwanted applications are being developed and distributed rapidly. The following
list may not be comprehensive, and Microsoft reserves the right to adjust, expand, and update these without prior notice
or announcement.
Malware
Malware is the overarching name for applications and other code, like software, that Microsoft classifies more
granularly as malicious software or unwanted software.
Malicious software
Malicious software is an application or code that compromises user security. Malicious software may steal your
personal information, lock your device until you pay a ransom, use your device to send spam, or download
other malicious software. In general, malicious software wants to trick, cheat, or defrauds users, placing them in
vulnerable states.
Microsoft classifies most malicious software into one of the following categories:
Backdoor : A type of malware that gives malicious hackers remote access to and control of your device.
Command and Control: A type of malware that infects your device and establishes communication
with the hackers’ command-and-control server to receive instructions. Once communication is
established, hackers can send commands that can steal data, shut down and reboot the device, and
disrupt web services.
Downloader : A type of malware that downloads other malware onto your device. It must connect to the
internet to download files.
Dropper : A type of malware that installs other malware files onto your device.Unlike a downloader, a
dropper doesn't have to connect to the internet to drop malicious files. The dropped files are typically
embedded in the dropper itself.
Exploit: A piece of code that uses software vulnerabilities to gain access to your device and perform
other tasks, such as installing malware. See more information about exploits.
Hacktool: A type of tool that can be used to gain unauthorized access to your device.
Macro virus: A type of malware that spreads through infected documents, such as Microsoft Word or
Excel documents. The virus is run when you open an infected document.
Obfuscator : A type of malware that hides its code and purpose, making it more difficult for security
software to detect or remove.
Password stealer : A type of malware that gathers your personal information, such as usernames and
passwords. It often works along with a keylogger, which collects and sends information about the keys
you press and websites you visit.
Ransomware: A type of malware that encrypts your files or makes other modifications that can prevent
you from using your device. It then displays a ransom note that states you must pay money or perform
other actions before you can use your device again. See more information about ransomware.
Rogue security software: Malware that pretends to be security software but doesn't provide any
protection. This type of malware usually displays alerts about nonexistent threats on your device. It also
tries to convince you to pay for its services.
Trojan: A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't
spread by itself. Instead, it tries to look legitimate to tricks users into downloading and installing it. Once
installed, trojans perform various malicious activities such as stealing personal information, downloading
other malware, or giving attackers access to your device.
Trojan clicker : A type of trojan that automatically clicks buttons or similar controls on websites or
applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online
polls or other tracking systems and can even install applications on your device.
Worm: A type of malware that spreads to other devices. Worms can spread through email, instant
messaging, file sharing platforms, social networks, network shares, and removable drives. Sophisticated
worms take advantage of software vulnerabilities to propagate.
Unwanted software
Microsoft believes that you should have control over your Windows experience. Software running on Windows
should keep you in control of your device through informed choices and accessible controls. Microsoft identifies
software behaviors that ensure you stay in control. We classify software that doesn't fully demonstrate these
behaviors as "unwanted software".
Lack of choice
You must be notified about what is happening on your device, including what software does and whether it's
active.
Software that exhibits lack of choice might:
Fail to provide prominent notice about the behavior of the software and its purpose and intent.
Fail to clearly indicate when the software is active. It might also attempt to hide or disguise its presence.
Install, reinstall, or remove software without your permission, interaction, or consent.
Install other software without a clear indication of its relationship to the primary software.
Circumvent user consent dialogs from the browser or operating system.
Falsely claim to be software from Microsoft.
Software must not mislead or coerce you into making decisions about your device. It is considered behavior that
limits your choices. In addition to the previous list, software that exhibits lack of choice might:
Display exaggerated claims about your device's health.
Make misleading or inaccurate claims about files, registry entries, or other items on your device.
Display claims in an alarming manner about your device's health and require payment or certain actions
in exchange for fixing the purported issues.
Software that stores or transmits your activities or data must:
Give you notice and get consent to do so. Software shouldn't include an option that configures it to hide
activities associated with storing or transmitting your data.
Lack of control
You must be able to control software on your device. You must be able to start, stop, or otherwise revoke
authorization to software.
Software that exhibits lack of control might:
Prevent or limit you from viewing or modifying browser features or settings.
Open browser windows without authorization.
Redirect web traffic without giving notice and getting consent.
Modify or manipulate webpage content without your consent.
Software that changes your browsing experience must only use the browser's supported extensibility model for
installation, execution, disabling, or removal. Browsers that don't provide supported extensibility models are
considered non-extensible and shouldn't be modified.
Installation and removal
You must be able to start, stop, or otherwise revoke authorization given to software. Software should obtain
your consent before installing, and it must provide a clear and straightforward way for you to install, uninstall,
or disable it.
Software that delivers poor installation experience might bundle or download other "unwanted software" as
classified by Microsoft.
Software that delivers poor removal experience might:
Present confusing or misleading prompts or pop-ups when you try to uninstall it.
Fail to use standard install/uninstall features, such as Add/Remove Programs.
Advertising and advertisements
Software that promotes a product or service outside of the software itself can interfere with your computing
experience. You should have clear choice and control when installing software that presents advertisements.
The advertisements that are presented by software must:
Include an obvious way for users to close the advertisement. The act of closing the advertisement must
not open another advertisement.
Include the name of the software that presented the advertisement.
The software that presents these advertisements must:
Provide a standard uninstall method for the software using the same name as shown in the advertisement it
presents.
Advertisements shown to you must:
Be distinguishable from website content.
Not mislead, deceive, or confuse.
Not contain malicious code.
Not invoke a file download.
Consumer opinion
Microsoft maintains a worldwide network of analysts and intelligence systems where you can submit software
for analysis. Your participation helps Microsoft identify new malware quickly. After analysis, Microsoft creates
Security intelligence for software that meets the described criteria. This Security intelligence identifies the
software as malware and are available to all users through Microsoft Defender Antivirus and other Microsoft
antimalware solutions.
If you have a file that you suspect might be malware or is being incorrectly detected, you can submit it to us for
analysis. This page has answers to some common questions about submitting a file for analysis.
Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply
download it and run a scan to find malware and try to reverse changes made by identified threats.
Download Microsoft Safety Scanner (32-bit)
Download Microsoft Safety Scanner (64-bit)
NOTE
Starting November 2019, Safety Scanner will be SHA-2 signed exclusively. Your devices must be updated to support SHA-
2 in order to run Safety Scanner. To learn more, see 2019 SHA-2 Code Signing Support requirement for Windows and
WSUS.
Important information
The security intelligence update version of the Microsoft Safety Scanner matches the version described in
this web page.
Safety Scanner only scans when manually triggered and is available for use 10 days after being
downloaded. We recommend that you always download the latest version of this tool before each scan.
Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on
the desktop. Note where you saved this download.
This tool does not replace your antimalware product. For real-time protection with automatic updates,
use Microsoft Defender Antivirus on Windows 11, Windows 10, and Windows 8 or Microsoft Security
Essentials on Windows 7. These antimalware products also provide powerful malware removal
capabilities. If you are having difficulties removing malware with these products, you can refer to our help
on removing difficult threats.
System requirements
Safety Scanner helps remove malicious software from computers running Windows 11, Windows 10, Windows
10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows
Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows
Server 2008. For details, refer to the Microsoft Lifecycle Policy.
There are various industry-wide collaboration programs with different objectives and requirements, provided by
Microsoft. Enrolling in the right program can help you protect your customers, gain more insight into the
current threat landscape, or help disrupting the malware ecosystem.
The Virus Information Alliance (VIA) is a public anti-malware collaboration program for security software
providers, security service providers, anti-malware testing organizations, and other organizations involved in
fighting cyber crime.
Members of the VIA program collaborate by exchanging technical information on malicious software with
Microsoft. The goal is to improve protection for Microsoft customers.
The Microsoft Virus Initiative (MVI) helps organizations develop better-together security solutions that are
performant, reliable, and aligned with Microsoft technology and strategy.
Become a member
You can request membership if you're a representative for an organization that develops and produces
antimalware or antivirus technology.
To qualify for the MVI program, your organization must meet all the following requirements:
1. Your security solution either replaces or compliments Microsoft Defender Antivirus.
2. Your organization is responsible for both developing and distributing app updates to end-customers that
address compatibility with Windows.
3. Your organization must be active in the antimalware industry and have a positive reputation, as
evidenced by participation in industry conferences or being reviewed in an industry-standard report
such as AV-Comparatives, OPSWAT, or Gartner.
4. Your organization must sign a non-disclosure agreement (NDA) with Microsoft.
5. Your organization must sign a program license agreement. Maintaining this license agreement requires
that you adhere to all program requirements for antimalware apps. These requirements define the
behavior of antimalware apps necessary to ensure proper interaction with Windows.
6. You must submit your app to Microsoft for periodic performance testing and feature review.
7. Your solution must be certified through independent testing by at least one industry-standard
organization, and yearly certification must be maintained.
AV-Test Must pass tests for Windows. Achieve "AV-TEST Certified" (for home
Certifications for Mac and Linux aren't users) or "AV-TEST Approved” (for
accepted corporate users)
https://www.av-test.org/en/about-the-
institute/certification/
NSS Labs Advanced Endpoint Protection AEP “Neutral” rating from NSS
3.0, which covers automatic threat
prevention and threat event reporting
capabilities
https://www.nsslabs.com/tested-
technologies/advanced-endpoint-
protection/
SKD Labs Certification Requirements Product: SKD Labs Star Check Certification
Anti-virus or Antimalware Requirements Pass >= 98.5% with On
http://www.skdlabs.com/html/english/ Demand, On Access and Total
http://www.skdlabs.com/cert/ Detection tests
Apply now
If your organization meets these criteria and is interested in joining, apply for membership now.
Coordinated Malware Eradication
3/3/2022 • 2 minutes to read • Edit Online
Coordinated Malware Eradication (CME) aims to bring organizations in cybersecurity and in other industries
together to change the game against malware. While the cybersecurity industry today is effective at disrupting
malware families through individual efforts, those disruptions rarely lead to eradication since malware authors
quickly adapt their tactics to survive.
CME calls for organizations to pool their tools, information, and actions to drive coordinated campaigns against
malware. The goal is to drive efficient and long-lasting results to better protect our communities, customers, and
businesses.
Concerned about the detection of your software? If you believe that your application or program has been
incorrectly detected by Microsoft security software, submit the relevant files for analysis.
Check out the following resources for information on how to submit and view submissions:
Submit files
View your submissions
Additional resources
Detection criteria
To objectively identify malware and unidentified software, Microsoft applies a set of criteria for evaluating
malicious or potentially harmful code.
Developer questions
Find more guidance about the file submission and detection dispute process in our FAQ for software developers.
Scan your software
Use Microsoft Defender Antivirus to check your software against the latest Security intelligence and cloud
protection from Microsoft.
Override Process Mitigation Options to help enforce
app-related security policies
3/3/2022 • 3 minutes to read • Edit Online
Applies to:
Windows 10, version 1607
Windows Server 2016
Windows 10 includes Group Policy-configurable “Process Mitigation Options” that add advanced protections
against memory-based attacks, that is, attacks where malware manipulates memory to gain control of a system.
For example, malware might attempt to use buffer overruns to inject malicious executable code into memory,
but Process Mitigation Options can prevent the running of the malicious code.
IMPORTANT
We recommend trying these mitigations in a test lab before deploying to your organization, to determine if they interfere
with your organization’s required apps.
The Group Policy settings in this topic are related to three types of process mitigations. In Windows 10, all three
types are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you
can configure additional protections. The types of process mitigations are:
Data Execution Prevention (DEP) is a system-level memory protection feature that enables the
operating system to mark one or more pages of memory as non-executable, preventing code from being
run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code
from being run from data pages such as the default heap, stacks, and memory pools. For more
information, see Data Execution Prevention.
Structured Exception Handling Over write Protection (SEHOP) is designed to block exploits that
use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is
provided at run-time, it helps to protect apps regardless of whether they have been compiled with the
latest improvements. For more information, see Structured Exception Handling Overwrite Protection.
Address Space Layout Randomization (ASLR) loads DLLs into random memory addresses at boot
time to mitigate against malware that’s designed to attack specific memory locations, where specific DLLs
are expected to be loaded. For more information, see Address Space Layout Randomization. To find
additional ASLR protections in the table below, look for IMAGES or ASLR .
The following procedure describes how to use Group Policy to override individual Process Mitigation
Options settings.
To modify Process Mitigation Options
1. Open your Group Policy editor and go to the Administrative Templates\System\Mitigation
Options\Process Mitigation Options setting.
2. Click Enabled , and then in the Options area, click Show to open the Show Contents box, where you’ll
be able to add your apps and the appropriate bit flag values, as shown in the Setting the bit field and
Example sections of this topic.
Impor tant
For each app you want to include, you must include:
Value name. The app file name, including the extension. For example, iexplore.exe.
Value. A bit field with a series of bit flags in particular positions. Bits can be set to 0 (where the
setting is forced off), 1 (where the setting is forced on), or ? (where the setting retains the previous,
existing value).
Note
Setting bit flags in positions not specified here to anything other than ? might cause undefined
behavior.
Setting the bit field
Here’s a visual representation of the bit flag locations for the various Process Mitigation Options settings:
Where the bit flags are read from right to left and are defined as:
C 2 Turns on Structured
PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE
(0x00000004) Exception Handler
Overwrite Protection
(SEHOP) for child processes.
SEHOP helps to block
exploits that use the
Structured Exception
Handler (SEH) overwrite
technique.
Example
If you want to turn on the PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE and
PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON settings, turn off
the PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF setting, and leave
everything else as the default values, you’d want to type a value of ???????????????0???????1???????1 .
Use Windows Event Forwarding to help with
intrusion detection
3/3/2022 • 25 minutes to read • Edit Online
Applies to
Windows 10
Windows Server
Learn about an approach to collect events from devices in your organization. This article talks about events in
both normal operations and when an intrusion is suspected.
Windows Event Forwarding (WEF) reads any operational or administrative event log on a device in your
organization and forwards the events you choose to a Windows Event Collector (WEC) server.
To accomplish this functionality, there are two different subscriptions published to client devices - the Baseline
subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and
a Suspect subscription only includes devices that have been added by you. The Suspect subscription collects
more events to help build context for system activity and can quickly be updated to accommodate new events
and/or scenarios as needed without impacting baseline operations.
This implementation helps differentiate where events are ultimately stored. Baseline events can be sent to
devices with online analytical capability, such as Security Event Manager (SEM), while also sending events to a
MapReduce system, such as HDInsight or Hadoop, for long-term storage and deeper analysis. Events from the
Suspect subscription are sent directly to a MapReduce system due to volume and lower signal/noise ratio, they
are largely used for host forensic analysis.
An SEM’s strength lies in being able to inspect, correlate events, and generate alerts for known patterns manner
and alert security staff at machine speed.
A MapReduce system has a longer retention time (years versus months for an SEM), larger ingress ability
(hundreds of terabytes per day), and the ability to perform more complex operations on the data like statistical
and trend analysis, pattern clustering analysis, or apply Machine Learning algorithms.
Here's an approximate scaling guide for WEF events:
Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF
implementation, including enabling of disabled event logs and setting channel permissions. For more info, see
Appendix C - Event channel settings (enable and channel access) methods. This condition is because WEF is a
passive system regarding the event log. It cannot change the size of event log files, enable disabled event
channels, change channel permissions, or adjust a security audit policy. WEF only queries event channels for
existing events. Additionally, having event generation already occurring on a device allows for more complete
event collection building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO
and WEF subscription refresh cycles to make changes to what is being generated on the device. On modern
devices, enabling additional event channels and expanding the size of event log files hasn't resulted in noticeable
performance differences.
For the minimum recommended audit policy and registry system ACL settings, see Appendix A - Minimum
recommended minimum audit policy and Appendix B - Recommended minimum registry system ACL policy.
Note: These are only minimum values need to meet what the WEF subscription selects.
From a WEF subscription management perspective, the event queries provided should be used in two separate
subscriptions for ease of maintenance; only machines meeting specific criteria would be allowed access to the
targeted subscription, this access would be determined by an algorithm or an analysts’ direction. All devices
should have access to the Baseline subscription.
This system of dual subscription means you would create two base subscriptions:
Baseline WEF subscription . Events collected from all hosts; these events include some role-specific events,
which will only be emitted by those machines.
Targeted WEF subscription . Events collected from a limited set of hosts due to unusual activity and/or
heightened awareness for those systems.
Each using the respective event query below. For the Targeted subscription enabling the “read existing events”
option should be set to true to allow collection of existing events from systems. By default, WEF subscriptions
will only forward events generated after the WEF subscription was received by the client.
In Appendix E – Annotated Baseline Subscription Event Query and Appendix F – Annotated Suspect Subscription
Event Query, the event query XML is included when creating WEF subscriptions. These subscriptions are
annotated for query purpose and clarity. Individual <Query> element can be removed or edited without
affecting the rest of the query.
Common WEF questions
This section addresses common questions from IT pros and customers.
Will the user notice if their machine is enabled for WEF or if WEF encounters an error?
The short answer is: No.
The longer answer is: The Eventlog-for wardingPlugin/Operational event channel logs the success, warning,
and error events related to WEF subscriptions present on the device. Unless the user opens Event Viewer and
navigates to that channel, they won't notice WEF either through resource consumption or Graphical User
Interface pop-ups. Even if there is an issue with the WEF subscription, there is no user interaction or
performance degradation. All success, warning, and failure events are logged to this operational event channel.
Is WEF Push or Pull?
A WEF subscription can be configured to be push or pull, but not both. The simplest, most flexible IT deployment
with the greatest scalability can be achieved by using a push, or source initiated, subscription. WEF clients are
configured by using a GPO and the built-in forwarding client is activated. For pull, collector initiated, the
subscription on the WEC server is pre-configured with the names of the WEF Client devices from which events
are to be selected. Those clients are to be configured ahead of time to allow the credentials used in the
subscription to access their event logs remotely (normally by adding the credential to the Event Log Readers
built-in local security group.) A useful scenario: closely monitoring a specific set of machines.
Will WEF work over VPN or RAS?
WEF handles VPN, RAS, and DirectAccess scenarios well and will reconnect and send any accumulated backlog
of events when the connection to the WEF Collector is re-established.
How is client progress tracked?
The WEC server maintains in its registry the bookmark information and last heartbeat time for each event
source for each WEF subscription. When an event source reconnects to a WEC server, the last bookmark position
is sent to the device to use as a starting point to resume forwarding events. If a WEF client has no events to
send, the WEF client will connect periodically to send a Heartbeat to the WEC server to indicate it is active. This
heartbeat value can be individually configured for each subscription.
Will WEF work in an IPv4, IPv6, or mixed IPv4/IPv6 environment?
Yes. WEF is transport agnostic and will work over IPv4 or IPv6.
Are WEF events encrypted? I see an HTTP/HTTPS option!
In a domain setting, the connection used to transmit WEF events is encrypted using Kerberos, by default (with
NTLM as a fallback option, which can be disabled by using a GPO). Only the WEF collector can decrypt the
connection. Additionally, the connection between WEF client and WEC server is mutually authenticated
regardless of authentication type (Kerberos or NTLM.) There are GPO options to force Authentication to use
Kerberos Only.
This authentication and encryption is performed regardless if HTTP or HTTPS is selected.
The HTTPS option is available if certificate based authentication is used, in cases where the Kerberos based
mutual authentication isn't an option. The SSL certificate and provisioned client certificates are used to provide
mutual authentication.
Do WEF Clients have a separate buffer for events?
The WEF client machines local event log is the buffer for WEF for when the connection to the WEC server is lost.
To increase the “buffer size”, increase the maximum file size of the specific event log file where events are being
selected. For more info, see Appendix C – Event Channel Settings (enable and Channel Access) methods.
When the event log overwrites existing events (resulting in data loss if the device isn't connected to the Event
Collector), there is no notification sent to the WEF collector that events are lost from the client. Neither is there
an indicator that there was a gap encountered in the event stream.
What format is used for forwarded events?
WEF has two modes for forwarded events. The default is “Rendered Text” which includes the textual description
of the event as you would see it in Event Viewer. This means that the event size is effectively doubled or tripled
depending on the size of the rendered description. The alternative mode is “Events” (also sometimes referred to
as “Binary” format) – which is just the event XML itself sent in binary XML format (as it would be written to the
evtx file.) This is very compact and can more than double the event volume a single WEC server can
accommodate.
A subscription “testSubscription” can be configured to use the Events format through the WECUTIL utility:
Minimize bandwidth This option ensures that the use of network bandwidth for
event delivery is strictly controlled. It is an appropriate
choice if you want to limit the frequency of network
connections made to deliver events. It uses push delivery
mode and sets a batch timeout of 6 hours. In addition, it
uses a heartbeat interval of 6 hours.
Minimize latency This option ensures that events are delivered with minimal
delay. It is an appropriate choice if you are collecting alerts
or critical events. It uses push delivery mode and sets a
batch timeout of 30 seconds.
For more info about delivery options, see Configure Advanced Subscription Settings.
The primary difference is in the latency which events are sent from the client. If none of the built-in options meet
your requirements you can set Custom event delivery options for a given subscription from an elevated
command prompt:
Subscription information
Below lists all of the items that each subscription collects, the actual subscription XML is available in an
Appendix. These are separated out into Baseline and Targeted. The intent is to subscribe all hosts to Baseline, and
then enroll (and remove) hosts on an as needed basis to the Targeted subscription.
Baseline subscription
While this appears to be the largest subscription, it really is the lowest volume on a per-device basis. (Exceptions
should be allowed for unusual devices – a device performing complex developer related tasks can be expected
to create an unusually high volume of process create and AppLocker events.) This subscription doesn't require
special configuration on client devices to enable event channels or modify channel permissions.
The subscription is essentially a collection of query statements applied to the Event Log. This means that it is
modular in nature and a given query statement can be removed or changed without impacting other query
statement in the subscription. Additionally, suppress statements which filter out specific events, only apply
within that query statement and aren't to the entire subscription.
Baseline subscription requirements
To gain the most value out of the baseline subscription we recommend to have the following requirements set
on the device to ensure that the clients are already generating the required events to be forwarded off the
system.
Apply a security audit policy that is a super-set of the recommended minimum audit policy. For more
info, see Appendix A – Minimum Recommended minimum Audit Policy. This ensures that the security
event log is generating the required events.
Apply at least an Audit-Only AppLocker policy to devices.
If you are already allowing or restricting events by using AppLocker, then this requirement is met.
AppLocker events contain extremely useful information, such as file hash and digital signature
information for executables and scripts.
Enable disabled event channels and set the minimum size for modern event files.
Currently, there is no GPO template for enabling or setting the maximum size for the modern event files.
This must be done by using a GPO. For more info, see Appendix C – Event Channel Settings (enable and
Channel Access) methods.
The annotated event query can be found in the following. For more info, see Appendix F – Annotated Suspect
Subscription Event Query.
Anti-malware events from Microsoft Antimalware or Windows Defender. This can be configured for any
given anti-malware product easily if it writes to the Windows event log.
Security event log Process Create events.
AppLocker Process Create events (EXE, script, packaged App installation and execution).
Registry modification events. For more info, see Appendix B – Recommended minimum Registry System
ACL Policy.
OS startup and shutdown
Startup events include operating system version, service pack level, QFE version, and boot mode.
Service install
Includes what the name of the service, the image path, and who installed the service.
Certificate Authority audit events
This is only applicable on systems with the Certificate Authority role installed.
Logs certificate requests and responses.
User profile events
Use of a temporary profile or unable to create a user profile may indicate an intruder is interactively
logging into a device but not wanting to leave a persistent profile behind.
Service start failure
Failure codes are localized, so you have to check the message DLL for values.
Network share access events
Filter out IPC$ and /NetLogon file shares, which are expected and noisy.
System shutdown initiate requests
Find out what initiated the restart of a device.
User initiated interactive logoff event
Remote Desktop Services sessions connect, reconnect, or disconnect.
EMET events, if EMET is installed.
Event forwarding plugin events
For monitoring WEF subscription operations, particularly Partial Success events. This is useful for
diagnosing deployment issues.
Network share creation and deletion
Enables detection of unauthorized share creation.
Logon sessions
Logon success for interactive (local and Remote Interactive/Remote Desktop)
Logon success for services for non-built-in accounts, such as LocalSystem, LocalNetwork, and so on.
Logon success for batch sessions
Logon session close, which is logoff events for non-network sessions.
Windows Error Reporting (Application crash events only)
This can help detect early signs of intruder not familiar with enterprise environment using targeted
malware.
Event log service events
Errors, start events, and stop events for the Windows Event Log service.
Event log cleared (including the Security Event Log)
This could indicate an intruder that is covering their tracks.
Special privileges assigned to new logon
This indicates that at the time of logon a user is either an Administrator or has the sufficient access to
make themselves Administrator.
Outbound Remote Desktop Services session attempts
Visibility into potential beachhead for intruder
System time changed
SMB Client (mapped drive connections)
Account credential validation
Local accounts or domain accounts on domain controllers
A user was added or removed from the local Administrators security group.
Crypto API private key accessed
Associated with signing objects using the locally stored private key.
Task Scheduler task creation and delete
Task Scheduler allows intruders to run code at specified times as LocalSystem.
Logon with explicit credentials
Detect credential use changes by intruders to access more resources.
Smartcard card holder verification events
This detects when a smartcard is being used.
Suspect subscription
This adds some possible intruder-related activity to help analyst further refine their determinations about the
state of the device.
Logon session creation for network sessions
Enables time-series analysis of network graphs.
RADIUS and VPN events
Useful if you use a Microsoft IAS RADIUS/VPN implementation. It shows user-> IP address
assignment with remote IP address connecting to the enterprise.
Crypto API X509 object and build chain events
Detects known bad certificate, CA, or sub-CA
Detects unusual process use of CAPI
Groups assigned to local logon
Gives visibility to groups which enable account-wide access
Allows better planning for remediation efforts
Excludes well known, built-in system accounts.
Logon session exit
Specific for network logon sessions.
Client DNS lookup events
Returns what process performed a DNS query and the results returned from the DNS server.
Process exit
Enables checking for processes terminating unexpectedly.
Local credential validation or logon with explicit credentials
Generated when the local SAM is authoritative for the account credentials being authenticated.
Noisy on domain controllers
On client devices this is only generated when local accounts log on.
Registry modification audit events
Only when a registry value is being created, modified, or deleted.
Wireless 802.1x authentication
Detect wireless connection with a peer MAC address
Windows PowerShell logging
Covers Windows PowerShell 2.0 and later and includes the Windows PowerShell 5.0 logging
improvements for in-memory attacks using Windows PowerShell.
Includes Windows PowerShell remoting logging
User Mode Driver Framework “Driver Loaded” event
Can possibly detect a USB device loading multiple device drivers. For example, a USB_STOR device
loading the keyboard or network driver.
</QueryList>
Applies to:
Windows 10
Learn more about what features and functionality are supported in each Windows edition at Compare
Windows 10 Editions.
To help protect your company from attacks which may originate from untrusted or attacker-controlled font files,
we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that
stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto
your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted
fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the
font file-parsing process.
NOTE
If you aren't quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not
loading untrusted fonts causes any usability or compatibility issues.
Exclude apps to load untrusted fonts. You can exclude specific apps, allowing them to load untrusted
fonts, even while this feature is turned on. For instructions, see Fix apps having problems because of
blocked fonts.
IMPORTANT
Your existing MitigationOptions values should be saved during your update. For example, if the current
value is 1000, your updated value should be 1000000001000.
NOTE
Because the FontType is Memory, there’s no associated FontPath .
NOTE
Because the FontType is File, there’s also an associated FontPath .
NOTE
In Audit mode, the problem is recorded, but the font isn’t blocked.
For example, if you want to exclude Microsoft Word processes, you’d use
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Winword.exe
.
2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts
feature on, using the steps in Turn on and use the Blocking Untrusted Fonts feature, earlier in this article.
Related content
Dropping the “Untrusted Font Blocking” setting
Protect your enterprise data using Windows
Information Protection (WIP)
3/3/2022 • 13 minutes to read • Edit Online
Applies to:
Windows 10, version 1607 and later
Learn more about what features and functionality are supported in each Windows edition at Compare
Windows 10 Editions.
With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data
leak through apps and services, like email, social media, and the public cloud, which are outside of the
enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal
email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public
cloud storage.
Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect
against this potential data leakage without otherwise interfering with the employee experience. WIP also helps
to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal
devices that employees bring to work without requiring changes to your environment or other apps. Finally,
another data protection technology, Azure Rights Management also works alongside WIP to extend data
protection for data that leaves the device, such as when email attachments are sent from an enterprise aware
version of a rights management mail client.
IMPORTANT
While WIP can stop accidental data leaks from honest employees, it is not intended to stop malicious insiders from
removing enterprise data. For more details about the benefits WIP provides, see Why use WIP? later in this topic.
Prerequisites
You’ll need this software to run WIP in your enterprise:
O P ERAT IN G SY ST EM M A N A GEM EN T SO L UT IO N
O P ERAT IN G SY ST EM M A N A GEM EN T SO L UT IO N
-OR-
-OR-
Benefits of WIP
WIP provides:
Obvious separation between personal and corporate data, without requiring employees to switch
environments or apps.
Additional data protection for existing line-of-business apps without a need to update the apps.
Ability to wipe corporate data from Intune MDM enrolled devices while leaving personal data alone.
Use of audit reports for tracking issues and remedial actions.
Integration with your existing management system (Microsoft Intune, Microsoft Endpoint Configuration
Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage
WIP for your company.
NOTE
For management of Surface devices it is recommended that you use the Current Branch of Microsoft Endpoint
Configuration Manager.
Microsoft Endpoint Manager also allows you to revoke enterprise data. However, it does it by performing a
factory reset of the device.
You can set your WIP policy to use 1 of 4 protection and management modes:
M O DE DESC RIP T IO N
Block WIP looks for inappropriate data sharing practices and stops
the employee from completing the action. This can include
sharing enterprise data to non-enterprise-protected apps in
addition to sharing enterprise data between apps or
attempting to share outside of your organization’s network.
Off WIP is turned off and doesn't help to protect or audit your
data.
After you turn off WIP, an attempt is made to decrypt
any WIP-tagged files on the locally attached drives. Be
aware that your previous decryption and policy info isn’t
automatically reapplied if you turn WIP protection back
on.
Next steps
After deciding to use WIP in your enterprise, you need to:
Create a Windows Information Protection (WIP) policy
NOTE
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to
this topic, see Editing Windows IT professional documentation.
Create a Windows Information Protection (WIP)
policy using Microsoft Intune
3/3/2022 • 2 minutes to read • Edit Online
Applies to:
Windows 10, version 1607 and later
Microsoft Intune helps you create and deploy your enterprise data protection (WIP) policy, including letting you
choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
In this section
TO P IC DESC RIP T IO N
Create a Windows Information Protection (WIP) policy using Details about how to use the Azure portal for Microsoft
the Azure portal for Microsoft Intune Intune to create and deploy your WIP policy with MDM
(Mobile Device Management), including letting you choose
your protected apps, your WIP-protection level, and how to
find enterprise data on the network.
Create and verify an Encrypting File System (EFS) Data Steps to create, verify, and perform a quick recovery using a
Recovery Agent (DRA) certificate Encrypting File System (EFS) Data Recovery Agent (DRA)
certificate.
Determine the Enterprise Context of an app running in Use the Task Manager to determine whether an app is
Windows Information Protection (WIP) considered work, personal or exempt by Windows
Information Protection (WIP).
Create a Windows Information Protection (WIP)
policy using the Azure portal for Microsoft Intune
3/3/2022 • 20 minutes to read • Edit Online
Applies to:
Windows 10, version 1607 and later
Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can
choose which apps to protect, the level of protection, and how to find enterprise data on the network. The
devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application
Management (MAM), where Intune manages only the apps on a user's personal device.
Prerequisites
Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure
Active Directory (Azure AD). MAM requires an Azure Active Directory (Azure AD) Premium license. An Azure AD
Premium license is also required for WIP auto-recovery, where a device can re-enroll and regain access to
protected data. WIP auto-recovery relies on Azure AD registration to back up the encryption keys, which
requires device auto-enrollment with MDM.
3. In the App policy screen, select Add a policy , and then fill out the fields:
Name. Type a name (required) for your new policy.
Description. Type an optional description.
Platform. Choose Windows 10 .
Enrollment state. Choose Without enrollment for MAM or With enrollment for MDM.
4. Select Protected apps and then select Add apps .
NOTE
An application might return access denied errors after removing it from the list of protected apps. Rather than remove it
from the list, uninstall and reinstall the application or exempt it from WIP policy.
3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file
that includes the publisher and product name values. For example, run
https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata , where
9nblgggzlxn1 is replaced with your ID value.
The API runs and opens a text editor with the app details.
{
"packageIdentityName": "Microsoft.MicrosoftPowerBIForWindows",
"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond,
S=Washington, C=US"
}
4. Copy the publisherCertificateName value into the Publisher box and copy the packageIdentityName
value into the Name box of Intune.
IMPORTANT
The JSON file might also return a windowsPhoneLegacyId value for both the Publisher Name and Product
Name boxes. This means that you have an app that’s using a XAP package and that you must set the Product
Name as windowsPhoneLegacyId , and set the Publisher Name as CN= followed by the
windowsPhoneLegacyId .
For example:
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
F IEL D M A N A GES
F IEL D M A N A GES
All fields marked as “*” All files signed by any publisher. (Not recommended and may
not work)
Publisher only If you only fill out this field, you’ll get all files signed by the
named publisher. This might be useful if your company is the
publisher and signer of internal line-of-business apps.
Publisher and Name only If you only fill out these fields, you’ll get all files for the
specified product, signed by the named publisher.
Publisher, Name, and File only If you only fill out these fields, you’ll get any version of the
named file or package for the specified product, signed by
the named publisher.
Publisher, Name, File, and Min version only If you only fill out these fields, you’ll get the specified version
or newer releases of the named file or package for the
specified product, signed by the named publisher. This
option is recommended for enlightened apps that weren't
previously enlightened.
Publisher, Name, File, and Max version only If you only fill out these fields, you’ll get the specified version
or older releases of the named file or package for the
specified product, signed by the named publisher.
All fields completed If you fill out all fields, you’ll get the specified version of the
named file or package for the specified product, signed by
the named publisher.
To add another Desktop app, select the ellipsis … . After you’ve entered the info into the fields, select OK .
If you’re unsure about what to include for the publisher, you can run this PowerShell command:
Where "<path_of_the_exe>" goes to the location of the app on the device. For example:
Get-AppLockerFileInformation -Path "C:\Program Files\Windows NT\Accessories\wordpad.exe"
Path Publisher
---- ---------
%PROGRAMFILES%\WINDOWS NT\ACCESSORIES\WORDPAD.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Where O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US is the Publisher name and WORDPAD.EXE is the
File name.
Regarding to how to get the Product Name for the Apps you wish to Add, contact the Windows Support Team to
request the guidelines
Import a list of apps
This section covers two examples of using an AppLocker XML file to the Protected apps list. You’ll use this
option if you want to add multiple apps at the same time.
Create a Packaged App rule for Store apps
Create an Executable rule for unsigned apps
For more info about AppLocker, see the AppLocker content.
Create a Packaged App rule for Store apps
1. Open the Local Security Policy snap-in (SecPol.msc).
2. Expand Application Control Policies , expand AppLocker , and then select Packaged App Rules .
3. Right-click in the right side, and then select Create New Rule .
The Create Packaged app Rules wizard appears.
4. On the Before You Begin page, select Next .
5. On the Permissions page, make sure the Action is set to Allow and the User or group is set to
Ever yone , and then select Next .
6. On the Publisher page, choose Select from the Use an installed packaged app as a reference area.
7. In the Select applications box, pick the app that you want to use as the reference for your rule, and then
select OK . For this example, we’re using Microsoft Dynamics 365.
10. Review the Local Security Policy snap-in to make sure your rule is correct.
11. On the left, right-click on AppLocker , and then select Expor t policy .
The Expor t policy box opens, letting you export and save your new policy as XML.
12. In the Expor t policy box, browse to where the policy should be stored, give the policy a name, and then
select Save .
The policy is saved and you’ll see a message that says one rule was exported from the policy.
Example XML file
This is the XML file that AppLocker creates for Microsoft Dynamics 365.
<?xml version="1.0"?>
<AppLockerPolicy Version="1">
<RuleCollection EnforcementMode="NotConfigured" Type="Appx">
<FilePublisherRule Action="Allow" UserOrGroupSid="S-1-1-0" Description=""
Name="Microsoft.MicrosoftDynamicsCRMforWindows10, version 3.2.0.0 and above, from Microsoft
Corporation" Id="3da34ed9-aec6-4239-88ba-0afdce252ab4">
<Conditions>
<FilePublisherCondition BinaryName="*"
ProductName="Microsoft.MicrosoftDynamicsCRMforWindows10" PublisherName="CN=Microsoft Corporation,
O=Microsoft Corporation, L=Redmond, S=Washington, C=US">
<BinaryVersionRange HighSection="*" LowSection="3.2.0.0"/>
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
<RuleCollection EnforcementMode="NotConfigured" Type="Dll"/>
<RuleCollection EnforcementMode="NotConfigured" Type="Exe"/>
<RuleCollection EnforcementMode="NotConfigured" Type="Msi"/>
<RuleCollection EnforcementMode="NotConfigured" Type="Script"/>
</AppLockerPolicy>
13. After you’ve created your XML file, you need to import it by using Microsoft Intune.
2. Browse to your exported AppLocker policy file, and then select Open .
The file imports and the apps are added to your Protected apps list.
Exempt apps from a WIP policy
If your app is incompatible with WIP, but still needs to be used with enterprise data, then you can exempt the app
from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor
your network restrictions. It also means that your exempted apps might leak.
1. In Client apps - App protection policies , select Exempt apps .
2. In Exempt apps , select Add apps .
When you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data.
3. Fill out the rest of the app info, based on the type of app you’re adding:
Add Recommended apps
Add Store apps
Add Desktop apps
Import apps
4. Select OK .
Off (not recommended) WIP is turned off and doesn't help to protect or audit
your data.
2. Select Save .
3. To add domains, such your email domain names, select Configure Advanced settings > Add network
boundar y and select Protected domains .
Personal applications can access a cloud resource that has a blank space or an invalid character, such as a trailing
dot in the URL.
To add a subdomain for a cloud resource, use a period (.) instead of an asterisk (*). For example, to add all
subdomains within Office.com, use ".office.com" (without the quotation marks).
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t
tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case,
Windows blocks the connection by default. To stop Windows from automatically blocking these connections,
you can add the /*AppCompat*/ string to the setting. For example:
When you use this string, we recommend that you also turn on Azure Active Directory Conditional Access, using
the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud
resources that are protected by conditional access.
Value format with proxy:
contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,contoso.internalproxy2.com
Protected domains
Specify the domains used for identities in your environment. All traffic to the fully qualified domains appearing
in this list will be protected. Separate multiple domains with the "|" delimiter.
exchange.contoso.com|contoso.com|region.contoso.com
Network domains
Specify the DNS suffixes used in your environment. All traffic to the fully qualified domains appearing in this list
will be protected. Separate multiple resources with the "," delimiter.
corp.contoso.com,region.contoso.com
Proxy servers
Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type
indicates that the cloud resources you’re connecting to are enterprise resources.
This list shouldn’t include any servers listed in your Internal proxy servers list. Proxy servers must be used only
for non-WIP-protected (non-enterprise) traffic. Separate multiple resources with the ";" delimiter.
proxy.contoso.com:80;proxy2.contoso.com:443
contoso.internalproxy1.com;contoso.internalproxy2.com
IPv4 ranges
Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your
Network domain names, define your corporate network boundaries. Classless Inter-Domain Routing (CIDR)
notation isn’t supported.
Separate multiple ranges with the "," delimiter.
Star ting IPv4 Address: 3.4.0.1
Ending IPv4 Address: 3.4.255.254
Custom URI: 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254
IPv6 ranges
Starting with Windows 10, version 1703, this field is optional.
Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your network
domain names, define your corporate network boundaries. Classless Inter-Domain Routing (CIDR) notation isn’t
supported.
Separate multiple ranges with the "," delimiter.
Star ting IPv6 Address: 2a01:110::
Ending IPv6 Address: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
Custom URI: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Neutral resources
Specify your authentication redirection endpoints for your company. These locations are considered enterprise
or personal, based on the context of the connection before the redirection. Separate multiple resources with the
"," delimiter.
sts.contoso.com,sts.contoso2.com
IMPORTANT
Using a DRA certificate isn’t mandatory. However, we strongly recommend it. For more info about how to find and export
your data recovery certificate, see Data Recovery and Encrypting File System (EFS). For more info about creating and
verifying your EFS DRA certificate, see Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA)
certificate.
Revoke encr yption keys on unenroll. Determines whether to revoke a user’s local encryption keys from a
device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no
longer has access to encrypted corporate data. The options are:
On, or not configured (recommended). Revokes local encryption keys from a device during
unenrollment.
Off. Stop local encryption keys from being revoked from a device during unenrollment. For example, if
you’re migrating between Mobile Device Management (MDM) solutions.
Show the enterprise data protection icon. Determines whether the Windows Information Protection icon
overlay appears on corporate files in the Save As and File Explorer views. The options are:
On. Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As
and File Explorer views. Also, for unenlightened but protected apps, the icon overlay also appears on the
app tile and with Managed text on the app name in the Star t menu.
Off, or not configured (recommended). Stops the Windows Information Protection icon overlay from
appearing on corporate files or unenlightened, but protected apps. Not configured is the default option.
Use Azure RMS for WIP. Determines whether WIP uses Microsoft Azure Rights Management to apply EFS
encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely
shared with employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS
encryption to files when they're copied to removable drives. You must already have Azure Rights Management
set up. The EFS file encryption key is protected by the RMS template’s license. Only users with permission to that
template can read it from the removable drive. WIP can also integrate with Azure RMS by using the
AllowAzureRMSForEDP and the RMSTemplateIDForEDP MDM settings in the EnterpriseDataProtection
CSP.
On. Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who
can access the Azure Rights Management protected files, and for how long. The RMS template is only
applied to the files on removable media, and is only used for access control—it doesn’t actually apply
Azure Information Protection to the files.
If you don’t specify an RMS template, it’s a regular EFS file using a default RMS template that all users can
access.
Off, or not configured. Stops WIP from encrypting Azure Rights Management files that are copied to a
removable drive.
NOTE
Regardless of this setting, all files in OneDrive for Business will be encrypted, including moved Known Folders.
Allow Windows Search Indexer to search encr ypted files. Determines whether to allow the Windows
Search Indexer to index items that are encrypted, such as WIP protected files.
On. Starts Windows Search Indexer to index encrypted files.
Off, or not configured. Stops Windows Search Indexer from indexing encrypted files.
Related articles
How to collect Windows Information Protection (WIP) audit event logs
General guidance and best practices for Windows Information Protection (WIP)
What is Azure Rights Management?
Create a Windows Information Protection (WIP) protection policy using Microsoft Intune
Intune MAM Without Enrollment
Azure RMS Documentation Update for May 2016
NOTE
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to
this topic, see Editing Windows IT professional documentation.
Deploy your Windows Information Protection (WIP)
policy using the Azure portal for Microsoft Intune
3/3/2022 • 2 minutes to read • Edit Online
Applies to:
Windows 10, version 1607 and later
After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your
organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to
use your managed apps and to sync with your managed content and information.
NOTE
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to
this topic, see Editing Windows IT professional documentation.
Related topics
General guidance and best practices for Windows Information Protection (WIP)
Associate and deploy a VPN policy for Windows
Information Protection (WIP) using Endpoint
Manager
3/3/2022 • 2 minutes to read • Edit Online
Applies to:
Windows 10, version 1607 and later
After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft
Intune to associate and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
NOTE
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to
this topic, see Editing Windows IT professional documentation.
Create and verify an Encrypting File System (EFS)
Data Recovery Agent (DRA) certificate
3/3/2022 • 5 minutes to read • Edit Online
Applies to:
Windows 10, version 1607 and later
If you don't already have an EFS DRA certificate, you'll need to create and extract one from your system before
you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your
organization. For the purposes of this section, we'll use the file name EFSDRA; however, this name can be
replaced with anything that makes sense to you.
IMPORTANT
If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current
EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to
deploy DRA certificates, see the Security Watch Deploying EFS: Part 1 article on TechNet. For more general info about EFS
protection, see Protecting Data by Using EFS to Encrypt Hard Drives.
If your DRA certificate has expired, you won't be able to encrypt your files with it. To fix this, you'll need to create a new
certificate, using the steps in this topic, and then deploy it through policy.
cipher /r:EFSRA
Where EFSRA is the name of the .cer and .pfx files that you want to create.
3. When prompted, type and confirm a password to help protect your new Personal Information Exchange
(.pfx) file.
The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1.
IMPORTANT
Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them
accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong
protection for normal use and master copies in a secured physical location.
4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or
Microsoft Endpoint Configuration Manager.
NOTE
This certificate can be used in Intune for policies both with device enrollment (MDM) and without device
enrollment (MAM).
cipher /c filename
Recover your data using the EFS DRA certificate in a test environment
1. Copy your WIP-encrypted file to a location where you have admin access.
2. Install the EFSDRA.pfx file, using its password.
3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this
command:
cipher /d encryptedfile.extension
Where encryptedfile.extension is the name of your encrypted file. For example, corporatedata.docx .
IMPORTANT
To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this
process after the employee has re-enrolled the device.
1. Have the employee sign in to the unenrolled device, open an elevated command prompt, and type:
Where "new_location" is in a different directory. This can be on the employee's device or on a shared
folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while
you're logged in as a data recovery agent.
To start Robocopy in S mode, open Task Manager. Click File > Run new task , type the command, and
click Create this task with administrative privileges .
If the employee performed a clean installation and there is no user profile, you need to recover the keys
from the System Volume folder in each drive. Type:
2. Sign in to a different device with administrator credentials that have access to your organization's DRA
certificate, and perform the file decryption and recovery by typing:
cipher.exe /D "new_location"
After signing in, the necessary WIP key info is automatically downloaded and employees are able to access the
files again.
To test what the employee sees during the WIP key recovery process
1. Attempt to open a work file on an unenrolled device.
The Connect to Work to access work files box appears.
2. Click Connect .
The Access work or school settings page appears.
3. Sign-in to Azure AD as the employee and verify that the files now open
Related topics
Security Watch Deploying EFS: Part 1
Protecting Data by Using EFS to Encrypt Hard Drives
Create a Windows Information Protection (WIP) policy using Microsoft Intune
Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager
Creating a Domain-Based Recovery Agent
NOTE
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to
this topic, see Contributing to this article.
Determine the Enterprise Context of an app running
in Windows Information Protection (WIP)
3/3/2022 • 2 minutes to read • Edit Online
Applies to:
Windows 10, version 1607 and later
Learn more about what features and functionality are supported in each Windows edition at Compare
Windows 10 Editions.
Use Task Manager to check the context of your apps while running in Windows Information Protection (WIP) to
make sure that your organization's policies are applied and running correctly.
3. Scroll down and check the Enterprise Context option, and then click OK to close the box.
The Enterprise Context column should now be available in Task Manager.
Review the Enterprise Context
The Enterprise Context column shows you what each app can do with your enterprise data:
Domain. Shows the employee's work domain (such as, corp.contoso.com). This app is considered work-
related and can freely touch and open work data and resources.
Personal. Shows the text, Personal. This app is considered non-work-related and can't touch any work
data or resources.
Exempt. Shows the text, Exempt. WIP policies don't apply to these apps (such as, system components).
IMPORTANT
Enlightened apps can change between Work and Personal, depending on the data being touched. For example,
Microsoft Word 2016 shows as Personal when an employee opens a personal letter, but changes to Work when
that same employee opens the company financials.
Create a Windows Information Protection (WIP)
policy using Microsoft Endpoint Configuration
Manager
3/3/2022 • 2 minutes to read • Edit Online
Applies to:
Windows 10, version 1607 and later
Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy, including
letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the
network.
In this section
TO P IC DESC RIP T IO N
Create and deploy a Windows Information Protection (WIP) Microsoft Endpoint Manager helps you create and deploy
policy using Microsoft Endpoint Configuration Manager your WIP policy, including letting you choose your protected
apps, your WIP-protection level, and how to find enterprise
data on the network.
Create and verify an Encrypting File System (EFS) Data Steps to create, verify, and perform a quick recovery using a
Recovery Agent (DRA) certificate Encrypting File System (EFS) Data Recovery Agent (DRA)
certificate.
Determine the Enterprise Context of an app running in Use the Task Manager to determine whether an app is
Windows Information Protection (WIP) considered work, personal or exempt by Windows
Information Protection (WIP).
Create and deploy a Windows Information
Protection (WIP) policy using Microsoft Endpoint
Configuration Manager
3/3/2022 • 20 minutes to read • Edit Online
Applies to:
Windows 10, version 1607 and later
Microsoft Endpoint Configuration Manager
Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy,
including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data
on the network.
TIP
Review the Limitations while using Windows Information Protection (WIP) article before creating a new configuration item
to avoid common issues.
6. On the Device Settings screen, click Windows Information Protection , and then click Next .
The Configure Windows Information Protection settings page appears, where you'll configure your policy
for your organization.
IMPORTANT
Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid
encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and
WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause
data loss during the revocation process.
Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding
it to your App rules list. If you don't get this statement, it's possible that you could experience app compat issues due to
an app losing the ability to access a necessary file after revocation.
2. Add a friendly name for your app into the Title box. In this example, it's Microsoft OneNote.
3. Click Allow from the Windows Information Protection mode drop-down list.
Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP
restrictions. If you want to exempt an app, you can follow the steps in the Exempt apps from WIP
restrictions section.
4. Pick Store App from the Rule template drop-down list.
The box changes to show the store app rule options.
5. Type the name of the app and the name of its publisher, and then click OK . For this UWP app example, the
Publisher is CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US and the
Product name is Microsoft.Office.OneNote .
If you don't know the publisher or product name, you can find them for both desktop devices by following these
steps.
To find the Publisher and Product Name values for Store apps without installing them
1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote.
NOTE
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in
to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in
Add an AppLocker policy file in this article.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is
https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, 9wzdncrfhvjl
.
3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file
that includes the publisher and product name values. For example, run
https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where
9wzdncrfhvjl is replaced with your ID value.
The API runs and opens a text editor with the app details.
{
"packageIdentityName": "Microsoft.Office.OneNote",
"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond,
S=Washington, C=US"
}
4. Copy the publisherCertificateName value and paste them into the Publisher Name box, copy the
packageIdentityName value into the Product Name box of Intune.
IMPORTANT
The JSON file might also return a windowsPhoneLegacyId value for both the Publisher Name and Product
Name boxes. This means that you have an app that's using a XAP package and that you must set the Product
Name as windowsPhoneLegacyId , and set the Publisher Name as "CN=" followed by the
windowsPhoneLegacyId .
For example:
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
O P T IO N M A N A GES
All fields left as "*" All files signed by any publisher. (Not recommended.)
Publisher and Product Name selected All files for the specified product, signed by the named
publisher.
Publisher , Product Name , and Binar y name selected Any version of the named file or package for the
specified product, signed by the named publisher.
Publisher , Product Name , Binar y name , and File Specified version or newer releases of the named file or
Version, and above , selected package for the specified product, signed by the named
publisher.This option is recommended for enlightened
apps that weren't previously enlightened.
Publisher , Product Name , Binar y name , and File Specified version or older releases of the named file or
Version, And below selected package for the specified product, signed by the named
publisher.
O P T IO N M A N A GES
Publisher , Product Name , Binar y name , and File Specified version of the named file or package for the
Version, Exactly selected specified product, signed by the named publisher.
If you're unsure about what to include for the publisher, you can run this PowerShell command:
Where "<path of the exe>"goes to the location of the app on the device. For example,
Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe" .
Path Publisher
---- ---------
%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON,
C=US\INTERNET EXPLOR...
Where the text, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US is the publisher name to enter in the
Publisher Name box.
Add an AppLocker policy file
For this example, we're going to add an AppLocker XML file to the App Rules list. You'll use this option if you
want to add multiple apps at the same time. For more info about AppLocker, see the AppLocker content.
To create an app rule and xml file using the AppLocker tool
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left pane, expand Application Control Policies , expand AppLocker , and then click Packaged
App Rules .
3. Right-click in the right-hand pane, and then click Create New Rule .
The Create Packaged app Rules wizard appears.
4. On the Before You Begin page, click Next .
5. On the Permissions page, make sure the Action is set to Allow and the User or group is set to
Ever yone , and then click Next .
6. On the Publisher page, click Select from the Use an installed packaged app as a reference area.
7. In the Select applications box, pick the app that you want to use as the reference for your rule, and then
click OK . For this example, we're using Microsoft Photos.
9. Review the Local Security Policy snap-in to make sure your rule is correct.
10. In the left pane, right-click on AppLocker , and then click Expor t policy .
The Expor t policy box opens, letting you export and save your new policy as XML.
11. In the Expor t policy box, browse to where the policy should be stored, give the policy a name, and then
click Save .
The policy is saved and you'll see a message that says 1 rule was exported from the policy.
Example XML file
This is the XML file that AppLocker creates for Microsoft Photos.
<AppLockerPolicy Version="1">
<RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Msi" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Script" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Dll" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Appx" EnforcementMode="NotConfigured">
<FilePublisherRule Id="5e0c752b-5921-4f72-8146-80ad5f582110" Name="Microsoft.Windows.Photos,
version 16.526.0.0 and above, from Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft
Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.Photos" BinaryName="*">
<BinaryVersionRange LowSection="16.526.0.0" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
</AppLockerPolicy>
12. After you've created your XML file, you need to import it by using Configuration Manager.
To impor t your Applocker policy file app rule using Configuration Manager
1. From the App rules area, click Add .
The Add app rule box appears.
2. Add a friendly name for your app into the Title box. In this example, it's Allowed app list.
3. Click Allow from the Windows Information Protection mode drop-down list.
Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP
restrictions. If you want to exempt an app, you can follow the steps in the Exempt apps from WIP
restrictions section.
4. Pick the AppLocker policy file from the Rule template drop-down list.
The box changes to let you import your AppLocker XML policy file.
5. Click the ellipsis (...) to browse for your AppLocker XML file, click Open , and then click OK to close the
Add app rule box.
The file is imported and the apps are added to your App Rules list.
Exempt apps from WIP restrictions
If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used
with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include
auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps
might leak.
To exempt a store app, a desktop app, or an AppLocker policy file app rule
1. From the App rules area, click Add .
The Add app rule box appears.
2. Add a friendly name for your app into the Title box. In this example, it's Exempt apps list.
3. Click Exempt from the Windows Information Protection mode drop-down list.
Be aware that when you exempt apps, they're allowed to bypass the WIP restrictions and access your
corporate data. To allow apps, see Add app rules to your policy in this article.
4. Fill out the rest of the app rule info, based on the type of rule you're adding:
Store app. Follow the Publisher and Product name instructions in the Add a store app rule to
your policy section of this topic.
Desktop app. Follow the Publisher , Product name , Binar y name , and Version instructions in
the Add a desktop app rule to your policy section of this topic.
AppLocker policy file. Follow the Impor t instructions in the Add an AppLocker policy file
section of this topic, using a list of exempted apps.
5. Click OK .
NOTE
For info about how to collect your audit log files, see How to collect Windows Information Protection (WIP) audit event
logs.
M O DE DESC RIP T IO N
Block WIP looks for inappropriate data sharing practices and stops
the employee from completing the action. This can include
sharing info across non-enterprise-protected apps in
addition to sharing enterprise data between other people
and devices outside of your enterprise.
Off (not recommended) WIP is turned off and doesn't help to protect or audit your
data.
After you turn off WIP, an attempt is made to decrypt
any WIP-tagged files on the locally attached drives. Be
aware that your previous decryption and policy info isn't
automatically reapplied if you turn WIP protection back
on.
IMPORTANT
Every WIP policy should include policy that defines your enterprise network locations.
Classless Inter-Domain Routing (CIDR) notation isn't supported for WIP configurations.
To define where your protected apps can find and send enterprise data on you network
1. Add additional network locations your apps can access by clicking Add .
The Add or edit corporate network definition box appears.
2. Type a name for your corporate network element into the Name box, and then pick what type of network
element it is, from the Network element drop-down box. This can include any of the options in the
following table.
Enterprise Cloud Resources : Specify the cloud resources to be treated as corporate and
protected by WIP.
For each cloud resource, you may also optionally specify a proxy server from your Internal proxy
servers list to route traffic for this cloud resource. Be aware that all traffic routed through your
Internal proxy servers is considered enterprise.
If you have multiple resources, you must separate them using the | delimiter. If you don't use
proxy servers, you must also include the , delimiter just before the | . For example: URL
<,proxy>|URL <,proxy> .
Format examples :
With proxy :
contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,contoso.internalproxy2.com
IMPORTANT
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows
can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this
case, Windows blocks the connection by default. To stop Windows from automatically blocking these
connections, you can add the /AppCompat/ string to the setting. For example: URL <,proxy>|URL
<,proxy>|/AppCompat/.
Enterprise Network Domain Names (Required) : Specify the DNS suffixes used in your
environment. All traffic to the fully-qualified domains appearing in this list will be protected.
This setting works with the IP ranges settings to detect whether a network endpoint is enterprise
or personal on private networks.
If you have multiple resources, you must separate them using the "," delimiter.
Format examples : corp.contoso.com,region.contoso.com
Proxy ser vers : Specify the proxy servers your devices will go through to reach your cloud
resources. Using this server type indicates that the cloud resources you're connecting to are
enterprise resources.
This list shouldn't include any servers listed in your Internal proxy servers list. Internal proxy
servers must be used only for WIP-protected (enterprise) traffic.
If you have multiple resources, you must separate them using the ";" delimiter.
Format examples : proxy.contoso.com:80;proxy2.contoso.com:443
Internal proxy ser vers : Specify the internal proxy servers your devices will go through to reach
your cloud resources. Using this server type indicates that the cloud resources you're connecting
to are enterprise resources.
This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used
only for non-WIP-protected (non-enterprise) traffic.
If you have multiple resources, you must separate them using the ";" delimiter.
Format examples : contoso.internalproxy1.com;contoso.internalproxy2.com
Enterprise IPv4 Range (Required) : Specify the addresses for a valid IPv4 value range within
your intranet. These addresses, used with your Enterprise Network Domain Names, define your
corporate network boundaries.
If you have multiple ranges, you must separate them using the "," delimiter.
Format examples :
Star ting IPv4 Address: 3.4.0.1
Ending IPv4 Address: 3.4.255.254
Custom URI: 3.4.0.1-3.4.255.254, 10.0.0.1-10.255.255.254
Enterprise IPv6 Range : Specify the addresses for a valid IPv6 value range within your intranet.
These addresses, used with your Enterprise Network Domain Names, define your corporate
network boundaries.
If you have multiple ranges, you must separate them using the "," delimiter.
Format examples :
Star ting IPv6 Address: 2a01:110::
Ending IPv6 Address: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
Custom URI:
2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Neutral Resources : Specify your authentication redirection endpoints for your company. These
locations are considered enterprise or personal, based on the context of the connection before the
redirection.
If you have multiple resources, you must separate them using the "," delimiter.
Format examples : sts.contoso.com,sts.contoso2.com
Related topics
How to collect Windows Information Protection (WIP) audit event logs
General guidance and best practices for Windows Information Protection (WIP)
Limitations while using Windows Information Protection (WIP)
Create and verify an Encrypting File System (EFS)
Data Recovery Agent (DRA) certificate
3/3/2022 • 5 minutes to read • Edit Online
Applies to:
Windows 10, version 1607 and later
If you don't already have an EFS DRA certificate, you'll need to create and extract one from your system before
you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your
organization. For the purposes of this section, we'll use the file name EFSDRA; however, this name can be
replaced with anything that makes sense to you.
IMPORTANT
If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current
EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to
deploy DRA certificates, see the Security Watch Deploying EFS: Part 1 article on TechNet. For more general info about EFS
protection, see Protecting Data by Using EFS to Encrypt Hard Drives.
If your DRA certificate has expired, you won't be able to encrypt your files with it. To fix this, you'll need to create a new
certificate, using the steps in this topic, and then deploy it through policy.
cipher /r:EFSRA
Where EFSRA is the name of the .cer and .pfx files that you want to create.
3. When prompted, type and confirm a password to help protect your new Personal Information Exchange
(.pfx) file.
The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1.
IMPORTANT
Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them
accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong
protection for normal use and master copies in a secured physical location.
4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or
Microsoft Endpoint Configuration Manager.
NOTE
This certificate can be used in Intune for policies both with device enrollment (MDM) and without device
enrollment (MAM).
cipher /c filename
Recover your data using the EFS DRA certificate in a test environment
1. Copy your WIP-encrypted file to a location where you have admin access.
2. Install the EFSDRA.pfx file, using its password.
3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this
command:
cipher /d encryptedfile.extension
Where encryptedfile.extension is the name of your encrypted file. For example, corporatedata.docx .
IMPORTANT
To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this
process after the employee has re-enrolled the device.
1. Have the employee sign in to the unenrolled device, open an elevated command prompt, and type:
Where "new_location" is in a different directory. This can be on the employee's device or on a shared
folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while
you're logged in as a data recovery agent.
To start Robocopy in S mode, open Task Manager. Click File > Run new task , type the command, and
click Create this task with administrative privileges .
If the employee performed a clean installation and there is no user profile, you need to recover the keys
from the System Volume folder in each drive. Type:
2. Sign in to a different device with administrator credentials that have access to your organization's DRA
certificate, and perform the file decryption and recovery by typing:
cipher.exe /D "new_location"
After signing in, the necessary WIP key info is automatically downloaded and employees are able to access the
files again.
To test what the employee sees during the WIP key recovery process
1. Attempt to open a work file on an unenrolled device.
The Connect to Work to access work files box appears.
2. Click Connect .
The Access work or school settings page appears.
3. Sign-in to Azure AD as the employee and verify that the files now open
Related topics
Security Watch Deploying EFS: Part 1
Protecting Data by Using EFS to Encrypt Hard Drives
Create a Windows Information Protection (WIP) policy using Microsoft Intune
Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager
Creating a Domain-Based Recovery Agent
NOTE
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to
this topic, see Contributing to this article.
Determine the Enterprise Context of an app running
in Windows Information Protection (WIP)
3/3/2022 • 2 minutes to read • Edit Online
Applies to:
Windows 10, version 1607 and later
Learn more about what features and functionality are supported in each Windows edition at Compare
Windows 10 Editions.
Use Task Manager to check the context of your apps while running in Windows Information Protection (WIP) to
make sure that your organization's policies are applied and running correctly.
3. Scroll down and check the Enterprise Context option, and then click OK to close the box.
The Enterprise Context column should now be available in Task Manager.
Review the Enterprise Context
The Enterprise Context column shows you what each app can do with your enterprise data:
Domain. Shows the employee's work domain (such as, corp.contoso.com). This app is considered work-
related and can freely touch and open work data and resources.
Personal. Shows the text, Personal. This app is considered non-work-related and can't touch any work
data or resources.
Exempt. Shows the text, Exempt. WIP policies don't apply to these apps (such as, system components).
IMPORTANT
Enlightened apps can change between Work and Personal, depending on the data being touched. For example,
Microsoft Word 2016 shows as Personal when an employee opens a personal letter, but changes to Work when
that same employee opens the company financials.
Mandatory tasks and settings required to turn on
Windows Information Protection (WIP)
3/3/2022 • 2 minutes to read • Edit Online
Applies to:
Windows 10, version 1607 and later
This list provides all of the tasks and settings that are required for the operating system to turn on Windows
Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise.
TA SK DESC RIP T IO N
Add at least one app to the Protected apps list in your You must have at least one app added to your Protected
WIP policy. apps list. For more info about where this area is and how to
add apps, see the Add apps to your Protected apps list
section of the policy creation topics.
Choose your WIP protection level. You must choose the level of protection you want to apply
to your WIP-protected content, including Allow Overrides ,
Silent , or Block . For more info about where this area is and
how to decide on your protection level, see the Manage the
WIP protection mode for your enterprise data section of the
policy creation topics. For info about how to collect your
audit log files, see How to collect Windows Information
Protection (WIP) audit event logs.
Specify your corporate identity. This field is automatically filled out for you by Microsoft
Intune. However, you must manually correct it if it’s incorrect
or if you need to add additional domains. For more info
about where this area is and what it means, see the Define
your enterprise-managed corporate identity section
of the policy creation topics.
Specify your network domain names. Starting with Windows 10, version 1703, this field is
optional.
Specify your enterprise IPv4 or IPv6 ranges. Starting with Windows 10, version 1703, this field is
optional.
Include your Data Recovery Agent (DRA) certificate. Starting with Windows 10, version 1703, this field is
optional. But we strongly recommend that you add a
certificate.
NOTE
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to
this topic, see Editing Windows IT professional documentation.
Testing scenarios for Windows Information
Protection (WIP)
3/3/2022 • 6 minutes to read • Edit Online
Applies to:
Windows 10, version 1607 and later
We've come up with a list of suggested testing scenarios that you can use to test Windows Information
Protection (WIP) in your company.
Testing scenarios
You can try any of the processes included in these scenarios, but you should focus on the ones that you might
encounter in your organization.
IMPORTANT
If any of these scenarios does not work, first take note of whether WIP has been revoked. If it has, unenlightened apps
will have to be uninstalled and re-installed since their settings files will remain encrypted.
2. In File Explorer, right-click the same document, and then click Personal from the File Ownership
menu.
Make sure the file is decrypted by right-clicking the file again, clicking Advanced from the
General tab, and then verifying that the Details button is unavailable.
Create work documents in enterprise-allowed apps : Start an unenlightened but allowed app, such
as a line-of-business app, and then create a new document, saving your changes.
Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and
require you to close and re-open the file.
IMPORTANT
Certain file types like .exe and .dll , along with certain file paths, such as %windir% and %programfiles%
are excluded from automatic encryption.
For more info about your Enterprise Identity and adding apps to your allowed apps list, see either Create
a Windows Information Protection (WIP) policy using Microsoft Intune or Create a Windows Information
Protection (WIP) policy using Microsoft Endpoint Configuration Manager, based on your deployment
system.
Block enterprise data from non-enterprise apps :
1. Start an app that doesn't appear on your allowed apps list, and then try to open a work-encrypted
file.
The app shouldn't be able to access the file.
2. Try double-clicking or tapping on the work-encrypted file. If your default app association is an app
not on your allowed apps list, you should get an Access Denied error message.
Copy and paste from enterprise apps to non-enterprise apps :
1. Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the
content into an app that doesn't appear on your allowed apps list.
You should see a WIP-related warning box, asking you to click either Change to personal or
Keep at work .
2. Click Keep at work . The content isn't pasted into the non-enterprise app.
3. Repeat Step 1, but this time click Change to personal , and try to paste the content again.
The content is pasted into the non-enterprise app.
4. Try copying and pasting content between apps on your allowed apps list. The content should copy
and paste between apps without any warning messages.
Drag and drop from enterprise apps to non-enterprise apps :
1. Drag content from an app on your allowed apps list, and then try to drop the content into an app
that doesn't appear on your allowed apps list.
You should see a WIP-related warning box, asking you to click either Keep at work or Change to
personal .
2. Click Keep at work . The content isn't dropped into the non-enterprise app.
3. Repeat Step 1, but this time click Change to personal , and try to drop the content again.
The content is dropped into the non-enterprise app.
4. Try dragging and dropping content between apps on your allowed apps list. The content should
move between the apps without any warning messages.
Share between enterprise apps and non-enterprise apps :
1. Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app
that doesn't appear on your allowed apps list, like Facebook.
You should see a WIP-related warning box, asking you to click either Keep at work or Change to
personal .
2. Click Keep at work . The content isn't shared into Facebook.
3. Repeat Step 1, but this time click Change to personal , and try to share the content again.
The content is shared into Facebook.
4. Try sharing content between apps on your allowed apps list. The content should share between the
apps without any warning messages.
Verify that Windows system components can use WIP :
1. Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
Make sure that all of the files you worked with are encrypted to your configured Enterprise
Identity. In some cases, you might need to close the file and wait a few moments for it to be
automatically encrypted.
2. Open File Explorer and make sure your modified files are appearing with a Lock icon.
3. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps
that appear both on and off the allowed apps list.
NOTE
Most Windows-signed components like File Explorer (when running in the user's context), should have
access to enterprise data.
A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and
Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
NOTE
Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is
automatically marked as Work .
Verify your Vir tual Private Network (VPN) can be auto-triggered :
1. Set up your VPN network to start based on the WIPModeID setting. For specific info, see Create
and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune.
2. Start an app from your allowed apps list. The VPN network should automatically start.
3. Disconnect from your network and then start an app that isn't on your allowed apps list.
The VPN shouldn't start and the app shouldn't be able to access your enterprise network.
Unenroll client devices from WIP : Unenroll a device from WIP by going to Settings , click Accounts ,
click Work , click the name of the device you want to unenroll, and then click Remove .
The device should be removed and all of the enterprise content for that managed account should be
gone.
IMPORTANT
On client devices, the data isn't removed and can be recovered. So, you must make sure the content is marked as
Revoked and that access is denied for the employee.
NOTE
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute, see
Editing Windows IT professional documentation.
Limitations while using Windows Information
Protection (WIP)
3/3/2022 • 8 minutes to read • Edit Online
Applies to:
Windows 10, version 1607 and later
This following list provides info about the most common problems you might encounter while running WIP in
your organization.
Limitation : Your enterprise data on USB drives might be tied to the device it was protected on, based on
your Azure RMS configuration.
How it appears :
If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on
computers running Windows 10, version 1703.
If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes
inaccessible on other devices and for other users. For example, the file won't open or the file
opens, but doesn't contain readable text.
Workaround : Share files with fellow employees through enterprise file servers or enterprise
cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will
be audited.
We strongly recommend educating employees about how to limit or eliminate the need for this
decryption.
Limitation : Direct Access is incompatible with WIP.
How it appears : Direct Access might experience problems with how WIP enforces app behavior
and data movement because of how WIP determines what is and isn’t a corporate network
resource.
Workaround : We recommend that you use VPN for client access to your intranet resources.
NOTE
VPN is optional and isn’t required by WIP.
Limitation : NetworkIsolation Group Policy setting takes precedence over MDM Policy settings.
How it appears : The NetworkIsolation Group Policy setting can configure network settings that
can also be configured by using MDM. WIP relies on these policies being correctly configured.
Workaround : If you use both Group Policy and MDM to configure your NetworkIsolation settings,
you must make sure that those same settings are deployed to your organization using both Group
Policy and MDM.
Limitation : Cortana can potentially allow data leakage if it’s on the allowed apps list.
How it appears : If Cortana is on the allowed list, some files might become unexpectedly encrypted
after an employee performs a search using Cortana. Your employees will still be able to use Cortana
to search and provide results on enterprise documents and locations, but results might be sent to
Microsoft.
Workaround : We don’t recommend adding Cortana to your allowed apps list. However, if you wish
to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana
an Exempt app.
Limitation : WIP is designed for use by a single user per device.
How it appears : A secondary user on a device might experience app compatibility issues when
unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled
user’s content can be revoked during the unenrollment process.
Workaround : We recommend only having one user per managed device.
Limitation : Installers copied from an enterprise network file share might not work properly.
How it appears : An app might fail to properly install because it can’t read a necessary configuration
or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action.
Workaround : To fix this, you can:
Start the installer directly from the file share.
OR
Decrypt the locally copied files needed by the installer.
OR
Mark the file share with the installation media as “personal”. To do this, you’ll need to set the
Enterprise IP ranges as Authoritative and then exclude the IP address of the file server, or
you’ll need to put the file server on the Enterprise Proxy Server list.
Limitation : Changing your primary Corporate Identity isn’t supported.
How it appears : You might experience various instabilities, including but not limited to network and
file access failures, and potentially granting incorrect access.
Workaround : Turn off WIP for all devices before changing the primary Corporate Identity (first entry
in the list), restarting, and finally redeploying.
Limitation : Redirected folders with Client-Side Caching are not compatible with WIP.
How it appears : Apps might encounter access errors while attempting to read a cached, offline
file.
Workaround : Migrate to use another file synchronization method, such as Work Folders or
OneDrive for Business.
NOTE
For more info about Work Folders and Offline Files, see the Work Folders and Offline Files support for
Windows Information Protection blog. If you're having trouble opening files offline while using Offline Files
and WIP, see Can't open files offline when you use Offline Files and Windows Information Protection.
Limitation : An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-
managed device.
How it appears :
Data copied from the WIP-managed device is marked as Work .
Data copied to the WIP-managed device is not marked as Work .
Local Work data copied to the WIP-managed device remains Work data.
Work data that is copied between two apps in the same session remains ** data.
Workaround : Disable RDP to prevent access because there is no way to restrict access to only
devices managed by WIP. RDP is disabled by default.
Limitation : You can't upload an enterprise file to a personal location using Microsoft Edge or Internet
Explorer.
How it appears : A message appears stating that the content is marked as Work and the user isn't
given an option to override to Personal .
Workaround : Open File Explorer and change the file ownership to Personal before you upload.
Limitation : ActiveX controls should be used with caution.
How it appears : Webpages that use ActiveX controls can potentially communicate with other
outside processes that aren’t protected by using WIP.
Workaround : We recommend that you switch to using Microsoft Edge, the more secure and safer
browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of
Internet Explorer 11 to only those line-of-business apps that require legacy technology.
For more info, see Out-of-date ActiveX control blocking.
Limitation : Resilient File System (ReFS) isn't currently supported with WIP.
How it appears :Trying to save or transfer WIP files to ReFS will fail.
Workaround : Format drive for NTFS, or use a different drive.
Limitation : WIP isn’t turned on if any of the following folders have the
MakeFolderAvailableOfflineDisabled option set to False :
AppDataRoaming
Desktop
StartMenu
Documents
Pictures
Music
Videos
Favorites
Contacts
Downloads
Links
Searches
SavedGames
How it appears : WIP isn’t turned on for employees in your organization. Error code 0x807c0008
will result if WIP is deployed by using Microsoft Endpoint Configuration Manager.
Workaround : Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of
the specified folders. You can configure this parameter, as described Disable Offline Files on
individual redirected folders.
If you currently use redirected folders, we recommend that you migrate to a file synchronization
solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you
apply redirected folders after WIP is already in place, you might be unable to open your files
offline.
For more info about these potential access errors, see Can't open files offline when you use Offline
Files and Windows Information Protection.
Limitation : Only enlightened apps can be managed without device enrollment
How it appears : If a user enrolls a device for Mobile Application Management (MAM) without
device enrollment, only enlightened apps will be managed. This is by design to prevent personal
files from being unintentionally encrypted by unenlighted apps.
Unenlighted apps that need to access work using MAM need to be re-compiled as LOB apps or
managed by using MDM with device enrollment.
Workaround : If all apps need to be managed, enroll the device for MDM.
Limitation : By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted
because they need to be accessed by any user. If a file in the Windows directory gets encrypted by one
user, other users can't access it.
How it appears : Any attempt to encrypt a file in the Windows directory will return a file access
denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain
encryption to honor the intent of the owner.
Workaround : If you need to save an encrypted file in the Windows directory, create and encrypt the
file in a different directory and copy it.
Limitation : OneNote notebooks on OneDrive for Business must be properly configured to work with
WIP.
How it appears : OneNote might encounter errors syncing a OneDrive for Business notebook and
suggest changing the file ownership to Personal. Attempting to view the notebook in OneNote
Online in the browser will show an error and unable to view it.
Workaround : OneNote notebooks that are newly copied into the OneDrive for Business folder
from File Explorer should get fixed automatically. To do this, follow these steps:
1. Close the notebook in OneNote.
2. Move the notebook folder via File Explorer out of the OneDrive for Business folder to another
location, such as the Desktop.
3. Copy the notebook folder and Paste it back into the OneDrive for Business folder.
Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder
should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook
in the browser, which can then be opened in the OneNote client by using the “Open in app” button.
Limitation : Microsoft Office Outlook offline data files (PST and OST files) are not marked as Work files,
and are therefore not protected.
How it appears : If Microsoft Office Outlook is set to work in cached mode (default setting), or if
some emails are stored in a local PST file, the data is unprotected.
Workaround : It is recommended to use Microsoft Office Outlook in Online mode, or to use
encryption to protect OST and PST files manually.
NOTE
When corporate data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it
and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer
will not work for encrypted files.
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to
contribute to this topic, see Contributing to our content.
How to collect Windows Information Protection
(WIP) audit event logs
3/3/2022 • 6 minutes to read • Edit Online
Applies to:
Windows 10, version 1607 and later
Windows Information Protection (WIP) creates audit events in the following situations:
If an employee changes the File ownership for a file from Work to Personal .
If data is marked as Work , but shared to a personal app or webpage. For example, through copying and
pasting, dragging and dropping, sharing a contact, uploading to a personal webpage, or if the user grants
a personal app provides temporary access to a work file.
If an app has custom audit events.
NOTE
The Data element in the response includes the requested audit logs in an XML-encoded format.
Note
Reserved for future use to collect the
user justification for changing from
Work to Personal.
Examples
Here are a few examples of responses from the Reporting CSP.
File ownership on a file is changed from work to personal
<SyncML><SyncHdr/><SyncBody><Status><CmdID>1</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd>
<Data>200</Data></Status><Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>2</CmdRef><Cmd>Replace</Cmd>
<Data>200</Data></Status><Status><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Cmd>Get</Cmd>
<Data>200</Data></Status><Results><CmdID>4</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Item><Source>
<LocURI>./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs</LocURI></Source><Meta>
<Format xmlns="syncml:metinf">xml</Format></Meta><Data><?xml version="1.0" encoding="utf-8"?>
<Reporting Version="com.contoso/2.0/MDM/Reporting">
<User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com">
<Log ProviderType="EDPAudit" LogType="ProtectionRemoved" TimeStamp="131357166318347527">
<Policy>Protection removed</Policy>
<Justification>NULL</Justification>
<FilePath>C:\Users\TestUser\Desktop\tmp\demo\Work document.docx</FilePath>
</Log>
</User>
</Reporting></Data></Item></Results><Final/></SyncBody></SyncML>
<SyncML><SyncHdr/><SyncBody><Status><CmdID>1</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd>
<Data>200</Data></Status><Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>2</CmdRef><Cmd>Replace</Cmd>
<Data>200</Data></Status><Status><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Cmd>Get</Cmd>
<Data>200</Data></Status><Results><CmdID>4</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Item><Source>
<LocURI>./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs</LocURI></Source><Meta>
<Format xmlns="syncml:metinf">xml</Format></Meta><Data><?xml version="1.0" encoding="utf-8"?>
<Reporting Version="com.contoso/2.0/MDM/Reporting">
<User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com">
<Log ProviderType="EDPAudit" LogType="DataCopied" TimeStamp="131357192409318534">
<Policy>CopyPaste</Policy>
<Justification>NULL</Justification>
<SourceApplicationName>NULL</SourceApplicationName>
<DestinationEnterpriseID>NULL</DestinationEnterpriseID>
<DestinationApplicationName>mail.contoso.com</DestinationApplicationName>
<DataInfo>C:\Users\TestUser\Desktop\tmp\demo\Work document.docx</DataInfo>
</Log>
</User>
</Reporting></Data></Item></Results><Final/></SyncBody></SyncML>
<SyncML><SyncHdr/><SyncBody><Status><CmdID>1</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd>
<Data>200</Data></Status><Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>2</CmdRef><Cmd>Replace</Cmd>
<Data>200</Data></Status><Status><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Cmd>Get</Cmd>
<Data>200</Data></Status><Results><CmdID>4</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Item><Source>
<LocURI>./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs</LocURI></Source><Meta>
<Format xmlns="syncml:metinf">xml</Format></Meta><Data><?xml version="1.0" encoding="utf-8"?>
<Reporting Version="com.contoso/2.0/MDM/Reporting">
<User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com">
<Log ProviderType="EDPAudit" LogType="ApplicationGenerated" TimeStamp="131357194991209469">
<Policy>NULL</Policy>
<Justification></Justification>
<Object>C:\Users\TestUser\Desktop\tmp\demo\Work document.docx</Object>
<Action>1</Action>
<SourceName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING
SYSTEM\WORDPAD.EXE\10.0.15063.2</SourceName>
<DestinationEnterpriseID>Personal</DestinationEnterpriseID>
<DestinationName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING
SYSTEM\WORDPAD.EXE\10.0.15063.2</DestinationName>
<Application>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING
SYSTEM\WORDPAD.EXE\10.0.15063.2</Application>
</Log>
</User>
</Reporting></Data></Item></Results><Final/></SyncBody></SyncML>
Microsoft-Windows-EDP-Application-Learning/Admin
Microsoft-Windows-EDP-Audit-TCB/Admin
NOTE
If using Windows Events Logs, the event log names can be found under Properties of the event in the Events
folder (Application and Services Logs\Microsoft\Windows, click EDP-Audit-Regular and EDP-Audit-TCB).
Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary key. More
information on Workspace ID and Primary key can be found in Log Analytics > Advanced Settings .
5. To deploy MSI via Intune, in installation parameters add:
/q /norestart NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0
OPINSIGHTS_WORKSPACE_ID=<WORKSPACE_ID> OPINSIGHTS_WORKSPACE_KEY=<WORKSPACE_KEY>
AcceptEndUserLicenseAgreement=1
NOTE
Replace <WORKSPACE_ID> & <WORKSPACE_KEY> received from step 5. In installation parameters, don't place
<WORKSPACE_ID> & <WORKSPACE_KEY> in quotes ("" or '').
6. After the agent is deployed, data will be received within approximately 10 minutes.
7. To search for logs, go to Log Analytics workspace > Logs , and type Event in search.
Example
Additional resources
How to deploy app via Intune
How to create Log workspace
How to use Microsoft Monitoring Agents for Windows
General guidance and best practices for Windows
Information Protection (WIP)
3/3/2022 • 2 minutes to read • Edit Online
Applies to:
Windows 10, version 1607 and later
This section includes info about the enlightened Microsoft apps, including how to add them to your allowed
apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with
Windows Information Protection (WIP).
In this section
TO P IC DESC RIP T IO N
Enlightened apps for use with Windows Information Learn the difference between enlightened and unenlightened
Protection (WIP) apps, and then review the list of enlightened apps provided
by Microsoft along with the text you will need to use to add
them to your allowed apps list.
Unenlightened and enlightened app behavior while using Learn the difference between enlightened and unenlightened
Windows Information Protection (WIP) app behaviors.
Recommended Enterprise Cloud Resources and Neutral Recommended additions for the Enterprise Cloud Resources
Resources network settings with Windows Information and Neutral Resources network settings, when used with
Protection (WIP) Windows Information Protection (WIP).
Using Outlook on the web with Windows Information Options for using Outlook on the web with Windows
Protection (WIP) Information Protection (WIP).
NOTE
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to
this topic, see Editing Windows IT professional documentation.
List of enlightened Microsoft apps for use with
Windows Information Protection (WIP)
3/3/2022 • 4 minutes to read • Edit Online
Applies to:
Windows 10, version 1607 and later
Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps
provided by Microsoft along with the text you will need to use to add them to your allowed apps list.
NOTE
Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to
be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined
and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop
functioning.
You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the
Publisher name , Product or File name , and App Type info for both Microsoft Intune and Microsoft
Endpoint Configuration Manager.
P RO DUC T N A M E A P P IN F O
OneNote Publisher :
CN=Microsoft Corporation, O=Microsoft Corporation,
L=Redmond, S=Washington, C=US
Product Name: Microsoft.Office.OneNote
App Type: Universal app
Microsoft 365 Apps for enterprise and Office 2019 Microsoft 365 Apps for enterprise and Office 2019
Professional Plus Professional Plus apps are set up as a suite. You must use
the O365 ProPlus - Allow and Exempt AppLocker policy files
(.zip files) to turn the suite on for WIP.
We don't recommend setting up Office by using individual
paths or publisher rules.
IE11 Publisher :
O=Microsoft Corporation, L=Redmond, S=Washington,
C=US
Binar y Name: iexplore.exe
App Type: Desktop app
Notepad Publisher :
O=Microsoft Corporation, L=Redmond, S=Washington,
C=US
Binar y Name: notepad.exe
App Type: Desktop app
Microsoft To Do Publisher :
O=Microsoft Corporation, L=Redmond, S=Washington,
C=US
Product Name: Microsoft.Todos
App Type: Store app
NOTE
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to
this topic, see Editing Windows IT professional documentation.
Unenlightened and enlightened app behavior while
using Windows Information Protection (WIP)
3/3/2022 • 3 minutes to read • Edit Online
Applies to:
Windows 10, version 1607 and later
Windows Information Protection (WIP) classifies apps into two categories: enlightened and unenlightened.
Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect
based on internal policies. Corporate data is encrypted on the managed device and attempts to copy/paste or
share this information with non-corporate apps or people will fail. Unenlightened apps, when marked as
corporate-managed, consider all data corporate and encrypt everything by default.
To avoid the automatic encryption of data, developers can enlighten apps by adding and compiling code using
the Windows Information Protection application programming interfaces. The most likely candidates for
enlightenment are apps that:
Don’t use common controls for saving files.
Don’t use common controls for text boxes.
Simultaneously work on personal and corporate data (for example, contact apps that display personal and
corporate data in a single view or a browser that displays personal and corporate web pages on tabs within a
single instance).
We strongly suggest that the only unenlightened apps you add to your allowed apps list are Line-of-Business
(LOB) apps.
IMPORTANT
After revoking WIP, unenlightened apps will have to be uninstalled and re-installed since their settings files will remain
encrypted. For more info about creating enlightened apps, see the Windows Information Protection (WIP) topic in the
Windows Dev Center.
Not required. App connects to enterprise cloud resources Name-based policies, without the /*AppCompat*/
directly, using an IP address. string:
App is entirely blocked from both personal and enterprise
cloud resources.
No encryption is applied.
App can’t access local Work files.
Not required. App connects to enterprise cloud resources, App is blocked from accessing enterprise cloud resources,
using a hostname. but can access other network resources.
No encryption is applied.
App can’t access local Work files.
Allow. App connects to enterprise cloud resources, using an App can access both personal and enterprise cloud
IP address or a hostname. resources.
Auto-encryption is applied.
App can access local Work files.
Exempt. App connects to enterprise cloud resources, using App can access both personal and enterprise cloud
an IP address or a hostname. resources.
No encryption is applied.
App can access local Work files.
N ET W O RK IN G P O L IC Y C O N F IGURAT IO N F O R N A M E- B A SED
P O L IC IES, P O SSIB LY USIN G T H E / *A P P C O M PAT */ ST RIN G,
A P P RUL E SET T IN G O R P RO XY - B A SED P O L IC IES
Not required. App connects to enterprise cloud resources, App is blocked from accessing enterprise cloud resources,
using an IP address or a hostname. but can access other network resources.
No encryption is applied.
App can't access local Work files.
Allow. App connects to enterprise cloud resources, using an App can access both personal and enterprise cloud
IP address or a hostname. resources.
App protects work data and leaves personal data
unprotected.
App can access local Work files.
Exempt. App connects to enterprise cloud resources, using App can access both personal and enterprise cloud
an IP address or a hostname. resources.
App protects work data and leaves personal data
unprotected.
App can access local Work files.
NOTE
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to
this topic, see Editing Windows IT professional documentation.
Recommended Enterprise Cloud Resources and
Neutral Resources network settings with Windows
Information Protection (WIP)
3/3/2022 • 2 minutes to read • Edit Online
Applies to:
Windows 10, version 1607 and later
Learn more about what features and functionality are supported in each Windows edition at Compare
Windows 10 Editions.
We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources
network settings when you create a WIP policy. If you are using Intune, the SharePoint entries may be added
automatically.
Yammer - www.yammer.com
- yammer.com
- persona.yammer.com
Power BI contoso.powerbi.com
You can add other work-only apps to the Cloud Resource list, or you can create a packaged app rule for the .exe
file to protect every file the app creates or modifies. Depending on how the app is accessed, you might want to
add both.
For Office 365 endpoints, see Office 365 URLs and IP address ranges. Office 365 endpoints are updated
monthly. Allow the domains listed in section number 46 Allow Required and add also add the apps. Note that
apps from officeapps.live.com can also store personal data.
When multiple files are selected from SharePoint Online or OneDrive, the files are aggregated and the URL can
change. In this case, add a entry for a second-level domain and use a wildcard such as .svc.ms.
Applies to:
Windows 10, version 1607 and later
Learn more about what features and functionality are supported in each Windows edition at Compare
Windows 10 Editions.
Because Outlook on the web can be used both personally and as part of your organization, you have the
following options to configure it with Windows Information Protection (WIP):
O P T IO N O UT LO O K O N T H E W EB B EH AVIO R
Don't configure outlook.office.com in any of your networking All mailboxes are automatically marked as personal. This
settings. means employees attempting to copy work content into
Outlook on the web receive prompts and that files
downloaded from Outlook on the web aren't automatically
protected as corporate data.
Add outlook.office.com and outlook.office365.com to the All mailboxes are automatically marked as corporate. This
Cloud resources network element in your WIP policy. means any personal inboxes hosted on Office 365 are also
automatically marked as corporate data.
NOTE
These limitations don’t apply to Outlook 2016, the Mail for Windows 10 app, or the Calendar for Windows 10 app. These
apps will work properly, marking an employee’s mailbox as corporate data, regardless of how you’ve configured
outlook.office.com in your network settings.
Fine-tune Windows Information Protection (WIP)
with WIP Learning
3/3/2022 • 3 minutes to read • Edit Online
Applies to:
Windows 10, version 1703 and later
With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help
reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The App
learning repor t and the Website learning repor t . Both reports can be accessed from Microsoft Azure
Intune.
The App learning repor t monitors your apps, not in policy, that attempt to access work data. You can identify
these apps using the report and add them to your WIP policies to avoid productivity disruption before fully
enforcing WIP with “Block” mode. Frequent monitoring of the report will help you continuously identify access
attempts so you can update your policy accordingly.
In the Website learning repor t , you can view a summary of the devices that have shared work data with
websites. You can use this information to determine which websites should be added to group and user WIP
policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which
ones are cloud or personal, and add them to the resource list.
3. Select either App learning repor t for Windows Information Protection or Website learning
repor t for Windows Information Protection .
Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether
to add them to your app protection policies.
In the steps below, you separate the WipAppId by back slashes into the PUBLISHER , PRODUCT NAME ,
and FILE fields.
2. In Intune, click App protection policies and then choose the app policy you want to add an application
to.
3. Click Protected apps , and then click Add Apps .
4. In the Recommended apps drop down menu, choose either Store apps or Desktop apps , depending
on the app you've chosen (for example, an executable (EXE) is a desktop app).
5. In NAME (optional), type the name of the app, and then in PUBLISHER (required), paste the publisher
information that you copied in step 1 above.
For example, if the WipAppId is
O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108
6. Type the name of the product in PRODUCT NAME (required) (this will probably be the same as what
you typed for NAME ).
For example, if the WipAppId is
O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108
the text between the first and second back slashes is the product name:
GOOGLE CHROME
7. Copy the name of the executable (for example, snippingtool.exe) and paste it in FILE (required).
For example, if the WipAppId is
O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108
the text between the second and third back slashes is the file:
CHROME.EXE
8. Type the version number of the app into MIN VERSION in Intune (alternately, you can specify the max
version, but one or the other is required), and then select the ACTION : Allow or Deny
When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with Silent or
Allow overrides while verifying with a small group that you have the right apps on your allowed apps list.
After you're done, you can change to your final enforcement policy, Block . For more information about WIP
modes, see: Protect enterprise data using WIP: WIP-modes
NOTE
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to
this topic, see Editing Windows IT professional documentation.
Windows application security
3/3/2022 • 2 minutes to read • Edit Online
Cyber-criminals regularly gain access to valuable data by hacking applications. This can include “code injection”
attacks, in which attackers insert malicious code that can tamper with data, or even destroy it. An application
may have its security misconfigured, leaving open doors for hackers. Or vital customer and corporate
information may leave sensitive data exposed. Windows protects your valuable data with layers of application
security.
The following table summarizes the Windows security features and capabilities for apps:
Windows Defender Application Control Application control is one of the most effective security
controls to prevent unwanted or malicious code from
running. It moves away from an application trust model
where all code is assumed trustworthy to one where apps
must earn trust to run. Learn more: Application Control for
Windows
Microsoft Defender Application Guard Application Guard uses chip-based hardware isolation to
isolate untrusted websites and untrusted Office files,
seamlessly running untrusted websites and files in an
isolated Hyper-V-based container, separate from the
desktop operating system, and making sure that anything
that happens within the container remains isolated from the
desktop. Learn more Microsoft Defender Application Guard
overview.
Email Security With Windows S/MIME email security, users can encrypt
outgoing messages and attachments, so only intended
recipients with digital identification (ID)—also called a
certificate—can read them. Users can digitally sign a
message, which verifies the identity of the sender and
ensures the message has not been tampered with.Configure
S/MIME for Windows 10
Applies to
Windows 10
Windows Server 2016
Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises
to "lock down" Windows 10 systems so they behave more like mobile devices. In this configuration, Windows
Defender Application Control (WDAC) is used to restrict devices to run only approved apps, while the OS is
hardened against kernel memory attacks using hypervisor-protected code integrity (HVCI).
WDAC policies and HVCI are powerful protections that can be used separately. However, when these two
technologies are configured to work together, they present a strong protection capability for Windows 10
devices.
Using WDAC to restrict devices to only authorized apps has these advantages over other solutions:
1. WDAC policy is enforced by the Windows kernel itself, and the policy takes effect early in the boot sequence
before nearly all other OS code and before traditional antivirus solutions run.
2. WDAC lets you set application control policy for code that runs in user mode, kernel mode hardware and
software drivers, and even code that runs as part of Windows.
3. Customers can protect the WDAC policy even from local administrator tampering by digitally signing the
policy. To change signed policy requires both administrative privilege and access to the organization’s digital
signing process. This makes it difficult for an attacker, including one who has managed to gain administrative
privilege, to tamper with WDAC policy.
4. You can protect the entire WDAC enforcement mechanism with HVCI. Even if a vulnerability exists in kernel
mode code, HVCI greatly reduces the likelihood that an attacker could successfully exploit it. This is important
because an attacker that compromises the kernel could normally disable most system defenses, including
those enforced by WDAC or any other application control solution.
Related articles
Windows Defender Application Control
Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender
Driver compatibility with Windows Defender in Windows 10
Code integrity
Application Control for Windows
3/3/2022 • 2 minutes to read • Edit Online
Applies to:
Windows 10
Windows 11
Windows Server 2016 and above
NOTE
Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more
about the Windows Defender Application Control feature availability.
With thousands of new malicious files created every day, using traditional methods like antivirus solutions—
signature-based detection to fight against malware—provides an inadequate defense against new attacks.
In most organizations, information is the most valuable asset, and ensuring that only approved users have
access to that information is imperative. However, when a user runs a process, that process has the same level of
access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of
the organization if a user knowingly or unknowingly runs malicious software.
Application control can help mitigate these types of security threats by restricting the applications that users are
allowed to run and the code that runs in the System Core (kernel). Application control policies can also block
unsigned scripts and MSIs, and restrict Windows PowerShell to run in Constrained Language Mode.
Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it
has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from
an application trust model where all applications are assumed trustworthy to one where applications must earn
trust in order to run. Many organizations, like the Australian Signals Directorate, understand this and frequently
cite application control as one of the most effective means for addressing the threat of executable file-based
malware (.exe, .dll, etc.).
NOTE
Although application control can significantly harden your computers against malicious code, we recommend that you
continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.
Windows 10 and Windows 11 include two technologies that can be used for application control depending on
your organization's specific scenarios and requirements:
Windows Defender Application Control ; and
AppLocker
In this section
A RT IC L E DESC RIP T IO N
A RT IC L E DESC RIP T IO N
WDAC and AppLocker Overview This article describes the decisions you need to make to
establish the processes for managing and maintaining
WDAC policies.
WDAC and AppLocker Feature Availability This article lists the design questions, possible answers, and
ramifications of the decisions when you plan a deployment
of application control policies.
Related articles
WDAC design guide
WDAC deployment guide
AppLocker overview
Microsoft Defender Application Guard overview
3/3/2022 • 3 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging
attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to
destroy the playbook that attackers use by making current attack methods obsolete.
Related articles
A RT IC L E DESC RIP T IO N
System requirements for Microsoft Defender Application Specifies the prerequisites necessary to install and use
Guard Application Guard.
Prepare and install Microsoft Defender Application Guard Provides instructions about determining which mode to use,
either Standalone or Enterprise-managed, and how to install
Application Guard in your organization.
Configure the Group Policy settings for Microsoft Defender Provides info about the available Group Policy and MDM
Application Guard settings.
Testing scenarios using Microsoft Defender Application Provides a list of suggested testing scenarios that you can
Guard in your business or organization use to test Application Guard in your organization.
Microsoft Defender Application Guard Extension for web Describes the Application Guard extension for Chrome and
browsers Firefox, including known issues, and a troubleshooting guide
Microsoft Defender Application Guard for Microsoft Office Describes Application Guard for Microsoft Office, including
minimum hardware requirements, configuration, and a
troubleshooting guide
Frequently asked questions - Microsoft Defender Application Provides answers to frequently asked questions about
Guard Application Guard features, integration with the Windows
operating system, and general configuration.
Use a network boundary to add trusted sites on Windows Network boundary, a feature that helps you protect your
devices in Microsoft Intune environment from sites that aren't trusted by your
organization.
Windows Sandbox
3/3/2022 • 2 minutes to read • Edit Online
Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software
installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host
machine.
A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-
new instance of the sandbox every time you open the application.
Software and applications installed on the host aren't directly available in the sandbox. If you need specific
applications available inside the Windows Sandbox environment, they must be explicitly installed within the
environment.
Windows Sandbox has the following properties:
Par t of Windows : Everything required for this feature is included in Windows 10 Pro and Enterprise.
There's no need to download a VHD.
Pristine : Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
Disposable : Nothing persists on the device. Everything is discarded when the user closes the application.
Secure : Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a
separate kernel that isolates Windows Sandbox from the host.
Efficient: Uses the integrated kernel scheduler, smart memory management, and virtual GPU.
The following video provides an overview of Windows Sandbox.
Prerequisites
Windows 10 Pro, Enterprise or Education build 18305 or Windows 11 (Windows Sandbox is currently not
supported on Windows Home edition)
AMD64 architecture
Virtualization capabilities enabled in BIOS
At least 4 GB of RAM (8 GB recommended)
At least 1 GB of free disk space (SSD recommended)
At least two CPU cores (four cores with hyperthreading recommended)
Installation
1. Ensure that your machine is using Windows 10 Pro or Enterprise, build version 18305 or Windows 11.
2. Enable virtualization on the machine.
If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS.
If you're using a virtual machine, run the following PowerShell command to enable nested
virtualization:
NOTE
To enable Sandbox using PowerShell, open PowerShell as Administrator and run Enable-
WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online .
4. Locate and select Windows Sandbox on the Start menu to run it for the first time.
Usage
1. Copy an executable file (and any other files needed to run the application) from the host and paste them
into the Windows Sandbox window.
2. Run the executable file or installer inside the sandbox.
3. When you're finished experimenting, close the sandbox. A dialog box will state that all sandbox content
will be discarded and permanently deleted. Select Ok .
4. Confirm that your host machine doesn't exhibit any of the modifications that you made in Windows
Sandbox.
Windows Sandbox architecture
3/3/2022 • 2 minutes to read • Edit Online
Windows Sandbox benefits from new container technology in Windows to achieve a combination of security,
density, and performance that isn't available in traditional VMs.
Memory management
Traditional VMs apportion statically sized allocations of host memory. When resource needs change, classic VMs
have limited mechanisms for adjusting their resource needs. On the other hand, containers collaborate with the
host to dynamically determine how host resources are allocated. This method is similar to how processes
normally compete for memory on the host. If the host is under memory pressure, it can reclaim memory from
the container much like it would with a process.
Memory sharing
Because Windows Sandbox runs the same operating system image as the host, it has been enhanced to use the
same physical memory pages as the host for operating system binaries via a technology referred to as "direct
map." For example, when ntdll.dll is loaded into memory in the sandbox, it uses the same physical pages as
those of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a
smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets.
Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled
like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the
Sandbox. This means that the most important work will be prioritized, whether it's on the host or in the
container.
Battery pass-through
Windows Sandbox is also aware of the host's battery state, which allows it to optimize its power consumption.
This functionality is critical for technology that is used on laptops, where battery life is often critical.
Windows Sandbox configuration
3/3/2022 • 6 minutes to read • Edit Online
Windows Sandbox supports simple configuration files, which provide a minimal set of customization
parameters for Sandbox. This feature can be used with Windows 10 build 18342 or Windows 11. Windows
Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension.
A configuration file enables the user to control the following aspects of Windows Sandbox:
vGPU (vir tualized GPU) : Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use
Windows Advanced Rasterization Platform (WARP).
Networking : Enable or disable network access within the sandbox.
Mapped folders : Share folders from the host with read or write permissions. Note that exposing host
directories may allow malicious software to affect the system or steal data.
Logon command : A command that's executed when Windows Sandbox starts.
Audio input : Shares the host's microphone input into the sandbox.
Video input : Shares the host's webcam input into the sandbox.
Protected client : Places increased security settings on the RDP session to the sandbox.
Printer redirection : Shares printers from the host into the sandbox.
Clipboard redirection : Shares the host clipboard with the sandbox so that text and files can be pasted back
and forth.
Memor y in MB : The amount of memory, in megabytes, to assign to the sandbox.
<Configuration>
</Configuration>
3. Add appropriate configuration text between the two lines. For details, see the correct syntax and the
examples below.
4. Save the file with the desired name, but make sure its filename extension is .wsb . In Notepad, you
should enclose the filename and the extension inside double quotation marks, e.g. "My config file.wsb" .
C:\Temp> MyConfigFile.wsb
Supported values:
Enable: Enables vGPU support in the sandbox.
Disable: Disables vGPU support in the sandbox. If this value is set, the sandbox will use software rendering,
which may be slower than virtualized GPU.
Default This is the default value for vGPU support. Currently this means vGPU is disabled.
NOTE
Enabling virtualized GPU can potentially increase the attack surface of the sandbox.
Networking
Enables or disables networking in the sandbox. You can disable network access to decrease the attack surface
exposed by the sandbox.
<Networking>value</Networking>
Supported values:
Disable: Disables networking in the sandbox.
Default: This is the default value for networking support. This value enables networking by creating a virtual
switch on the host and connects the sandbox to it via a virtual NIC.
NOTE
Enabling networking can expose untrusted applications to the internal network.
Mapped folders
An array of folders, each representing a location on the host machine that will be shared into the sandbox at the
specified path. At this time, relative paths are not supported. If no path is specified, the folder will be mapped to
the container user's desktop.
<MappedFolders>
<MappedFolder>
<HostFolder>absolute path to the host folder</HostFolder>
<SandboxFolder>absolute path to the sandbox folder</SandboxFolder>
<ReadOnly>value</ReadOnly>
</MappedFolder>
<MappedFolder>
...
</MappedFolder>
</MappedFolders>
HostFolder: Specifies the folder on the host machine to share into the sandbox. Note that the folder must
already exist on the host, or the container will fail to start.
SandboxFolder: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it will be
created. If no sandbox folder is specified, the folder will be mapped to the container desktop.
ReadOnly: If true, enforces read-only access to the shared folder from within the container. Supported values:
true/false. Defaults to false.
NOTE
Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host.
Logon command
Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox
are run under the container user account.
<LogonCommand>
<Command>command to be invoked</Command>
</LogonCommand>
Command: A path to an executable or script inside the container that will be executed after login.
NOTE
Although very simple commands will work (such as launching an executable or script), more complicated scenarios
involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared
folder, and then executed via the LogonCommand directive.
Audio input
Enables or disables audio input to the sandbox.
<AudioInput>value</AudioInput>
Supported values:
Enable: Enables audio input in the sandbox. If this value is set, the sandbox will be able to receive audio input
from the user. Applications that use a microphone may require this capability.
Disable: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from
the user. Applications that use a microphone may not function properly with this setting.
Default: This is the default value for audio input support. Currently this means audio input is enabled.
NOTE
There may be security implications of exposing host audio input to the container.
Video input
Enables or disables video input to the sandbox.
<VideoInput>value</VideoInput>
Supported values:
Enable: Enables video input in the sandbox.
Disable: Disables video input in the sandbox. Applications that use video input may not function properly in
the sandbox.
Default: This is the default value for video input support. Currently this means video input is disabled.
Applications that use video input may not function properly in the sandbox.
NOTE
There may be security implications of exposing host video input to the container.
Protected client
Applies additional security settings to the sandbox Remote Desktop client, decreasing its attack surface.
<ProtectedClient>value</ProtectedClient>
Supported values:
Enable: Runs Windows sandbox in Protected Client mode. If this value is set, the sandbox runs with extra
security mitigations enabled.
Disable: Runs the sandbox in standard mode without extra security mitigations.
Default: This is the default value for Protected Client mode. Currently, this means the sandbox doesn't run in
Protected Client mode.
NOTE
This setting may restrict the user's ability to copy/paste files in and out of the sandbox.
Printer redirection
Enables or disables printer sharing from the host into the sandbox.
<PrinterRedirection>value</PrinterRedirection>
Supported values:
Enable: Enables sharing of host printers into the sandbox.
Disable: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from
the host.
Default: This is the default value for printer redirection support. Currently this means printer redirection is
disabled.
Clipboard redirection
Enables or disables sharing of the host clipboard with the sandbox.
<ClipboardRedirection>value</ClipboardRedirection>
Supported values:
Disable: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the
sandbox will be restricted.
Default: This is the default value for clipboard redirection. Currently copy/paste between the host and
sandbox are permitted under Default.
Memory in MB
Specifies the amount of memory that the sandbox can use in megabytes (MB).
<MemoryInMB>value</MemoryInMB>
If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required
minimum amount.
Example 1
The following config file can be used to easily test downloaded files inside the sandbox. To achieve this,
networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder.
For convenience, the logon command opens the downloads folder inside the sandbox when it's started.
Downloads.wsb
<Configuration>
<VGpu>Disable</VGpu>
<Networking>Disable</Networking>
<MappedFolders>
<MappedFolder>
<HostFolder>C:\Users\Public\Downloads</HostFolder>
<SandboxFolder>C:\Users\WDAGUtilityAccount\Downloads</SandboxFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
</MappedFolders>
<LogonCommand>
<Command>explorer.exe C:\users\WDAGUtilityAccount\Downloads</Command>
</LogonCommand>
</Configuration>
Example 2
The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated
LogonCommand setup.
Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSCodeInstall.cmd, which will
install and run Visual Studio Code. The second folder (CodingProjects) is assumed to contain project files that
the developer wants to modify using Visual Studio Code.
With the Visual Studio Code installer script already mapped into the sandbox, the LogonCommand can
reference it.
VSCodeInstall.cmd
VSCode.wsb
<Configuration>
<MappedFolders>
<MappedFolder>
<HostFolder>C:\SandboxScripts</HostFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
<MappedFolder>
<HostFolder>C:\CodingProjects</HostFolder>
<ReadOnly>false</ReadOnly>
</MappedFolder>
</MappedFolders>
<LogonCommand>
<Command>C:\Users\WDAGUtilityAccount\Desktop\SandboxScripts\VSCodeInstall.cmd</Command>
</LogonCommand>
</Configuration>
Microsoft Defender SmartScreen
3/3/2022 • 3 minutes to read • Edit Online
Applies to:
Windows 10
Windows 11
Microsoft Edge
Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the
downloading of potentially malicious files.
Microsoft Defender Smar tScreen determines whether a site is potentially malicious by:
Analyzing visited webpages looking for indications of suspicious behavior. If Microsoft Defender
SmartScreen determines that a page is suspicious, it will show a warning page to advise caution.
Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If
it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site
might be malicious.
Microsoft Defender Smar tScreen determines whether a downloaded app or app installer is
potentially malicious by:
Checking downloaded files against a list of reported malicious software sites and programs known to be
unsafe. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the
site might be malicious.
Checking downloaded files against a list of files that are well known and downloaded by many Windows
users. If the file isn't on that list, Microsoft Defender SmartScreen shows a warning, advising caution.
IMPORTANT
SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal
locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares.
When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as Event 1035 - Anti-
Phishing.
NOTE
For information on how to use the Event Viewer, see Windows Event Viewer.
Related topics
SmartScreen Frequently Asked Questions
Threat protection
Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings
Configure S/MIME for Windows
3/3/2022 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for
email sent to and from an Exchange ActiveSync (EAS) account. S/MIME lets users encrypt outgoing messages
and attachments so that only intended recipients who have a digital identification (ID), also known as a
certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify
the identity of the sender and that the message hasn't been tampered with.
Prerequisites
S/MIME is enabled for Exchange accounts (on-premises and Office 365). Users can’t use S/MIME signing
and encryption with a personal account such as Outlook.com.
Valid Personal Information Exchange (PFX) certificates are installed on the device.
How to Create PFX Certificate Profiles in Configuration Manager
Enable access to company resources using certificate profiles with Microsoft Intune
4. In Select an account , select the account for which you want to configure S/MIME options.
5. Make a certificate selection for digital signature and encryption.
Select Automatically to let the app choose the certificate.
Select Manually to specify the certificate yourself from the list of valid certificates on the device.
6. (Optional) Select Always sign with S/MIME , Always encr ypt with S/MIME , or both, to automatically
digitally sign or encrypt all outgoing messages.
NOTE
The option to sign or encrypt can be changed for individual messages, unless EAS policies prevent it.
7. Tap the back arrow.
Applies to
Windows 10
This topic provides a summary of the Windows credential theft mitigation guide, which can be downloaded
from the Microsoft Download Center. This guide explains how credential theft attacks occur and the strategies
and countermeasures you can implement to mitigate them, following these security stages:
Identify high-value assets
Protect against known and unknown threats
Detect pass-the-hash and related attacks
Respond to suspicious activity
Recover from a breach
Malicious actors launch millions of password attacks every day. Weak passwords, password spraying, and
phishing are the entry point for many attacks. Knowing that the right user is accessing the right device and the
right data is critical to keeping your business, family, and self, safe and secure. Windows Hello, Windows Hello
for Business, and Credential Guard enable customers to move to passwordless multifactor authentication (MFA).
MFA can reduce the risk of compromise in organizations.
Securing user identity with Windows Hello Windows Hello and Windows Hello for Business replace
password-based authentication with a stronger
authentication model to sign into your device using a
passcode (PIN) or other biometric based authentication. This
PIN or biometric based authentication is only valid on the
device that you registered it for and cannot be used on
another deviceLearn more: Windows Hello for Business
Windows Defender Credential Guard and Remote Credential Windows Defender Credential Guard helps protects your
Guard systems from credential theft attack techniques (pass-the-
hash or pass-the-ticket) as well as helping prevent malware
from accessing system secrets even if the process is running
with admin privileges. Windows Defender Remote Credential
Guard helps you protect your credentials over a Remote
Desktop connection by redirecting Kerberos requests back
to the device that's requesting the connection. It also
provides single sign-on experiences for Remote Desktop
sessions. Learn more: Protect derived domain credentials
with Windows Defender Credential Guard and Protect
Remote Desktop credentials with Windows Defender Remote
Credential Guard
FIDO Alliance Fast Identity Online (FIDO) defined protocols are becoming
the open standard for providing strong authentication that
helps prevent phishing and are user-friendly and privacy-
respecting. Windows 11 supports the use of device sign-in
with FIDO 2 security keys, and with Microsoft Edge or other
modern browsers, supports the use of secure FIDO-backed
credentials to keep user accounts protected. Learn more
about the FIDO Alliance.
Applies to
Windows 10
This topic provides a summary of the Windows credential theft mitigation guide, which can be downloaded
from the Microsoft Download Center. This guide explains how credential theft attacks occur and the strategies
and countermeasures you can implement to mitigate them, following these security stages:
Identify high-value assets
Protect against known and unknown threats
Detect pass-the-hash and related attacks
Respond to suspicious activity
Recover from a breach
Applies to
Windows 10
Enterprise certificate pinning is a Windows feature for remembering, or pinning a root issuing certificate
authority or end entity certificate to a given domain name. Enterprise certificate pinning helps reduce man-in-
the-middle attacks by enabling you to protect your internal domain names from chaining to unwanted
certificates or to fraudulently issued certificates.
NOTE
External domain names, where the certificate issued to these domains is issued by a public certificate authority, are not
ideal for enterprise certificate pinning.
Windows Certificate APIs (CertVerifyCertificateChainPolicy and WinVerifyTrust) are updated to check if the site’s
chain that authenticates servers matches a restricted set of certificates. These restrictions are encapsulated in a
Pin Rules Certificate Trust List (CTL) that is configured and deployed to Windows 10 computers. Any site
certificate that triggers a name mismatch causes Windows to write an event to the CAPI2 event log and prevents
the user from navigating to the web site using Microsoft Edge or Internet Explorer.
NOTE
Enterprise Certificate Pinning feature triggering doesn't cause clients other than Microsoft Edge or Internet Explorer to
block the connection.
Deployment
To deploy enterprise certificate pinning, you need to:
Create a well-formatted certificate pinning rule XML file
Create a pin rules certificate trust list file from the XML file
Apply the pin rules certificate trust list file to a reference administrative computer
Deploy the registry configuration on the reference computer using Group Policy Management Console
(GPMC), which is included in the Remote Server Administration Tools (RSAT).
Create a Pin Rules XML file
The XML-based pin rules file consists of a sequence of PinRule elements. Each PinRule element contains a
sequence of one or more Site elements and a sequence of zero or more Certificate elements.
<PinRules ListIdentifier="PinRulesExample" Duration="P28D">
</PinRules>
PinRules Element
The PinRules element can have the following attributes. For help with formatting Pin Rules, see Representing a
Date in XML or Representing a Duration in XML.
Duration or NextUpdate Specifies when the Pin Rules will expire. Required? Yes. At least one is
Either is required. NextUpdate takes required.
precedence if both are specified.
Duration , represented as an XML
TimeSpan data type, doesn't allow
years and months. You represent the
NextUpdate attribute as an XML
DateTime data type in UTC.
PinRule Element
The PinRule element can have the following attributes.
AT T RIB UT E DESC RIP T IO N REQ UIRED
Certificate element
The Cer tificate element can have the following attributes.
File Path to a file containing one or more Yes (File, Directory, or Base64 must be
certificates. Where the certificate(s) can present).
be encoded as:
- single certificate
- p7b
- sst
These files can also be Base64
formatted. All Site elements included
in the same PinRule element can
match any of these certificates.
Director y Path to a directory containing one or Yes (File, Directory, or Base64 must be
more of the above certificate files. present).
Skips any files not containing any
certificates.
AT T RIB UT E DESC RIP T IO N REQ UIRED
Base64 Base64 encoded certificate(s). Where Yes (File, Directory, or Base64 must be
the certificate(s) can be encoded as: present).
- single certificate
- p7b
- sst
This allows the certificates to be
included in the XML file without a file
directory dependency.
Note:
You can use cer tutil -encode to
convert a .cer file into base64. You can
then use Notepad to copy and paste
the base64 encoded certificate into the
pin rule.
Site element
The Site element can have the following attributes.
Options:
-f -- Force overwrite
-v -- Verbose operation
The same certificate(s) can occur in multiple PinRule elements. The same domain can occur in multiple
PinRule elements. Certutil coalesces these in the resultant pin rules certificate trust list.
Certutil.exe doesn't strictly enforce the XML schema definition. It does perform the following to enable other
tools to add/consume their own specific elements and attributes:
Skips elements before and after the PinRules element.
Skips any element not matching Cer tificate or Site within the PinRules element.
Skips any attributes not matching the above names for each element type.
Use the cer tutil command with the generatePinRulesCTL argument along with your XML file that contains
your certificate pinning rules. Lastly, provide the name of an output file that will include your certificate pinning
rules in the form of a certificate trust list.
NAME VA L UE
Key HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingTy
pe0\CertDllCreateCertificateChainEngine\Config
Name PinRules
Value Binary contents from the certificate pin rules certificate trust
list file
12. Close the Group Policy Management Editor to save your settings.
13. Link the Enterprise Cer tificate Pinning Rules Group Policy object to apply to computers that run
Windows 10, version 1703 in your enterprise. When these domain-joined computers apply Group Policy,
the registry information configured in the Group Policy object is applied to the computer.
NAME VA L UE
Key HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingTy
pe0\CertDllCreateCertificateChainEngine\Config
NAME VA L UE
Name PinRulesLogDir
set PinRulesLogDir=c:\PinRulesLog
mkdir %PinRulesLogDir%
icacls %PinRulesLogDir% /grant *S-1-15-2-1:(OI)(CI)(F)
icacls %PinRulesLogDir% /grant *S-1-1-0:(OI)(CI)(F)
icacls %PinRulesLogDir% /grant *S-1-5-12:(OI)(CI)(F)
icacls %PinRulesLogDir% /inheritance:e /setintegritylevel (OI)(CI)L
Whenever an application verifies a TLS/SSL certificate chain that contains a server name matching a DNS name
in the server certificate, Windows writes a .p7b file consisting of all the certificates in the server’s chain to one of
three child folders:
AdminPinRules Matched a site in the enterprise certificate pinning rules.
AutoUpdatePinRules Matched a site in the certificate pinning rules managed by Microsoft.
NoPinRules Didn’t match any site in the certificate pin rules.
The output file name consists of the leading eight ASCII hex digits of the root’s SHA1 thumbprint followed by the
server name. For example:
D4DE20D0_xsi.outlook.com.p7b
DE28F4A4_www.yammer.com.p7b
If there's either an enterprise certificate pin rule or a Microsoft certificate pin rule mismatch, then Windows
writes the .p7b file to the MismatchPinRules child folder. If the pin rules have expired, then Windows writes
the .p7b to the ExpiredPinRules child folder.
2015-05-11T07:00:00.2655691Z
2015-05-11T07:00:00Z
Applies to
Windows 10
Windows 11
Windows Server 2016
Windows Server 2019
Introduced in Windows 10 Enterprise and Windows Server 2016, Windows Defender Credential Guard uses
virtualization-based security to isolate secrets so that only privileged system software can access them.
Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-
Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes,
Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
By enabling Windows Defender Credential Guard, the following features and solutions are provided:
Hardware security NTLM, Kerberos, and Credential Manager take advantage of platform security features,
including Secure Boot and virtualization, to protect credentials.
Vir tualization-based security Windows NTLM and Kerberos derived credentials and other secrets run in a
protected environment that is isolated from the running operating system.
Better protection against advanced persistent threats When Credential Manager domain credentials,
NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft
attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating
system with administrative privileges cannot extract secrets that are protected by virtualization-based
security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will
likely shift to new attack techniques and you should also incorporate other security strategies and
architectures.
Related topics
Isolated User Mode in Windows 10 with Dave Probert (Channel 9)
Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel (Channel 9)
More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert (Channel 9)
Mitigating Credential Theft using the Windows 10 Isolated User Mode (Channel 9)
Protecting network passwords with Windows Defender Credential Guard
Enabling Strict KDC Validation in Windows Kerberos
What's New in Kerberos Authentication for Windows Server 2012
Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide
Trusted Platform Module
How Windows Defender Credential Guard works
3/3/2022 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Windows Server 2016
Windows Server 2019
Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous
versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored
secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled,
the LSA process in the operating system talks to a new component called the isolated LSA process that stores
and protects those secrets. Data stored by the isolated LSA process is protected using Virtualization-based
security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to
communicate with the isolated LSA process.
For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small
subset of operating system binaries that are needed for security and nothing else. All of these binaries are
signed with a certificate that is trusted by virtualization-based security and these signatures are validated before
launching the file in the protected environment.
When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use
the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can
prompt for credentials or use credentials stored in the Windows Vault, which are not protected by Windows
Defender Credential Guard with any of these protocols. It is recommended that valuable credentials, such as the
sign-in credentials, are not to be used with any of these protocols. If these protocols must be used by domain or
Azure AD users, secondary credentials should be provisioned for these use cases.
When Windows Defender Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos
delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials.
Here's a high-level overview on how the LSA is isolated by using Virtualization-based security:
See also
Related videos
What is Virtualization-based security?
Windows Defender Credential Guard: Requirements
3/3/2022 • 8 minutes to read • Edit Online
Applies to
Windows 11
Windows 10
Windows Server 2019
Windows Server 2016
For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet
certain baseline hardware, firmware, and software requirements, which we will refer to as Hardware and
software requirements. Additionally, Windows Defender Credential Guard blocks specific authentication
capabilities, so applications that require such capabilities will break. We will refer to these requirements as
Application requirements. Beyond these requirements, computers can meet additional hardware and firmware
qualifications, and receive additional protections. Those computers will be more hardened against certain
threats. For detailed information on baseline protections, plus protections for improved security that are
associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in Security
Considerations.
Application requirements
When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so
applications that require such capabilities will break. Applications should be tested prior to deployment to
ensure compatibility with the reduced functionality.
WARNING
Enabling Windows Defender Credential Guard on domain controllers is not supported. The domain controller hosts
authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled,
causing crashes.
NOTE
Windows Defender Credential Guard does not provide protections for the Active Directory database or the Security
Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is
enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).
Security considerations
All computers that meet baseline protections for hardware, firmware, and software can use Windows Defender
Credential Guard. Computers that meet additional qualifications can provide additional protections to further
reduce the attack surface. The following tables describe baseline protections, plus protections for improved
security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
NOTE
Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new
shipping computers.
If you are an OEM, see PC OEM requirements for Windows Defender Credential Guard.
Baseline protections
B A SEL IN E P ROT EC T IO N S DESC RIP T IO N SEC URIT Y B EN EF IT S
Hardware: CPU vir tualization Requirements : VBS provides isolation of secure kernel
extensions , plus extended page - These hardware features are required from normal operating system.
tables for VBS: One of the following
virtualization extensions: - VT-x (Intel) Vulnerabilities and Day 0s in normal
or - AMD-V And: - Extended page operating system cannot be exploited
tables, also called Second Level because of this isolation.
Address Translation (SLAT).
Firmware: UEFI firmware version Requirements : UEFI Secure Boot helps ensure that the
2.3.1.c or higher with UEFI - See the following Windows Hardware device boots only authorized code, and
Secure Boot Compatibility Program requirement: can prevent boot kits and root kits
System.Fundamentals.Firmware.UEFISe from installing and persisting across
cureBoot reboots.
Firmware: Secure firmware update Requirements : UEFI firmware just like software can
process - UEFI firmware must support secure have security vulnerabilities that, when
firmware update found under the found, need to be patched through
following Windows Hardware firmware updates. Patching helps
Compatibility Program requirement: prevent root kits from getting
System.Fundamentals.Firmware.UEFISe installed.
cureBoot.
Software: Qualified Windows Requirement : Support for VBS and for management
operating system - At least Windows 10 Enterprise or features that simplify configuration of
Windows Server 2016. Windows Defender Credential Guard.
IMPORTANT
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.
IMPORTANT
The following tables list additional qualifications for improved security. We strongly recommend meeting the additional
qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide.
2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016
Technical Preview 4
P ROT EC T IO N S F O R IM P RO VED SEC URIT Y DESC RIP T IO N
Security benefits :
- An IOMMU can enhance system resiliency against memory
attacks. For more information, see Advanced Configuration
and Power Interface (ACPI) description tables
2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016
IMPORTANT
The following tables list additional qualifications for improved security. Systems that meet these additional qualifications
can provide more protections.
P ROT EC T IO N S F O R IM P RO VED
SEC URIT Y DESC RIP T IO N SEC URIT Y B EN EF IT S
Firmware: Hardware Rooted Trust Requirements : Boot Integrity (Platform Secure Boot)
Platform Secure Boot - Boot Integrity (Platform Secure Boot) from Power-On provides protections
must be supported. See the Windows against physically present attackers,
Hardware Compatibility Program and defense-in-depth against malware.
requirements under - HSTI provides additional security
System.Fundamentals.Firmware.CS.UEF assurance for correctly secured silicon
ISecureBoot.ConnectedStandby and platform.
- The Hardware Security Test Interface
(HSTI) must be implemented. See
Hardware Security Testability
Specification.
2017 Additional security qualifications starting with Windows 10, version 1703
The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding
qualifications.
P ROT EC T IO N S F O R IM P RO VED
SEC URIT Y DESC RIP T IO N SEC URIT Y B EN EF IT S
IMPORTANT
Regarding VBS enablement of NX protection for UEFI runtime ser vices :
This only applies to UEFI runtime service memory, and not UEFI boot service memory.
This protection is applied by VBS on OS page tables.
Please also note the following:
Do not use sections that are both writable and executable
Do not attempt to directly modify executable system memory
Do not use dynamic code
Manage Windows Defender Credential Guard
3/3/2022 • 9 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Windows Server 2016
Windows Server 2019
NOTE
It will enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable
Credential Guard remotely, enable it without UEFI lock.
TIP
You can also configure Credential Guard by using an account protection profile in endpoint security. See Account
protection policy settings for endpoint security in Intune.
NOTE
If you enable Windows Defender Credential Guard by using Group Policy, the steps to enable Windows features through
Control Panel or DISM are not required. Group Policy will install Windows features for you.
Add the vir tualization-based security features by using Programs and Features
1. Open the Programs and Features control panel.
2. Click Turn Windows feature on or off .
3. Go to Hyper-V -> Hyper-V Platform , and then select the Hyper-V Hyper visor check box.
4. Select the Isolated User Mode check box at the top level of the feature selection.
5. Click OK .
Add the vir tualization-based security features to an offline image by using DISM
1. Open an elevated command prompt.
2. Add the Hyper-V Hypervisor by running the following command:
3. Add the Isolated User Mode feature by running the following command:
NOTE
In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core
operating system. Running the command in step 3 above is therefore no longer required.
TIP
You can also add these features to an online image by using either DISM or Configuration Manager.
NOTE
You can also enable Windows Defender Credential Guard by setting the registry entries in the FirstLogonCommands
unattend setting.
Enable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard
hardware readiness tool
You can also enable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential
Guard hardware readiness tool.
IMPORTANT
When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating
system, within the script, change $OSArch = $(gwmi win32_operatingsystem).OSArchitecture to be
$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower() instead, in order for the tool to work.
You can also check that Windows Defender Credential Guard is running by using the HVCI and Windows
Defender Credential Guard hardware readiness tool.
DG_Readiness_Tool_v3.6.ps1 -Ready
IMPORTANT
When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating
system, within the script, change *$OSArch = $(gwmi win32_operatingsystem).OSArchitecture to be
$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower() instead, in order for the tool to work.
NOTE
For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is
enabled for other features.
We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If
Windows Defender Credential Guard is enabled after domain join, the user and device secrets may
already be compromised. In other words, enabling Credential Guard will not help to secure a device or
identity that has already been compromised, which is why we recommend turning on Credential Guard
as early as possible.
You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled.
This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
Event ID 13 Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA
credentials.
Event ID 14 Windows Defender Credential Guard (LsaIso.exe) configuration: [0x0 | 0x1 | 0x2 ], 0
The first variable: 0x1 or 0x2 means that Windows Defender Credential Guard is
configured to run. 0x0 means that it's not configured to run.
The second variable: 0 means that it's configured to run in protect mode. 1 means that it's
configured to run in test mode. This variable should always be 0 .
Event ID 15 Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel
is not running; continuing without Windows Defender Credential Guard.
Event ID 16 Windows Defender Credential Guard (LsaIso.exe) failed to launch: [error code]
Event ID 17 Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration:
[error code]
You can also verify that TPM is being used for key protection by checking Event ID 51 in the
Microsoft -> Windows -> Kernel-Boot event source. If you are running with a TPM, the TPM
PCR mask value will be something other than 0.
Event ID 51 VSM Master Encryption Key Provisioning. Using cached copy status: 0x0 . Unsealing
cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1 . TPM PCR mask: 0x0 .
You can use Windows PowerShell to determine whether credential guard is running on a client computer.
On the computer in question, open an elevated PowerShell window and run the following command:
NOTE
Checking the task list or Task Manager to see if LSAISO.exe is running is not a recommended method for
determining whether Windows Defender Credential Guard is running.
IMPORTANT
If you manually remove these registry settings, make sure to delete them all. If you don't remove them all,
the device might go into BitLocker recovery.
4. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated
command prompt, type the following commands:
mountvol X: /s
copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d
NOTE
The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted
with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run
the following bcdedit commands after turning off all virtualization-based security Group Policy and registry
settings:
For more info on virtualization-based security and HVCI, see Enable virtualization-based protection of code
integrity.
NOTE
Credential Guard and Device Guard are not supported when using Azure Gen 1 VMs. These options are available with
Gen 2 VMs only.
Disable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool
You can also disable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential
Guard hardware readiness tool.
IMPORTANT
When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating
system, within the script, change *$OSArch = $(gwmi win32_operatingsystem).OSArchitecture to be
$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower() instead, in order for the tool to work.
Applies to:
Windows 10
Windows 11
Windows Server 2016
Windows Server 2019
Windows Server 2022
$path = "C:\DGLogs\"
$LogFile = $path + "DeviceGuardCheckLog.txt"
$Sys32Path = "$env:windir\system32"
$DriverPath = "$env:windir\system32\drivers"
$HSTITest_Encoded =
"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAAA4fug4AtAnNIbgBTM0hVGh
pcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAADxXZfstTz5v7U8+b+1PPm/2GH4vrc8+b+8RGq/ojz5v9h
h+r63PPm/2GH9vr48+b+1PPi/qjz5v9hh+b60PPm/2GHwvrc8+b/YYfu+tDz5v1JpY2i1PPm/AAAAAAAAAABQRQAAZIYFAGt3EVgAAAAAAAA
AAPAAIiALAg4AABIAAAAaAAAAAAAAkBsAAAAQAAAAAACAAQAAAAAQAAAAAgAACgAAAAoAAAAKAAAAAAAAAABwAAAABAAAxcwAAAMAYEEAAAQ
AAAAAAAAQAAAAAAAAAAAQAAAAAAAAEAAAAAAAAAAAAAAQAAAAEDkAAGQAAAB0OQAABAEAAAAAAAAAAAAAAFAAACABAAAAAAAAAAAAAABgAAA
YAAAAwDUAADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQMAAA0AAAAAAAAAAAAAAA4DAAAEgBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAudGV4dAAAAMURAAAAEAAAABIAAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAAB4DwAAADAAAAAQAAAAFgAAAAAAAAAAAAAAAAAAQAA
AQC5kYXRhAAAAwAUAAABAAAAAAgAAACYAAAAAAAAAAAAAAAAAAEAAAMAucGRhdGEAACABAAAAUAAAAAIAAAAoAAAAAAAAAAAAAAAAAABAAAB
ALnJlbG9jAAAYAAAAAGAAAAACAAAAKgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABIiVwkCFVWV0FWQVd
Ii+xIg+wwM/9IjUU4TIv5iX1ISI1NSIl9QEUzyYl9OEyNRUBIiUQkIDPS6AwJAACL2D1XAAeAD4WrAAAAi0VASGnYDCIAAP8V/yAAAI13CEy
Lw0iLyIvW/xX2IAAATIvwSIXAdQe7DgAHgOtxi104/xXWIAAARIvDi9ZIi8j/FdAgAABIi/BIhcB1B7sOAAeA6x5IjUU4TIvOTI1FQEiJRCQ
gSYvWSI1NSOiNCAAAi9j/FZUgAABNi8Yz0kiLyP8VlyAAAEiF9nQU/xV8IAAATIvGM9JIi8j/FX4gAAA5fUhAD5THQYk/i8NIi1wkYEiDxDB
BX0FeX15dw8zMzMzMzMzMzOkzCAAAzMzMzMzMzEiJXCQYSIl0JCBXSIHscAEAAEiLBbsuAABIM8RIiYQkYAEAAA8QBRkhAACL8kiL+TPSSI1
MJGBBuPQAAADzD39EJFDo6g4AAEiDZCQwAEiNTCRQg2QkQABFM8nHRCQogAAAALoAAABAx0QkIAMAAABFjUEB/xWSHwAASIvYSIP4/3RGQbk
CAAAARTPAM9JIi8j/FX0fAACD+P90HkiDZCQgAEyNTCRARIvGSIvXSIvL/xVmHwAAhcB1Bv8VPB8AAEiLy/8VYx8AAEiLjCRgAQAASDPM6As
LAABMjZwkcAEAAEmLWyBJi3MoSYvjX8PMzMzMzMxIg+woM9JMi8lIhcl0Hrr///9/M8BEi8I4AXQJSP/BSYPoAXXzTYXAdSEz0rhXAAeAM8m
FwEgPScp4C41RAUmLyejG/v//SIPEKMNJK9Dr4czMzMzMzMzMSIlcJAhIiXQkEFdIg+wgQYvZSYv4SIvy6Iv///+L00iLz+iN/v//SIvOSIt
cJDBIi3QkOEiDxCBf6Wr////MzMzMzMyJVCQQSIPsKAkRSI0Nsx8AAOhO////ugQAAABIjUwkOOhL/v//SI0NqB8AAOgz////SIPEKMPMzMz
MzMxAVVNWV0FUQVVBVkFXSI1sJOFIgeyYAAAASIsF6CwAAEgzxEiJRQ9FM/ZIiVXnM9JIiU3vRIl1p0GL3kiJXbdJi8BIiUXXTYvpRIl1r0G
L/kSJdfdFi+ZIiVX7RYv+SIlVA0yJdc9IhckPhBEFAABIhcAPhAgFAABNhckPhP8EAABBgzkBdBHHRaeAAAAAvwJAAIDp7QQAAEiNDQkfAAD
ohP7//0WLfQREiX2/SWnfDCIAAP8Vtx0AAEyLw7oIAAAASIvI/xWuHQAATIvgSIXAdShIjQ3vHgAA6Er+////FUwdAAAPt/iBzwAAB4CFwA9
O+EmL3umLBAAASI0N9x4AAOgi/v//RIl1s0WF/w+EiwIAAEmNXQhIiV3HSY20JAwCAABIjQ32HgAA6Pn9//+LQwiJhvT9//+FwHktPbsAAMB
1EUiNDe4eAADo2f3//+kaAgAASI0N/R4AAOjI/f//g02nQOkFAgAAixtJA92DOwN0Gw+6bacIugEAAABIjY78/f//6Dv+///p4AEAAEyNhgD
+//+6BAAAAEmLwEiNSwgPEAFIjYmAAAAADxEASI2AgAAAAA8QSZAPEUiQDxBBoA8RQKAPEEmwDxFIsA8QQcAPEUDADxBJ0A8RSNAPEEHgDxF
A4A8QSfAPEUjwSIPqAXWuQbkAAgAASI0VgB4AAEiNDYEeAADodP3//4uLCAIAALoAEAAAQYv+TI0ES0iBwQwCAABMA8FIi85MK8ZIjYL+7/9
/SIXAdBdBD7cECGaFwHQNZokBSIPBAkiD6gF13UiF0nUJSIPpAr96AAeAZkSJMUiNFSYeAABIjQ0nHgAAQbkAIAAATIvG6AH9//9MjXMEQYs
OjUH/g/gDD4fDAAAA/0SN90iNFQMeAACJjvj9//9BuQQAAABIjQ34HQAATYvG6Mj8//9BiwaDfIX3AXZESI2O/P3//7oEAAAA6PH8//9Biw6
D6QF0JYPpAXQag+kBdA+D+QEPhaIAAACDTacI63eDTacE63GDTacC62uDTacB62WD+AF1YIuDCAIAAEyNRa9BuQQAAACJRa9IjRWTHQAASI0
NrB0AAOhP/P//RTP2RDl1r3UOD7ptpwlBjVYI6TX+//9IjYMMAgAASIlFz+sZD7ptpwlIjY78/f//ugIAAADoWfz//0Uz9otFs0iBxgwiAAB
Ig0XHDP/AiUWzQTvHcxdIi13H6ZP9//+/BUAAgEiLXbfp5wEAAEQ5dad0DkiNDU0dAADoePv//+vji12v/xW1GgAARIvDuggAAABIi8j/Faw
aAABIiUW3SIvYSIXAdRZIjQ1JHQAA6ET7//+/FwAA0OmXAQAASI0NYx0AAOgu+///i0WvRI2wBgEAAEaNNHBEiXWzRYX/D4TFAAAASY1cJAh
JjXUISI0N+xsAAOj++v//gXv4uwAAwHUOSI0N/hsAAOjp+v//63xEOXYEcxS6EAAAAA+6bacJSIvL6Gv7///rYosOSQPNi4EIAgAAO0WvdAe
6CAAAAOvaRTPATI0MQUyNFAhEOUWvdjpMi3W3Qw+2jBAMAgAA99FDhIwIDAIAAHQID7ptpwmDCyBDioQIDAIAAEMIBDBB/8BEO0Wvcs5Ei3W
zSIPGDEiBwwwiAABJg+8BD4VM////RIt9v0iLXbdFM/ZEOXWndBFIjQ0OHAAA6Dn6///pkQAAAEGL9kQ5da8PhoQAAABMi3W3TIttz0iNDYg
cAADoE/r//4vGTI1Fq0G5AQAAAEiNFZgcAABCigwwSo0cKCILiE2rSI0NlBwAAOg/+v//QbkBAAAASI0VkhwAAEyLw0iNDZgcAADoI/r//4o
DOEWrdBBIjQ2dHAAA6Lj5//+DTacg/8Y7da9yjuly+///v1cAB4BIjQ2sHAAA6Jf5//9BuQQAAABMjUWnSI0VphwAAEiNDa8cAADo0vn//02
F5HRdTIt150iLdddNhfZ0NEQ5PnIvSI0NnBwAAOhX+f//QYvHSYvUTGnADCIAAEmLzuh0BwAASI0NmxwAAOg2+f//6wW/VwAHgESJPv8Vbhg
AAE2LxDPSSIvI/xVwGAAASIXbdBT/FVUYAABMi8Mz0kiLyP8VVxgAAEiLRe9IhcB0BYtNp4kIi8dIi00PSDPM6NMDAABIgcSYAAAAQV9BXkF
AAE2LxDPSSIvI/xVwGAAASIXbdBT/FVUYAABMi8Mz0kiLyP8VVxgAAEiLRe9IhcB0BYtNp4kIi8dIi00PSDPM6NMDAABIgcSYAAAAQV9BXkF
dQVxfXltdw8zMzMzMzMxIi8RIiVgISIloEEiJcBhXQVZBV0iD7DCDYNgATYvxSYv4TI1I2EiL8kyL+UUzwDPSuaYAAAD/FWwYAACL2D0EAAD
AdAkPuusc6dkAAACDfCQgFHMKuwVAAIDpyAAAAItcJCD/FacXAABEi8O6CAAAAEiLyP8VnhcAAEiL6EiFwHUKuw4AB4DpmwAAAESLRCQgRTP
JSIvQuaYAAAD/FQYYAACL2IXAeQYPuusc6zdIjQ2TGwAA6A74//+LVCQgSIvN6A73//9IjQ2LGwAA6Pb3//9Mi81Mi8dIi9ZJi8/ovfj//4v
YSIt8JHCLdCQgSIX/dBk5N3IVTYX2dBBEi8ZIi9VJi87o8AUAAOsFu1cAB4CJN/8V9xYAAEyLxTPSSIvI/xX5FgAASItsJFiLw0iLXCRQSIt
0JGBIg8QwQV9BXl/DzMzMzMzMSIlcJAhXSIPsIIP6AXU8SI0VmhcAAEiNDYsXAADoaAMAAIXAdAczwOmjAAAASI0VbBcAAEiNDV0XAADoVgM
AAP8FKiUAAOmAAAAAhdJ1fDkVUyUAAHRtSIsNGiUAAOgxAgAASIsNFiUAAEiL+OgiAgAASI1Y+OsXSIsL6BQCAABIhcB0Bv8VBRcAAEiD6wh
IO99z5IM9DSUAAAR2FP8VJRYAAEyLxzPSSIvI/xUnFgAA6O4BAABIiQXDJAAASIkFtCQAAIMlpSQAAAC4AQAAAEiLXCQwSIPEIF/DzMzMzMz
MzMzMzMzMzMzMzMzMzMzMSIlcJAhIiXQkEFdIg+wgSYv4i9pIi/GD+gF1BeijAQAATIvHi9NIi85Ii1wkMEiLdCQ4SIPEIF/pBwAAAMzMzMz
MzMxMiUQkGIlUJBBIiUwkCFNWV0iB7JAAAACL+kiL8cdEJCABAAAAhdJ1EzkVDSQAAHULM9uJXCQg6d8AAACNQv+D+AF3MkyLhCTAAAAA6Hv
+//+L2IlEJCDrFTPbiVwkIIu8JLgAAABIi7QksAAAAIXbD4SlAAAATIuEJMAAAACL10iLzujoAQAAi9iJRCQg6xUz24lcJCCLvCS4AAAASIu
0JLAAAACD/wF1SIXbdURFM8Az0kiLzui1AQAA6xOLvCS4AAAASIu0JLAAAACLXCQgRTPAM9JIi87o7/3//+sTi7wkuAAAAEiLtCSwAAAAi1w
kIIX/dAWD/wN1IEyLhCTAAAAAi9dIi87ov/3//4vYiUQkIOsGM9uJXCQgi8NIgcSQAAAAX15bw8zMzMzMzMzMzMxmZg8fhAAAAAAASDsN6SI
AAHUQSMHBEGb3wf//dQHDSMHJEOmSAQAAzMzMzMzMSP8ltRQAAMzMzMzMzMzMzDPJSP8lmxQAAMzMzMzMzMxIiVwkIFVIi+xIg+wgSINlGAB
IuzKi3y2ZKwAASIsFiSIAAEg7ww+FjwAAAEiNTRj/FU4UAABIi0UYSIlFEP8VABQAAIvASDFFEP8V/BMAAIvASDFFEP8VIBQAAIvASMHgGEg
xRRD/FRAUAACLwEiNTRBIM0UQSDPBSI1NIEiJRRD/FeUTAACLRSBIuf///////wAASMHgIEgzRSBIM0UQSCPBSLkzot8tmSsAAEg7w0gPRMF
IiQXxIQAASItcJEhI99BIiQXqIQAASIPEIF3DzMzMzMzM/yXYEgAAzMzMzMzM/yXEEgAAzMzMzMzMzMxIg+wog/oBdQb/FTUTAAC4AQAAAEi
DxCjDzMzMzMzMzMzMzMzMzMzMzMzMzMIAAMzMzMzMzMzMzEBTSIPsIEiL2TPJ/xWTEgAASIvL/xWCEgAA/xUUEwAASIvIugkEAMBIg8QgW0j
/JfgSAADMzMzMzMzMzMzMzMzMzMzMSIlMJAhIgeyIAAAASI0NHSIAAP8VLxMAAEiLBQgjAABIiUQkSEUzwEiNVCRQSItMJEj/FSATAABIiUQ
kQEiDfCRAAHRCSMdEJDgAAAAASI1EJFhIiUQkMEiNRCRgSIlEJChIjQXHIQAASIlEJCBMi0wkQEyLRCRISItUJFAzyf8VyxIAAOsjSIsFOiI
AAEiLAEiJBZAiAABIiwUpIgAASIPACEiJBR4iAABIiwV3IgAASIkF6CAAAEiLhCSQAAAASIkF6SEAAMcFvyAAAAkEAMDHBbkgAAABAAAAxwX
DIAAAAwAAALgIAAAASGvAAEiNDbsgAABIxwQBAgAAALgIAAAASGvAAUiNDaMgAABIixUsIAAASIkUAbgIAAAASGvAAkiNDYggAABIixUZIAA
ASIkUAbgIAAAASGvAAEiLDf0fAABIiUwEaLgIAAAASGvAAUiLDfAfAABIiUwEaEiNDdwPAADoU/7//0iBxIgAAADDzMzMzMzMzMzMzMzMzMz
MzMzMzMzM/yWUEAAAzMzMzMzM/yWQEAAAzMzMzMzM/yWMEAAAzMzMzMzMzMxIg+woTYtBOEiLykmL0egRAAAAuAEAAABIg8Qow8zMzMzMzMx
AU0WLGEiL2kGD4/hMi8lB9gAETIvRdBNBi0AITWNQBPfYTAPRSGPITCPRSWPDSosUEEiLQxCLSAhIA0sI9kEDD3QMD7ZBA4Pg8EiYTAPITDP
KSYvJW+kl/P//zMzMzMzMzMzMzMxmZg8fhAAAAAAA/+DMzMzMzMxAVUiD7CBIi+pIiU04SIsBixCJVSRIiU1AM8BIg8QgXcPMQFVIg+wgSIv
qSIlNSEiLAYsQiVUoSIlNUDPASIPEIF3DzEBVSIPsIEiL6kiJTVhIiwGLEIlVLEiJTWAzwEiDxCBdw8xAVUiD7CBIi+pIiU1oSIsBixCJVTB
IiU1wM8BIg8QgXcPMQFVIg+wgSIvqSIlNeEiLAYsQiVU0SImNgAAAADPASIPEIF3DzEBVSIPsIEiL6kiDxCBdw8wAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBAAIABAAAA8EAAgAEAAADQAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAgAEAAAAAAAAAAAA
AAAAAAAAAAAAAKDIAgAEAAAAwMgCAAQAAAFgyAIABAAAABQAAAAAAAAAANQEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAeD4AAAAAAABkPwAAAAAAAG4/AAAAAAAAAAAAAAAAAADOOwAAAAAAAMA7AAAAAAAAAAAAAAAAAAA
QPQAAAAAAACw9AAAAAAAA6j4AAAAAAAAAAAAAAAAAAPo+AAAAAAAA2D4AAAAAAADMPgAAAAAAAAAAAAAAAAAACD8AAAAAAAAAAAAAAAAAAFI
8AAAAAAAAFj8AAAAAAABGPAAAAAAAAAAAAAAAAAAA9DwAAAAAAAAAAAAAAAAAAJ48AAAAAAAAtDwAAAAAAABePQAAAAAAAEo9AAAAAAAAAAA
AAAAAAACEPAAAAAAAAAAAAAAAAAAA5DwAAAAAAADKPAAAAAAAAAAAAAAAAAAAZDwAAAAAAAB0PAAAAAAAAAAAAAAAAAAAsD4AAAAAAAD6OwA
AAAAAACg8AAAAAAAADjwAAAAAAAAAAAAAAAAAAHAeAIABAAAAACEAgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQAAA
gEQAAkBsAAHAeAADAHgAAAAAAAC5caHN0aXRyYWNlLmxvZwAgUHJvdmlkZXJFcnJvcjoAOlByb3ZpZGVyRXJyb3IgAERldGVybWluaW5nIEN
vdW50LiAAAAAAAAAAAAAAAAAAICEhISBFcnJvciBidWZmZXIgZmFpbGVkIGFsbG9jYXRpb24gISEhIAAAAAAAAAAARGV0ZXJtaW5lIFNlY3V
yaXR5RmVhdHVyZXNTaXplLiAAAAAAAAAAAExvb3AuLi4gAAAAAAAAAAAAAAAAAAAAACBVbnN1cHBvcnRlZCBBSVAgaWdub3JlZCAAAAAAAAA
AICEhISBVRUZJIFByb3RvY29sIEVycm9yIERldGVjdGVkICEhISAAADpJRCAAAAAAIElEOgAAAAA6RVJST1IgACBFUlJPUjoAOlJPTEUgAAA
gUk9MRToAAAAAAAAAAAAAOnNlY3VyaXR5RmVhdHVyZXNTaXplIAAAAAAAAAAAAAAgc2VjdXJpdHlGZWF0dXJlc1NpemU6AAAAAAAAAAAAACA
hISEgRXJyb3IgZGV0ZWN0ZWQsIGJhaWxpbmcgb3V0ICEhISAAAAAAAAAAAAAAAFZlcmlmaWVkIGJ1ZmZlciBhbGxvY2F0aW9uIGZhaWxlZC4
AAAAAAAAAAAAAAAAAAExvb3Bpbmcgb24gcHJvdmlkZXJzIHRvIGFjY3VtdWxhdGUgaW1wbGVtZW50ZWQgYW5kIHZlcmlmaWVkLgAAAABDb21
wYXJpbmcgcmVxdWlyZWQgYnl0ZSB0byB2ZXJpZmllZC4uLgAAOlZFUklGSUVEIAAAAAAAACBWRVJJRklFRDoAAAAAAAA6UkVRVUlSRUQgAAA
AAAAAIFJFUVVJUkVEOgAAAAAAAAAAAAAAAAAAISEhIHZlcmlmaWVkIGJ5dGUgZG9lcyBub3QgbWF0Y2ggcmVxdWlyZWQgISEhAAAAQ0xFQU5
VUCAAAAAAAAAAADpPVkVSQUxMAAAAAAAAAABPVkVSQUxMOgAAAAAAAAAAUHJvdmlkZXIgRXJyb3JzIGNvcHkgc3RhcnQAAAAAAABQcm92aWR
lciBFcnJvcnMgY29weSBlbmQAAAAAAAAAAEJMT0IgU3RhcnQ6AAAAAAA6QkxPQiBFbmQgIAAAAAAAAAAAAGt3EVgAAAAAAgAAACUAAAD4NQA
A+BsAAAAAAABrdxFYAAAAAA0AAACgAQAAIDYAACAcAABSU0RT1J4Ttoijw0G4zY0uYG3g7wEAAABIc3RpVGVzdC5wZGIAAAAAR0NUTAAQAAD
wEAAALnRleHQkbW4AAAAA8CAAABIAAAAudGV4dCRtbiQwMAACIQAAwwAAAC50ZXh0JHgAADAAAOAAAAAucmRhdGEkYnJjAADgMAAASAEAAC5
pZGF0YSQ1AAAAACgyAAAQAAAALjAwY2ZnAAA4MgAACAAAAC5DUlQkWENBAAAAAEAyAAAIAAAALkNSVCRYQ1oAAAAASDIAAAgAAAAuQ1JUJFh
JQQAAAABQMgAACAAAAC5DUlQkWElaAAAAAFgyAAAYAAAALmNmZ3VhcmQAAAAAcDIAAIgDAAAucmRhdGEAAPg1AADIAQAALnJkYXRhJHp6emR
iZwAAAMA3AABQAQAALnhkYXRhAAAQOQAAZAAAAC5lZGF0YQAAdDkAAPAAAAAuaWRhdGEkMgAAAABkOgAAFAAAAC5pZGF0YSQzAAAAAHg6AAB
IAQAALmlkYXRhJDQAAAAAwDsAALgDAAAuaWRhdGEkNgAAAAAAQAAAEAAAAC5kYXRhAAAAEEAAALAFAAAuYnNzAAAAAABQAAAgAQAALnBkYXR
hAAABEwgAEzQMABNSDPAK4AhwB2AGUBkkBwASZDMAEjQyABIBLgALcAAAbCAAAGABAAABBAEABEIAAAEPBgAPZAcADzQGAA8yC3ABCAEACEI
AABknCgAZARMADfAL4AnQB8AFcARgAzACUGwgAACIAAAAARgKABhkDAAYVAsAGDQKABhSFPAS4BBwGRgFABgBEgARcBBgDzAAAEYgAAAGAAA
AGBwAAC0cAAAIIQAALRwAAEocAABkHAAAKiEAAGQcAACCHAAAkRwAAEwhAACRHAAApBwAALMcAABuIQAAsxwAAM8cAADpHAAAkCEAAOkcAAD
5GwAA7xwAALUhAAAAAAAAAQYCAAYyAlABCgQACjQGAAoyBnAAAAAAAQAAAAENBAANNAkADTIGUAEGAgAGMgIwAQwCAAwBEQABAAAAAQIBAAI
wAAAAAAAAAAAAAAAAAAAAAAAAd24RWAAAAABMOQAAAQAAAAIAAAACAAAAODkAAEA5AABIOQAAEBAAACARAABZOQAAYzkAAAAAAQBIU1RJVEV
TVC5kbGwAUXVlcnlIU1RJAFF1ZXJ5SFNUSWRldGFpbHMAmDoAAAAAAAAAAAAA2jsAAAAxAACYOwAAAAAAAAAAAAA8PAAAADIAAAA7AAAAAAA
AAAAAAHI9AABoMQAAgDsAAAAAAAAAAAAAkj0AAOgxAABYOwAAAAAAAAAAAACyPQAAwDEAADA7AAAAAAAAAAAAANY9AACYMQAAaDsAAAAAAAA
AAAAAAD4AANAxAAAgOwAAAAAAAAAAAAAkPgAAiDEAALA6AAAAAAAAAAAAAE4+AAAYMQAAeDoAAAAAAAAAAAAAkD4AAOAwAADQOgAAAAAAAAA
AAAAiPwAAODEAAPA6AAAAAAAAAAAAAEI/AABYMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4PgAAAAAAAGQ/AAAAAAAAbj8AAAAAAAAAAAAAAAA
AAM47AAAAAAAAwDsAAAAAAAAAAAAAAAAAABA9AAAAAAAALD0AAAAAAADqPgAAAAAAAAAAAAAAAAAA+j4AAAAAAADYPgAAAAAAAMw+AAAAAAA
AAAAAAAAAAAAIPwAAAAAAAAAAAAAAAAAAUjwAAAAAAAAWPwAAAAAAAEY8AAAAAAAAAAAAAAAAAAD0PAAAAAAAAAAAAAAAAAAAnjwAAAAAAAC
0PAAAAAAAAF49AAAAAAAASj0AAAAAAAAAAAAAAAAAAIQ8AAAAAAAAAAAAAAAAAADkPAAAAAAAAMo8AAAAAAAAAAAAAAAAAABkPAAAAAAAAHQ
8AAAAAAAAAAAAAAAAAACwPgAAAAAAAPo7AAAAAAAAKDwAAAAAAAAOPAAAAAAAAAAAAAAAAAAABwBfaW5pdHRlcm1fZQAGAF9pbml0dGVybQB
hcGktbXMtd2luLWNvcmUtY3J0LWwyLTEtMC5kbGwAANACUnRsQ2FwdHVyZUNvbnRleHQAjQRSdGxMb29rdXBGdW5jdGlvbkVudHJ5AAC3BVJ
0bFZpcnR1YWxVbndpbmQAAG50ZGxsLmRsbAAGAEhlYXBGcmVlAAAAAEdldFByb2Nlc3NIZWFwAAAEAEVuY29kZVBvaW50ZXIAAQBEZWNvZGV
Qb2ludGVyAAAAUXVlcnlQZXJmb3JtYW5jZUNvdW50ZXIADQBHZXRDdXJyZW50UHJvY2Vzc0lkABEAR2V0Q3VycmVudFRocmVhZElkAAAUAEd
ldFN5c3RlbVRpbWVBc0ZpbGVUaW1lABgAR2V0VGlja0NvdW50AAABAERpc2FibGVUaHJlYWRMaWJyYXJ5Q2FsbHMAEQBVbmhhbmRsZWRFeGN
ldFN5c3RlbVRpbWVBc0ZpbGVUaW1lABgAR2V0VGlja0NvdW50AAABAERpc2FibGVUaHJlYWRMaWJyYXJ5Q2FsbHMAEQBVbmhhbmRsZWRFeGN
lcHRpb25GaWx0ZXIAAA8AU2V0VW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAAwAR2V0Q3VycmVudFByb2Nlc3MATQBUZXJtaW5hdGVQcm9jZXN
zAABhcGktbXMtd2luLWNvcmUtaGVhcC1sMS0yLTAuZGxsAGFwaS1tcy13aW4tY29yZS11dGlsLWwxLTEtMC5kbGwAYXBpLW1zLXdpbi1jb3J
lLXByb2ZpbGUtbDEtMS0wLmRsbAAAYXBpLW1zLXdpbi1jb3JlLXByb2Nlc3N0aHJlYWRzLWwxLTEtMi5kbGwAYXBpLW1zLXdpbi1jb3JlLXN
5c2luZm8tbDEtMi0xLmRsbAAAYXBpLW1zLXdpbi1jb3JlLWxpYnJhcnlsb2FkZXItbDEtMi0wLmRsbAAAYXBpLW1zLXdpbi1jb3JlLWVycm9
yaGFuZGxpbmctbDEtMS0xLmRsbAAAAABfX0Nfc3BlY2lmaWNfaGFuZGxlcgAAYXBpLW1zLXdpbi1jb3JlLWNydC1sMS0xLTAuZGxsAADbAU5
0UXVlcnlTeXN0ZW1JbmZvcm1hdGlvbgAAWQBXcml0ZUZpbGUAUwBTZXRGaWxlUG9pbnRlcgAABQBHZXRMYXN0RXJyb3IAAAUAQ3JlYXRlRml
sZUEAAABDbG9zZUhhbmRsZQACAEhlYXBBbGxvYwBhcGktbXMtd2luLWNvcmUtZmlsZS1sMS0yLTEuZGxsAGFwaS1tcy13aW4tY29yZS1oYW5
kbGUtbDEtMS0wLmRsbAAzAG1lbWNweQAANwBtZW1zZXQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAyot8tmSsAAM1dINJm1P//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQAAAXEQAAwDcAACwRAAAaEgAA1DcAACASAABwEgAA8DcAAHgSAAC2EgAA+Dc
AALwSAADyEgAACDgAAPgSAABRGQAAEDgAAFgZAACaGgAAMDgAAKAaAAB7GwAAyDgAAJAbAADNGwAA+DcAANQbAAD8HAAASDgAABAdAAAuHQA
A2DgAAFQdAAAkHgAA3DgAAEQeAABdHgAA8DcAAHweAACwHgAA6DgAAMAeAAAxIAAA8DgAAGwgAACJIAAA8DcAAJAgAADrIAAA/DgAAAAhAAA
CIQAA+DgAAAghAAAqIQAAwDgAACohAABMIQAAwDgAAEwhAABuIQAAwDgAAG4hAACQIQAAwDgAAJAhAAC1IQAAwDgAALUhAADFIQAAwDgAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAABgAAAAAoAigaKCAoIigkKA
oojCiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA="
function Log($message)
{
$message | Out-File $LogFile -Append -Force
}
function LogAndConsole($message)
{
Write-Host $message
Log $message
}
function LogAndConsoleWarning($message)
{
Write-Host $message -foregroundcolor "Yellow"
Log $message
}
function LogAndConsoleSuccess($message)
{
Write-Host $message -foregroundcolor "Green"
Log $message
}
function LogAndConsoleError($message)
{
Write-Host $message -foregroundcolor "Red"
Log $message
}
function CheckExemption($_ModName)
{
$mod1 = Get-ChildItem $Sys32Path $_ModName
$mod2 = Get-ChildItem $DriverPath $_ModName
if($mod1)
{
Log "NonDriver module" + $mod1.FullName
return IsExempted($mod1)
}
elseif($mod2)
{
Log "Driver Module" + $mod2.FullName
return IsExempted($mod2)
}
$FailingStat = ""
foreach( $stat in $stats)
{
$_t =$stat.Split(":")
if($_t.Count -eq 2 -and $_t[1].trim() -ne "0")
{
$Result = "FAIL"
$FailingStat = $stat
break
}
}
if($Result.Contains("PASS"))
{
$CompatibleModules.AppendLine($_ModName.Trim()) | Out-Null
}
elseif($FailingStat.Trim().Contains("execute-write"))
{
$FailingExecuteWriteCheck.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " +
$FailingStat.Trim() ) | Out-Null
}
else
{
$FailingModules.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) |
Out-Null
}
Log "Result: " $Result
}
function ListDrivers($str)
{
$_tempStr= $str
$separator = "module:",""
$option = [System.StringSplitOptions]::RemoveEmptyEntries
$index1 = $_tempStr.IndexOf("MODULE:".ToLower())
if($index1 -lt 0)
{
return
}
$_tempStr = $_tempStr.Substring($Index1)
$_SplitStr = $_tempStr.Split($separator,$option)
Log $_SplitStr.Count
LogAndConsole "Verifying each module please wait ... "
foreach($ModuleDetail in $_Splitstr)
{
#LogAndConsole $Module
$Index2 = $ModuleDetail.IndexOf("(")
if($Index2 -eq -1)
{
"Skipping .."
continue
}
$ModName = $ModuleDetail.Substring(0,$Index2-1)
Log "Driver: " $ModName
Log "Processing module: " $ModName
ListCIStats $ModName $ModuleDetail
}
$DriverScanCompletedMessage = "Completed scan. List of Compatible Modules can be found at " + $LogFile
LogAndConsole $DriverScanCompletedMessage
LogAndConsoleError $FailingExecuteWriteCheck.ToString()
if($HLK)
{
LogAndConsoleError $FailingModules.ToString()
}
else
{
LogAndConsoleWarning $FailingModules.ToString()
}
if($FailingModules.Length -ne 0 -or $FailingExecuteWriteCheck.Length -ne 0 )
{
if($HLK)
{
$DGVerifyCrit.AppendLine($WarningMessage) | Out-Null
}
else
{
$DGVerifyWarn.AppendLine($WarningMessage) | Out-Null
}
}
}
else
{
LogAndConsoleSuccess "No Incompatible Drivers found"
}
}
function ListSummary()
{
if($DGVerifyCrit.Length -ne 0 )
{
LogAndConsoleError "Machine is not Device Guard / Credential Guard compatible because of the
following:"
LogAndConsoleError $DGVerifyCrit.ToString()
LogAndConsoleWarning $DGVerifyWarn.ToString()
if(!$HVCI -and !$DG)
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\"
/v "CG_Capable" /t REG_DWORD /d 0 /f '
}
if(!$CG)
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\"
/v "DG_Capable" /t REG_DWORD /d 0 /f '
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\"
/v "HVCI_Capable" /t REG_DWORD /d 0 /f '
}
}
elseif ($DGVerifyWarn.Length -ne 0 )
{
LogAndConsoleSuccess "Device Guard / Credential Guard can be enabled on this machine.`n"
LogAndConsoleWarning "The following additional qualifications, if present, can enhance the security
of Device Guard / Credential Guard on this system:"
LogAndConsoleWarning $DGVerifyWarn.ToString()
if(!$HVCI -and !$DG)
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\"
/v "CG_Capable" /t REG_DWORD /d 1 /f '
}
if(!$CG)
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\"
/v "DG_Capable" /t REG_DWORD /d 1 /f '
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\"
/v "HVCI_Capable" /t REG_DWORD /d 1 /f '
}
}
else
{
LogAndConsoleSuccess "Machine is Device Guard / Credential Guard Ready.`n"
if(!$HVCI -and !$DG)
if(!$HVCI -and !$DG)
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\"
/v "CG_Capable" /t REG_DWORD /d 2 /f '
}
if(!$CG)
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\"
/v "DG_Capable" /t REG_DWORD /d 2 /f '
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\"
/v "HVCI_Capable" /t REG_DWORD /d 2 /f '
}
}
}
function Instantiate-Kernel32 {
try
{
Add-Type -TypeDefinition @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
"@
}
catch
{
Log $_.Exception.Message
LogAndConsole "Instantiate-Kernel32 failed"
}
}
function Instantiate-HSTI {
try
{
Add-Type -TypeDefinition @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Net;
[FlagsAttribute]
public enum HstiProviderErrors : int
{
None = 0x00000000,
VersionMismatch = 0x00000001,
RoleUnknown = 0x00000002,
RoleDuplicated = 0x00000004,
SecurityFeatureSizeMismatch = 0x00000008,
SizeTooSmall = 0x00000010,
VerifiedMoreThanImplemented = 0x00000020,
VerifiedNotMatchImplemented = 0x00000040
}
[FlagsAttribute]
public enum HstiOverallError : int
{
None = 0x00000000,
RoleTooManyPlatformReference = 0x00000001,
RoleTooManyIbv = 0x00000002,
RoleTooManyOem = 0x00000004,
RoleTooManyOdm = 0x00000008,
RoleMissingPlatformReference = 0x00000010,
VerifiedIncomplete = 0x00000020,
ProtocolErrors = 0x00000040,
BlobVersionMismatch = 0x00000080,
PlatformSecurityVersionMismatch = 0x00000100,
ProviderError = 0x00000200
}
}
"@
$LibHandle = [Kernel32]::LoadLibrary("C:\Windows\System32\hstitest.dll")
$FuncHandle = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTIdetails")
$FuncHandle2 = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTI")
if ([System.IntPtr]::Size -eq 8)
{
#assuming 64 bit
Log "`nKernel32::LoadLibrary 64bit --> 0x$("{0:X16}" -f $LibHandle.ToInt64())"
Log "HstiTest2::QueryHSTIdetails 64bit --> 0x$("{0:X16}" -f $FuncHandle.ToInt64())"
}
else
{
return
}
$overallError = New-Object HstiTest3+HstiOverallError
$providerErrorDupleCount = New-Object int
$blobByteSize = New-Object int
$hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $null, [ref] $providerErrorDupleCount,
$null, [ref] $blobByteSize)
}
catch
{
LogAndConsoleError $_.Exception.Message
LogAndConsoleError "Instantiate-HSTI failed"
}
}
function CheckDGRunning($_val)
{
$DGObj = Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard
for($i=0; $i -lt $DGObj.SecurityServicesRunning.length; $i++)
{
if($DGObj.SecurityServicesRunning[$i] -eq $_val)
{
return 1
}
}
return 0
}
function CheckDGFeatures($_val)
{
$DGObj = Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard
Log "DG_obj $DG_obj"
Log "DG_obj.AvailableSecurityProperties.length $DG_obj.AvailableSecurityProperties.length"
for($i=0; $i -lt $DGObj.AvailableSecurityProperties.length; $i++)
{
if($DGObj.AvailableSecurityProperties[$i] -eq $_val)
{
return 1
}
}
return 0
}
}
function PrintConfigCIDetails($_ConfigCIState)
{
$_ConfigCIRunning = "Config-CI is enabled and running."
$_ConfigCIDisabled = "Config-CI is not running."
$_ConfigCIMode = "Not Enabled"
switch ($_ConfigCIState)
{
0 { $_ConfigCIMode = "Not Enabled" }
1 { $_ConfigCIMode = "Audit mode" }
2 { $_ConfigCIMode = "Enforced mode" }
default { $_ConfigCIMode = "Not Enabled" }
}
if($_ConfigCIState -ge 1)
{
LogAndConsoleSuccess "$_ConfigCIRunning ($_ConfigCIMode)"
}
else
{
LogAndConsoleWarning "$_ConfigCIDisabled ($_ConfigCIMode)"
}
}
function PrintHVCIDetails($_HVCIState)
{
$_HvciRunning = "HVCI is enabled and running."
$_HvciDisabled = "HVCI is not running."
if($_HVCIState)
{
LogAndConsoleSuccess $_HvciRunning
}
else
{
LogAndConsoleWarning $_HvciDisabled
}
}
if($_CGState)
{
LogAndConsoleSuccess $_CGRunning
}
else
{
LogAndConsoleWarning $_CGDisabled
}
}
if(![IO.Directory]::Exists($path))
{
New-Item -ItemType directory -Path $path
}
else
{
#Do Nothing!!
}
function IsRedstone
{
$_osVersion = [environment]::OSVersion.Version
Log $_osVersion
#Check if build Major is Windows 10
if($_osVersion.Major -lt 10)
if($_osVersion.Major -lt 10)
{
return 0
}
#Check if the build is post Threshold2 (1511 release) => Redstone
if($_osVersion.Build -gt 10586)
{
return 1
}
#default return False
return 0
}
function ExecuteCommandAndLog($_cmd)
{
try
{
Log "Executing: $_cmd"
$CmdOutput = Invoke-Expression $_cmd | Out-String
Log "Output: $CmdOutput"
}
catch
{
Log "Exception while exectuing $_cmd"
Log $_.Exception.Message
}
function PrintRebootWarning
{
LogAndConsoleWarning "Please reboot the machine, for settings to be applied."
}
function AutoRebootHelper
{
if($AutoReboot)
{
LogAndConsole "PC will restart in 30 seconds"
ExecuteCommandAndLog 'shutdown /r /t 30'
}
else
{
PrintRebootWarning
}
function VerifierReset
{
$verifier_state = verifier /query | Out-String
if(!$verifier_state.ToString().Contains("No drivers are currently verified."))
{
ExecuteCommandAndLog 'verifier.exe /reset'
}
AutoRebootHelper
}
function PrintHardwareReq
{
LogAndConsole "###########################################################################"
LogAndConsole "OS and Hardware requirements for enabling Device Guard and Credential Guard"
LogAndConsole " 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education and
Enterprise IoT"
LogAndConsole " 2. Hardware: Recent hardware that supports virtualization extension with SLAT"
LogAndConsole "To learn more please visit: https://aka.ms/dgwhcr"
LogAndConsole "########################################################################### `n"
}
function CheckDriverCompat
{
$_HVCIState = CheckDGRunning(2)
if($_HVCIState)
{
LogAndConsoleWarning "HVCI is already enabled on this machine, driver compat list might not be
complete."
LogAndConsoleWarning "Please disable HVCI and run the script again..."
}
$verifier_state = verifier /query | Out-String
if($verifier_state.ToString().Contains("No drivers are currently verified."))
{
LogAndConsole "Enabling Driver verifier"
verifier.exe /flags 0x02000000 /all /bootmode oneboot /log.code_integrity
# For running HLK tests only, professional SKU's are marked as supported.
if($HLK)
{
if($osname.ToString().Contains($HLKAllowed.ToLower()))
{
$_SKUSupported = 1
}
}
$_isDomainController = IsDomainController
if($_SKUSupported)
{
LogAndConsoleSuccess "This PC edition is Supported for DeviceGuard";
if(($_isDomainController -eq 1) -and !$HVCI -and !$DG)
{
LogAndConsoleError "This PC is configured as a Domain Controller, Credential Guard is not
supported on DC."
}
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v
"OSSKU" /t REG_DWORD /d 2 /f '
}
else
{
LogAndConsoleError "This PC edition is Unsupported for Device Guard"
$DGVerifyCrit.AppendLine("OS SKU unsupported") | Out-Null
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v
"OSSKU" /t REG_DWORD /d 0 /f '
}
}
function CheckOSArchitecture
{
$OSArch = $(Get-WmiObject win32_operatingsystem).OSArchitecture.ToLower()
Log $OSArch
if($OSArch -match ("^64\-?\s?bit"))
{
LogAndConsoleSuccess "64 bit architecture"
}
elseif($OSArch -match ("^32\-?\s?bit"))
{
LogAndConsoleError "32 bit architecture"
$DGVerifyCrit.AppendLine("32 Bit OS, OS Architecture failure.") | Out-Null
}
else
{
LogAndConsoleError "Unknown architecture"
$DGVerifyCrit.AppendLine("Unknown OS, OS Architecture failure.") | Out-Null
}
}
function CheckSecureBootState
{
$_secureBoot = Confirm-SecureBootUEFI
Log $_secureBoot
Log $_secureBoot
if($_secureBoot)
{
LogAndConsoleSuccess "Secure Boot is present"
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v
"SecureBoot" /t REG_DWORD /d 2 /f '
}
else
{
LogAndConsoleError "Secure Boot is absent / not enabled."
LogAndConsoleError "If Secure Boot is supported on the system, enable Secure Boot in the BIOS and
run the script again."
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v
"SecureBoot" /t REG_DWORD /d 0 /f '
$DGVerifyCrit.AppendLine("Secure boot validation failed.") | Out-Null
}
}
function CheckVirtualization
{
$_vmmExtension = $(Get-WMIObject -Class Win32_processor).VMMonitorModeExtensions
$_vmFirmwareExtension = $(Get-WMIObject -Class Win32_processor).VirtualizationFirmwareEnabled
$_vmHyperVPresent = (Get-CimInstance -Class Win32_ComputerSystem).HypervisorPresent
Log "VMMonitorModeExtensions $_vmmExtension"
Log "VirtualizationFirmwareEnabled $_vmFirmwareExtension"
Log "HyperVisorPresent $_vmHyperVPresent"
function CheckTPM
{
$TPMLockout = $(get-tpm).LockoutCount
if($TPMLockout)
{
function CheckSecureMOR
{
$isSecureMOR = CheckDGFeatures(4)
Log "isSecureMOR= $isSecureMOR "
if($isSecureMOR -eq 1)
{
LogAndConsoleSuccess "Secure MOR is available"
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v
"SecureMOR" /t REG_DWORD /d 2 /f '
}
else
{
$WarningMsg = "Secure MOR is absent"
if($HLK)
{
LogAndConsoleError $WarningMsg
$DGVerifyCrit.AppendLine($WarningMsg) | Out-Null
}
else
{
LogAndConsoleWarning $WarningMsg
$DGVerifyWarn.AppendLine($WarningMsg) | Out-Null
}
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v
"SecureMOR" /t REG_DWORD /d 0 /f '
}
}
function CheckNXProtection
{
$isNXProtected = CheckDGFeatures(5)
Log "isNXProtected= $isNXProtected "
if($isNXProtected -eq 1)
{
LogAndConsoleSuccess "NX Protector is available"
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v
"UEFINX" /t REG_DWORD /d 2 /f '
}
else
{
LogAndConsoleWarning "NX Protector is absent"
$DGVerifyWarn.AppendLine("NX Protector is absent") | Out-Null
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v
"UEFINX" /t REG_DWORD /d 0 /f '
}
}
function CheckSMMProtection
function CheckSMMProtection
{
$isSMMMitigated = CheckDGFeatures(6)
Log "isSMMMitigated= $isSMMMitigated "
if($isSMMMitigated -eq 1)
{
LogAndConsoleSuccess "SMM Mitigation is available"
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v
"SMMProtections" /t REG_DWORD /d 2 /f '
}
else
{
LogAndConsoleWarning "SMM Mitigation is absent"
$DGVerifyWarn.AppendLine("SMM Mitigation is absent") | Out-Null
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v
"SMMProtections" /t REG_DWORD /d 0 /f '
}
}
function CheckHSTI
{
LogAndConsole "Copying HSTITest.dll"
try
{
$HSTITest_Decoded = [System.Convert]::FromBase64String($HSTITest_Encoded)
[System.IO.File]::WriteAllBytes("$env:windir\System32\hstitest.dll",$HSTITest_Decoded)
}
catch
{
LogAndConsole $_.Exception.Message
LogAndConsole "Copying and loading HSTITest.dll failed"
}
Instantiate-Kernel32
Instantiate-HSTI
}
function PrintToolVersion
{
LogAndConsole ""
LogAndConsole "###########################################################################"
LogAndConsole ""
LogAndConsole "Readiness Tool Version 3.7.2 Release. `nTool to check if your device is capable to run
Device Guard and Credential Guard."
LogAndConsole ""
LogAndConsole "###########################################################################"
LogAndConsole ""
PrintToolVersion
if(!($Ready) -and !($Capable) -and !($Enable) -and !($Disable) -and !($Clear) -and !($ResetVerifier))
{
#Print Usage if none of the options are specified
LogAndConsoleWarning "How to read the output:"
LogAndConsoleWarning ""
LogAndConsoleWarning " 1. Red Errors: Basic things are missing that will prevent enabling and using
DG/CG"
LogAndConsoleWarning " 2. Yellow Warnings: This device can be used to enable and use DG/CG, but `n
additional security benefits will be absent. To learn more please go through: https://aka.ms/dgwhcr"
LogAndConsoleWarning " 3. Green Messages: This device is fully compliant with DG/CG requirements`n"
LogAndConsoleWarning "###########################################################################"
LogAndConsoleWarning ""
LogAndConsoleWarning "Hardware requirements for enabling Device Guard and Credential Guard"
LogAndConsoleWarning " 1. Hardware: Recent hardware that supports virtualization extension with SLAT"
LogAndConsoleWarning ""
LogAndConsoleWarning "########################################################################### `n"
LogAndConsoleWarning "########################################################################### `n"
LogAndConsoleWarning "To Enable DG/CG. If you have a custom SIPolicy.p7b then use the -Path parameter
else the hardcoded default policy is used"
LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Enable OR DG_Readiness.ps1 -Enable -Path <full path to
the SIPolicy.p7b> `n"
$user = [Security.Principal.WindowsIdentity]::GetCurrent();
$TestForAdmin = (New-Object Security.Principal.WindowsPrincipal
$user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
if(!$TestForAdmin)
{
LogAndConsoleError "This script requires local administrator privileges. Please execute this script as a
local administrator."
exit
}
if($HVCI)
{
Log "_HVCIState: $_HVCIState"
PrintHVCIDetails $_HVCIState
}
elseif($CG)
{
Log "_CGState: $_CGState"
PrintCGDetails $_CGState
if($_CGState)
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\"
/v "CG_Running" /t REG_DWORD /d 1 /f'
}
else
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\"
/v "CG_Running" /t REG_DWORD /d 0 /f'
}
}
elseif($DG)
{
Log "_HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"
PrintHVCIDetails $_HVCIState
PrintConfigCIDetails $_ConfigCIState
PrintCGDetails $_CGState
PrintHVCIDetails $_HVCIState
PrintConfigCIDetails $_ConfigCIState
if(($DGRunning.Length -ge 2) -and ($_CGState) -and ($_HVCIState) -and ($_ConfigCIState -ge 1))
{
LogAndConsoleSuccess "HVCI, Credential Guard, and Config CI are enabled and running."
}
else
{
LogAndConsoleWarning "Not all services are running."
}
}
}
$_isRedstone = IsRedstone
if(!$_isRedstone)
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t
REG_DWORD /d 1 /f'
}
else
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t
REG_DWORD /d 0 /f'
}
try
{
if(!$HVCI -and !$CG)
{
if(!$SIPolicyPath)
{
Log "Writing Decoded SIPolicy.p7b"
$SIPolicy_Decoded = [System.Convert]::FromBase64String($SIPolicy_Encoded)
[System.IO.File]::WriteAllBytes("$env:windir\System32\CodeIntegrity\SIPolicy.p7b",$SIPolicy_Decoded)
}
}
else
{
LogAndConsole "Copying user provided SIpolicy.p7b"
$CmdOutput = Copy-Item $SIPolicyPath "$env:windir\System32\CodeIntegrity\SIPolicy.p7b" |
Out-String
Log $CmdOutput
}
}
}
catch
{
LogAndConsole "Writing SIPolicy.p7b file failed"
}
Log $CmdOutput
if($CmdOutput.Contains("The operation completed successfully."))
{
LogAndConsoleSuccess "Enabling Hyper-V and IOMMU successful"
#Reg key for HLK validation of DISM.EXE step
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v
"HyperVEnabled" /t REG_DWORD /d 1 /f'
}
else
{
LogAndConsoleWarning "Enabling Hyper-V failed please check the log file"
#Reg key for HLK validation of DISM.EXE step
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v
"HyperVEnabled" /t REG_DWORD /d 0 /f'
}
AutoRebootHelper
}
if($Disable)
{
LogAndConsole "Disabling Device Guard and Credential Guard"
LogAndConsole "Deleting RegKeys to disable DG/CG"
$_isRedstone = IsRedstone
if(!$_isRedstone)
{
ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "NoLock" /f'
}
else
{
ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f'
}
if(!$CG)
{
ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v
ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v
"HypervisorEnforcedCodeIntegrity" /f'
if($_isRedstone)
{
ExecuteCommandAndLog 'REG DELETE
"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /f'
}
}
#set of commands to run SecConfig.efi to delete UEFI variables if were set in pre OS
#these steps can be performed even if the UEFI variables were not set - if not set it will lead to
No-Op but this can be run in general always
#this requires a reboot and accepting the prompt in the Pre-OS which is self explanatory in the
message that is displayed in pre-OS
$FreeDrive = ls function:[s-z]: -n | ?{ !(test-path $_) } | random
Log "FreeDrive=$FreeDrive"
ExecuteCommandAndLog 'mountvol $FreeDrive /s'
$CmdOutput = Copy-Item "$env:windir\System32\SecConfig.efi"
$FreeDrive\EFI\Microsoft\Boot\SecConfig.efi -Force | Out-String
LogAndConsole $CmdOutput
ExecuteCommandAndLog 'bcdedit /create "{0cb3b571-2f2e-4343-a879-d86a476d7215}" /d DGOptOut
/application osloader'
ExecuteCommandAndLog 'bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" path
\EFI\Microsoft\Boot\SecConfig.efi'
ExecuteCommandAndLog 'bcdedit /set "{bootmgr}" bootsequence "{0cb3b571-2f2e-4343-a879-
d86a476d7215}"'
ExecuteCommandAndLog 'bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" loadoptions DISABLE-LSA-
ISO,DISABLE-VBS'
ExecuteCommandAndLog 'bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" device
partition=$FreeDrive'
ExecuteCommandAndLog 'mountvol $FreeDrive /d'
#steps complete
#steps complete
}
AutoRebootHelper
}
if($Clear)
{
ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities" /f'
VerifierReset
}
if($ResetVerifier)
{
VerifierReset
}
<# Is machine Device Guard / Cred Guard Capable and Verify #>
if($Capable)
{
PrintHardwareReq
$_isRedstone = IsRedstone
if(!$_isRedstone)
{
LogAndConsoleWarning "Capable is currently fully supported in Redstone only.."
}
$_StepCount = 1
if(!$CG)
{
LogAndConsole " ====================== Step $_StepCount Driver Compat ====================== "
$_StepCount++
CheckDriverCompat
}
LogAndConsole " ====================== Step $_StepCount Secure boot present ====================== "
$_StepCount++
CheckSecureBootState
Applies to
Windows 10
Windows 11
Windows Server 2016
Windows Server 2019
Some ways to store credentials are not protected by Windows Defender Credential Guard, including:
Software that manages credentials outside of Windows feature protection
Local accounts and Microsoft Accounts
Windows Defender Credential Guard does not protect the Active Directory database running on Windows
Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server
2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC,
it will get the same protection as it would when running Windows 10 Enterprise.
Key loggers
Physical attacks
Does not prevent an attacker with malware on the PC from using the privileges associated with any
credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with
access to high value assets in your organization.
Third-party security packages
Digest and CredSSP credentials
When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to
users' logon credentials. This implies no Single Sign-On use for these protocols.
Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters
credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note
that these same credentials are vulnerable to key loggers as well.-
Kerberos service tickets are not protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT)
is.
When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard
protects secrets from attacks inside the VM. However, it does not provide additional protection from
privileged system attacks originating from the host.
Windows logon cached password verifiers (commonly called "cached credentials") do not qualify as
credentials because they cannot be presented to another computer for authentication, and can only be used
locally to verify credentials. They are stored in the registry on the local computer and provide validation for
credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached
logons”, or more specifically, cached domain account information, can be managed using the security policy
setting Interactive logon: Number of previous logons to cache if a domain controller is not available.
See also
Deep Dive into Windows Defender Credential Guard: Related videos
Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection: Manage Credential Guard
NOTE
Note: Requires LinkedIn Learning subscription to view the full video
Considerations when using Windows Defender
Credential Guard
3/3/2022 • 6 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Windows Server 2016
Windows Server 2019
Passwords are still weak. We recommend that in addition to deploying Windows Defender Credential Guard,
organizations move away from passwords to other authentication methods, such as physical smart cards,
virtual smart cards, or Windows Hello for Business.
Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, are not
supported.
Kerberos Considerations
When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained
delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the
isolated LSA process. Use constrained or resource-based Kerberos delegation instead.
Upgrade Considerations
As the depth and breadth of protections provided by Windows Defender Credential Guard are increased,
subsequent releases of Windows 10 with Windows Defender Credential Guard running may impact scenarios
that were working in the past. For example, Windows Defender Credential Guard may block the use of a
particular type of credential or a particular component to prevent malware from taking advantage of
vulnerabilities. Test scenarios required for operations in an organization before upgrading a device using
Windows Defender Credential Guard.
Saved Windows Credentials Protected
Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are
protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of
credentials: Windows credentials, certificate-based credentials, and generic credentials. Generic credentials such
as user names and passwords that you use to log on to websites are not protected since the applications require
your cleartext password. If the application does not need a copy of the password, they can save domain
credentials as Windows credentials that are protected. Windows credentials are used to connect to other
computers on a network. The following considerations apply to the Windows Defender Credential Guard
protections for Credential Manager:
Windows credentials saved by Remote Desktop Client cannot be sent to a remote host. Attempts to use
saved Windows credentials fail, displaying the error message "Logon attempt failed."
Applications that extract Windows credentials fail.
When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the
Windows credentials cannot be restored. If you need to back up your credentials, you must do this before
you enable Windows Defender Credential Guard. Otherwise, you cannot restore those credentials.
WARNING
Clearing the TPM results in loss of protected data for all features that use VBS to protect data.
When a TPM is cleared ALL features, which use VBS to protect data can no longer decrypt their protected data.
As a result Credential Guard can no longer decrypt protected data. VBS creates a new TPM protected key for
Credential Guard. Credential Guard uses the new key to protect new data. However, the previously protected
data is lost forever.
NOTE
Credential Guard obtains the key during initialization. So the data loss will only impact persistent data and occur after the
next system startup.
IMPORTANT
Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain
controllers. This ensures DPAPI functions and the user does not experience strange behavior.
Auto VPN configuration is protected with user DPAPI. User may not be able to use VPN to connect to domain controllers
since the VPN configurations are lost.
If you must clear the TPM on a domain-joined device without connectivity to domain controllers, then you
should consider the following.
Domain user sign-in on a domain-joined device after clearing a TPM for as long as there is no connectivity to a
domain controller:
Certificate (smart card or Windows All All data protected with user DPAPI is
Hello for Business) unusable and user DPAPI does not
work at all.
Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected
prior to clearing the TPM can be decrypted.
Impact of DPAPI failures on Windows Information Protection
When data protected with user DPAPI is unusable, then the user loses access to all work data protected by
Windows Information Protection. The impact includes: Outlook 2016 is unable to start and work protected
documents cannot be opened. If DPAPI is working, then newly created work data is protected and can be
accessed.
Workaround: Users can resolve the problem by connecting their device to the domain and rebooting or using
their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File
System Data Recovery Agent certificate, see Create and verify an Encrypting File System (EFS) Data Recovery
Agent (DRA) certificate.
See also
Related videos
What is virtualization-based security?
Additional mitigations
3/3/2022 • 18 minutes to read • Edit Online
Windows Defender Credential Guard can provide mitigation against attacks on derived credentials and prevent
the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the
derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing
privileges and use of derived credentials directly from a compromised device, re-using previously stolen
credentials prior to Windows Defender Credential Guard, and abuse of management tools and weak application
configurations. Because of this, additional mitigation also must be deployed to make the domain environment
more robust.
NOTE
You must restart the device after enrolling the machine authentication certificate.
.\get-IssuancePolicy.ps1 –LinkedToGroup:All
To link an issuance policy to a universal security group
The set-IssuancePolicyToGroupLink.ps1 creates a Universal security group, creates an organizational unit,
and links the issuance policy to that Universal security group. From a Windows PowerShell command
prompt, run the following command:
NOTE
When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not
have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios.
Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
Appendix: Scripts
Here is a list of scripts mentioned in this topic.
Get the available issuance policies on the certificate authority
Save this script file as get-IssuancePolicy.ps1.
#######################################
## Parameters to be defined ##
## by the user ##
#######################################
Param (
$Identity,
$LinkedToGroup
)
#######################################
## Strings definitions ##
#######################################
Data getIP_strings {
# culture="en-US"
ConvertFrom-StringData -stringdata @'
help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the
currently logged on user is targeted.
help2 = Usage:
help3 = The following parameter is mandatory:
help4 = -LinkedToGroup:<yes|no|all>
help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance
Policies are linked to valid groups.
help6 = "no" will return only Issuance Policies that are not currently linked to any group.
help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance
policies are linked to valid groups.
help8 = The following parameter is optional:
help9 = -Identity:<Name, Distinguished Name or Display Name of the Issuance Policy that you want to
retrieve>. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored.
help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above
parameters.
help11 = Examples:
errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}"
ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security".
ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal".
ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership.
The group has the following members:
LinkedIPs = The following Issuance Policies are linked to groups:
displayName = displayName : {0}
Name = Name : {0}
dn = distinguishedName : {0}
InfoName = Linked Group Name: {0}
InfoDN = Linked Group DN: {0}
NonLinkedIPs = The following Issuance Policies are NOT linked to groups:
'@
}
##Import-LocalizedData getIP_strings
import-module ActiveDirectory
#######################################
## Help ##
#######################################
function Display-Help {
""
$getIP_strings.help1
""
$getIP_strings.help2
""
$getIP_strings.help3
" " + $getIP_strings.help4
" " + $getIP_strings.help5
" " + $getIP_strings.help6
" " + $getIP_strings.help7
""
$getIP_strings.help8
" " + $getIP_strings.help9
""
$getIP_strings.help10
""
""
$getIP_strings.help11
" " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All"
" " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes"
" " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance"""
""
}
$root = get-adrootdse
$domain = get-addomain -current loggedonuser
$configNCDN = [String]$root.configurationNamingContext
if ( !($Identity) -and !($LinkedToGroup) ) {
display-Help
break
}
if ($Identity) {
$OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or
(displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties *
if ($OIDs -eq $null) {
$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity
write-host $errormsg -ForegroundColor Red
}
foreach ($OID in $OIDs) {
if ($OID."msDS-OIDToGroupLink") {
# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with
the mapping.
$groupDN = $OID."msDS-OIDToGroupLink"
$group = get-adgroup -Identity $groupDN
$groupName = $group.Name
# Analyze the group
if ($group.groupCategory -ne "Security") {
$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName
write-host $errormsg -ForegroundColor Red
}
if ($group.groupScope -ne "Universal") {
$errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName
write-host $errormsg -ForegroundColor Red
}
$members = Get-ADGroupMember -Identity $group
if ($members) {
$errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName
write-host $errormsg -ForegroundColor Red
foreach ($member in $members) {
write-host " " $member -ForeGroundColor Red
}
}
}
}
return $OIDs
break
}
if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) {
$LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))"
$LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
write-host ""
write-host "*****************************************************"
write-host $getIP_strings.LinkedIPs
write-host "*****************************************************"
write-host ""
if ($LinkedOIDs -ne $null){
foreach ($OID in $LinkedOIDs) {
# Display basic information about the Issuance Policies
""
$getIP_strings.displayName -f $OID.displayName
$getIP_strings.Name -f $OID.Name
$getIP_strings.dn -f $OID.distinguishedName
# Get the linked group.
$groupDN = $OID."msDS-OIDToGroupLink"
$group = get-adgroup -Identity $groupDN
$getIP_strings.InfoName -f $group.Name
$getIP_strings.InfoDN -f $groupDN
# Analyze the group
$OIDName = $OID.displayName
$groupName = $group.Name
if ($group.groupCategory -ne "Security") {
$errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName
write-host $errormsg -ForegroundColor Red
}
if ($group.groupScope -ne "Universal") {
$errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName
write-host $errormsg -ForegroundColor Red
}
$members = Get-ADGroupMember -Identity $group
if ($members) {
$errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName
write-host $errormsg -ForegroundColor Red
foreach ($member in $members) {
write-host " " $member -ForeGroundColor Red
}
}
write-host ""
}
}else{
write-host "There are no issuance policies that are mapped to a group"
}
if ($LinkedToGroup -eq "yes") {
return $LinkedOIDs
break
}
}
if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) {
$LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))"
$NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
write-host ""
write-host "*********************************************************"
write-host $getIP_strings.NonLinkedIPs
write-host "*********************************************************"
write-host ""
if ($NonLinkedOIDs -ne $null) {
foreach ($OID in $NonLinkedOIDs) {
# Display basic information about the Issuance Policies
write-host ""
$getIP_strings.displayName -f $OID.displayName
$getIP_strings.Name -f $OID.Name
$getIP_strings.dn -f $OID.distinguishedName
write-host ""
}
}else{
write-host "There are no issuance policies which are not mapped to groups"
}
if ($LinkedToGroup -eq "no") {
return $NonLinkedOIDs
break
}
}
NOTE
If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
#######################################
## Parameters to be defined ##
## by the user ##
#######################################
Param (
$IssuancePolicyName,
$groupOU,
$groupName
)
#######################################
## Strings definitions ##
#######################################
Data ErrorMsg {
# culture="en-US"
ConvertFrom-StringData -stringdata @'
help1 = This command can be used to set the link between a certificate issuance policy and a universal
security group.
help2 = Usage:
help3 = The following parameters are required:
help4 = -IssuancePolicyName:<name or display name of the issuance policy that you want to link to a group>
help5 = -groupName:<name of the group you want to link the issuance policy to>. If no name is specified, any
existing link to a group is removed from the Issuance Policy.
help6 = The following parameter is optional:
help7 = -groupOU:<Name of the Organizational Unit dedicated to the groups which are linked to issuance
policies>. If this parameter is not specified, the group is looked for or created in the Users container.
help8 = Examples:
help9 = This command will link the issuance policy whose display name is "High Assurance" to the group
"HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the
Organizational Unit do not exist, you will be prompted to create them.
help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062"
from any group.
MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of
"{1}"
NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}".
IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1}
MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}".
confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. Do you want to
create it?
OUCreationSuccess = Organizational Unit "{0}" successfully created.
OUcreationError = Error: Organizational Unit "{0}" could not be created.
OUFoundSuccess = Organizational Unit "{0}" was successfully found.
multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}".
confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it?
groupCreationSuccess = Univeral Security group "{0}" successfully created.
groupCreationError = Error: Univeral Security group "{0}" could not be created.
GroupFound = Group "{0}" was successfully found.
confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really
want to remove the link?
UnlinkSuccess = Certificate issuance policy successfully unlinked from any group.
UnlinkError = Removing the link failed.
UnlinkExit = Exiting without removing the link from the issuance policy to the group.
IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it
to a group, you should specify the -groupName option when starting this script.
ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of
type "Security".
ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this
group is not "Universal".
ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty
membership. The group has the following members:
membership. The group has the following members:
ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you
really want to update the link to point to group "{2}"?
LinkSuccess = The certificate issuance policy was successfully linked to the specified group.
LinkError = The certificate issuance policy could not be linked to the specified group.
ExitNoLinkReplacement = Exiting without setting the new link.
'@
}
# import-localizeddata ErrorMsg
function Display-Help {
""
write-host $ErrorMsg.help1
""
write-host $ErrorMsg.help2
""
write-host $ErrorMsg.help3
write-host "`t" $ErrorMsg.help4
write-host "`t" $ErrorMsg.help5
""
write-host $ErrorMsg.help6
write-host "`t" $ErrorMsg.help7
""
""
write-host $ErrorMsg.help8
""
write-host $ErrorMsg.help9
".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU
""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" "
""
write-host $ErrorMsg.help10
'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -
groupName $null '
""
}
# Assumption: The group to which the Issuance Policy is going
# to be linked is (or is going to be created) in
# the domain the user running this script is a member of.
import-module ActiveDirectory
$root = get-adrootdse
$domain = get-addomain -current loggedonuser
if ( !($IssuancePolicyName) ) {
display-Help
break
}
#######################################
## Find the OID object ##
## (aka Issuance Policy) ##
#######################################
$searchBase = [String]$root.configurationnamingcontext
$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq
$IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties *
if ($OID -eq $null) {
$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase
write-host $tmp -ForeGroundColor Red
break;
}
elseif ($OID.GetType().IsArray) {
$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase
write-host $tmp -ForeGroundColor Red
break;
}
else {
$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName
write-host $tmp -ForeGroundColor Green
}
#######################################
## Find the container of the group ##
#######################################
if ($groupOU -eq $null) {
# default to the Users container
$groupContainer = $domain.UsersContainer
}
else {
$searchBase = [string]$domain.DistinguishedName
$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq
"organizationalUnit")}
if ($groupContainer.count -gt 1) {
$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase
write-host $tmp -ForegroundColor Red
break;
}
elseif ($groupContainer -eq $null) {
$tmp = $ErrorMsg.confirmOUcreation
write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
$userChoice = read-host
if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -
ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName
if ($?){
$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU
write-host $tmp -ForegroundColor Green
}
else{
$tmp = $ErrorMsg.OUCreationError -f $groupOU
write-host $tmp -ForeGroundColor Red
break;
}
$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq
"organizationalUnit")}
}
else {
break;
}
}
else {
$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name
write-host $tmp -ForegroundColor Green
}
}
#######################################
## Find the group ##
#######################################
if (($groupName -ne $null) -and ($groupName -ne "")){
##$searchBase = [String]$groupContainer.DistinguishedName
$searchBase = $groupContainer
$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase
$searchBase
if ($group -ne $null -and $group.gettype().isarray) {
$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase
write-host $tmp -ForeGroundColor Red
break;
}
elseif ($group -eq $null) {
$tmp = $ErrorMsg.confirmGroupCreation
write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
$userChoice = read-host
if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -
GroupCategory "Security"
if ($?){
$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName
write-host $tmp -ForegroundColor Green
}else{
$tmp = $ErrorMsg.groupCreationError -f $groupName
write-host $tmp -ForeGroundColor Red
break
}
$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase
$searchBase
}
else {
break;
}
}
else {
$tmp = $ErrorMsg.GroupFound -f $group.Name
write-host $tmp -ForegroundColor Green
}
}
else {
#####
## If the group is not specified, we should remove the link if any exists
#####
if ($OID."msDS-OIDToGroupLink" -ne $null) {
$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink"
write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
$userChoice = read-host
if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink"
if ($?) {
$tmp = $ErrorMsg.UnlinkSuccess
write-host $tmp -ForeGroundColor Green
}else{
$tmp = $ErrorMsg.UnlinkError
write-host $tmp -ForeGroundColor Red
}
}
else {
$tmp = $ErrorMsg.UnlinkExit
write-host $tmp
break
}
}
else {
$tmp = $ErrorMsg.IPNotLinked
write-host $tmp -ForeGroundColor Yellow
}
break;
}
#######################################
## Verify that the group is ##
## Universal, Security, and ##
## has no members ##
#######################################
if ($group.GroupScope -ne "Universal") {
$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName
write-host $tmp -ForeGroundColor Red
break;
}
if ($group.GroupCategory -ne "Security") {
$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName
write-host $tmp -ForeGroundColor Red
break;
}
$members = Get-ADGroupMember -Identity $group
if ($members -ne $null) {
$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName
write-host $tmp -ForeGroundColor Red
foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red}
break;
}
#######################################
## We have verified everything. We ##
## can create the link from the ##
## Issuance Policy to the group. ##
#######################################
if ($OID."msDS-OIDToGroupLink" -ne $null) {
if ($OID."msDS-OIDToGroupLink" -ne $null) {
$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink",
$group.distinguishedName
write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
$userChoice = read-host
if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
set-adobject -Identity $OID -Replace $tmp
if ($?) {
$tmp = $Errormsg.LinkSuccess
write-host $tmp -Foreground Green
}else{
$tmp = $ErrorMsg.LinkError
write-host $tmp -Foreground Red
}
} else {
$tmp = $Errormsg.ExitNoLinkReplacement
write-host $tmp
break
}
}
else {
$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
set-adobject -Identity $OID -Add $tmp
if ($?) {
$tmp = $Errormsg.LinkSuccess
write-host $tmp -Foreground Green
}else{
$tmp = $ErrorMsg.LinkError
write-host $tmp -Foreground Red
}
}
NOTE
If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
Windows Defender Credential Guard: Known issues
3/3/2022 • 4 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Windows Server 2016
Windows Server 2019
Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard
blocks specific authentication capabilities. So applications that require such capabilities won't function when it's
enabled. For more information, see Application requirements.
The following known issue has been fixed in the Cumulative Security Update for November 2017:
Scheduled tasks with domain user-stored credentials fail to run when Credential Guard is enabled. The
task fails and reports Event ID 104 with the following message:
"Task Scheduler failed to log on ‘\Test’.
Failure occurred in ‘LogonUserExEx’.
User Action: Ensure the credentials for the task are correctly specified.
Additional Data: Error Value: 2147943726. 2147943726: ERROR_LOGON_FAILURE (The user name or
password is incorrect)."
When enabling NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username
format is logged. You also get a similar user name in a user logon failure event 4625 with error
0xC0000064 on the machine itself. For example:
This event stems from a scheduled task running under local user context with the Cumulative Security
Update for November 2017 or later and happens when Credential Guard is enabled.
The username appears in an unusual format because local accounts aren’t protected by Credential
Guard. The task also fails to execute.
As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account.
The following known issues have been fixed by servicing releases made available in the Cumulative Security
Updates for April 2017:
KB4015217 Windows Defender Credential Guard generates double bad password count on Active
Directory domain-joined Windows machines
This issue can potentially lead to unexpected account lockouts. See also Microsoft® Knowledge Base
articles KB4015219 and KB4015221
KB4033236 Two incorrect logon attempts sent to Active Directory after Windows Defender Credential
Guard installed on Windows
This issue can potentially lead to unexpected account lockouts. The issue was fixed in servicing updates
for each of the following operating systems:
Windows 10 Version 1607 and Windows Server 2016: KB4015217 (OS Build 14393.1066 and
14393.1083)
Windows 10 Version 1511: KB4015219 (OS Build 10586.873)
Windows 10 Version 1507: KB4015221 (OS Build 10240.17354)
Vendor support
See the following article on Citrix support for Secure Boot:
Citrix Support for Secure Boot
Windows Defender Credential Guard isn't supported by either these products, products versions, computer
systems, or Windows 10 versions:
For Windows Defender Credential Guard on Windows with McAfee Encryption products, see: Support for
Hypervisor-Protected Code Integrity and Windows Defender Credential Guard on Windows with McAfee
encryption products
For Windows Defender Credential Guard on Windows with Check Point Endpoint Security Client, see:
Check Point Endpoint Security Client support for Microsoft Windows Defender Credential Guard and
Hypervisor-Protected Code Integrity features
For Windows Defender Credential Guard on Windows with VMWare Workstation Windows host fails
when running VMWare Workstation when Windows Defender Credential Guard is enabled
For Windows Defender Credential Guard on Windows with specific versions of the Lenovo ThinkPad
ThinkPad support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard in
Microsoft Windows – ThinkPad
For Windows Defender Credential Guard on Windows with Symantec Endpoint Protection Windows
devices with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1
This isn't a comprehensive list. Check whether your product vendor, product version, or computer system,
supports Windows Defender Credential Guard on systems that run Windows or specific versions of
Windows. Specific computer system models may be incompatible with Windows Defender Credential
Guard.
Microsoft encourages third-party vendors to contribute to this page by providing relevant product
support information and by adding links to their own product support statements.
Protect Remote Desktop credentials with Windows
Defender Remote Credential Guard
3/3/2022 • 8 minutes to read • Edit Online
Applies to
Windows 10
Windows Server 2016
Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard helps you protect your
credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's
requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
Administrator credentials are highly privileged and must be protected. By using Windows Defender Remote
Credential Guard to connect during Remote Desktop sessions, if the target device is compromised, your
credentials are not exposed because both credential and credential derivatives are never passed over the
network to the target device.
IMPORTANT
For information on Remote Desktop connection scenarios involving helpdesk support, see Remote Desktop connections
and helpdesk support scenarios in this article.
The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what
it helps to protect against, and compares it with the Restricted Admin mode option:
As illustrated, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-
the-Hash (PtH) attacks, and also prevents use of credentials after disconnection.
Use the following table to compare different Remote Desktop connection security options:
W IN DO W S DEF EN DER
REM OT E C REDEN T IA L
F EAT URE REM OT E DESK TO P GUA RD REST RIC T ED A DM IN M O DE
Protection benefits Credentials on the server User credentials remain on User logs on to the server
are not protected from the client. An attacker can as local administrator, so an
Pass-the-Hash attacks. act on behalf of the user attacker cannot act on
only when the session is behalf of the “domain user”.
ongoing Any attack is local to the
server
Version suppor t The remote computer can Both the client and the The remote computer must
run any Windows operating remote computer must be be running at least
system running at least Windows patched Windows 7 or
10, version 1607, or patched Windows
Windows Ser ver 2016 . Ser ver 2008 R2 .
Access Users allowed , that is, Users allowed , that is, Administrators only , that
members of Remote members of Remote is, only members of
Desktop Users group of Desktop Users of remote Administrators group of
remote host. host. remote host.
Network identity Remote Desktop session Remote Desktop session Remote Desktop session
connects to other connects to other connects to other
resources as signed-in resources as signed-in resources as remote
user . user . host’s identity .
Multi-hop From the remote desktop, From the remote desktop, Not allowed for user as the
you can connect you can connect session is running as a local
through Remote through Remote host account
Desktop to another Desktop to another
computer computer .
Suppor ted Any negotiable protocol. Kerberos only. Any negotiable protocol
authentication
For further technical information, see Remote Desktop Protocol and How Kerberos works.
NOTE
Remote Desktop client devices running earlier versions, at minimum Windows 10 version 1607, only support signed-in
credentials, so the client device must also be joined to an Active Directory domain. Both Remote Desktop client and server
must either be joined to the same domain, or the Remote Desktop server can be joined to a domain that has a trust
relationship to the client device's domain.
GPO Remote host allows delegation of non-exportable credentials should be enabled for delegation of non-exportable
credentials.
For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the
remote host using Kerberos authentication.
The remote host must be running at least Windows 10 version 1607, or Windows Server 2016.
The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform
app doesn't support Windows Defender Remote Credential Guard.
NOTE
Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in
clear text to the Remote Desktop server.
If you want to require Windows Defender Remote Credential Guard, choose Require Remote
Credential Guard . With this setting, a Remote Desktop connection will succeed only if the remote
computer meets the requirements listed earlier in this topic.
If you want to require Restricted Admin mode, choose Require Restricted Admin . For
information about Restricted Admin mode, see the table in Comparing Windows Defender Remote
Credential Guard with other Remote Desktop connection options, earlier in this topic.
4. Click OK .
5. Close the Group Policy Management Console.
6. From a command prompt, run gpupdate.exe /force to ensure that the Group Policy object is applied.
Use Windows Defender Remote Credential Guard with a parameter to Remote Desktop Connection
If you don't use Group Policy in your organization, or if not all your remote hosts support Remote Credential
Guard, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on
Windows Defender Remote Credential Guard for that connection.
mstsc.exe /remoteGuard
NOTE
The user must be authorized to connect to the remote server using Remote Desktop Protocol, for example by being a
member of the Remote Desktop Users local group on the remote computer.
Microsoft takes security seriously. This is for your protection. Microsoft accounts, the Windows operating
system, and other Microsoft products include passwords to help secure your information. This article provides
some options that you can use to reset or recover your password if you forget it. Be aware that, if these options
don’t work, Microsoft support engineers can't help you retrieve or circumvent a lost or forgotten password.
If you lose or forget a password, you can use the links in this article to find published support information that
will help you reset the password.
Applies to
Windows 10
Windows Server 2016
This topic for the IT professional describes access control in Windows, which is the process of authorizing users,
groups, and computers to access objects on the network or computer. Key concepts that make up access control
are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing.
Feature description
Computers that are running a supported version of Windows can control the use of system and network
resources through the interrelated mechanisms of authentication and authorization. After a user is
authenticated, the Windows operating system uses built-in authorization and access control technologies to
implement the second phase of protecting resources: determining if an authenticated user has the correct
permissions to access a resource.
Shared resources are available to users and groups other than the resource’s owner, and they need to be
protected from unauthorized use. In the access control model, users and groups (also referred to as security
principals) are represented by unique security identifiers (SIDs). They are assigned rights and permissions that
inform the operating system what each user and group can do. Each resource has an owner who grants
permissions to security principals. During the access control check, these permissions are examined to
determine which security principals can access the resource and how they can access it.
Security principals perform actions (which include Read, Write, Modify, or Full control) on objects. Objects
include files, folders, printers, registry keys, and Active Directory Domain Services (AD DS) objects. Shared
resources use access control lists (ACLs) to assign permissions. This enables resource managers to enforce
access control in the following ways:
Deny access to unauthorized users and groups
Set well-defined limits on the access that is provided to authorized users and groups
Object owners generally grant permissions to security groups rather than to individual users. Users and
computers that are added to existing groups assume the permissions of that group. If an object (such as a
folder) can hold other objects (such as subfolders and files), it is called a container. In a hierarchy of objects, the
relationship between a container and its content is expressed by referring to the container as the parent. An
object in the container is referred to as the child, and the child inherits the access control settings of the parent.
Object owners often define permissions for container objects, rather than individual child objects, to ease access
control management.
This content set contains:
Dynamic Access Control Overview
Security identifiers
Security Principals
Local Accounts
Active Directory Accounts
Microsoft Accounts
Service Accounts
Active Directory Security Groups
Practical applications
Administrators who use the supported version of Windows can refine the application and management of
access control to objects and subjects to provide the following security:
Protect a greater number and variety of network resources from misuse.
Provision users to access resources in a manner that is consistent with organizational policies and the
requirements of their jobs.
Enable users to access resources from a variety of devices in numerous locations.
Update users’ ability to access resources on a regular basis as an organization’s policies change or as
users’ jobs change.
Account for a growing number of use scenarios (such as access from remote locations or from a rapidly
expanding variety of devices, such as tablet computers and mobile phones).
Identify and resolve access issues when legitimate users are unable to access resources that they need to
perform their jobs.
Permissions
Permissions define the type of access that is granted to a user or group for an object or object property. For
example, the Finance group can be granted Read and Write permissions for a file named Payroll.dat.
By using the access control user interface, you can set NTFS permissions for objects such as files, Active
Directory objects, registry objects, or system objects such as processes. Permissions can be granted to any user,
group, or computer. It is a good practice to assign permissions to groups because it improves system
performance when verifying access to an object.
For any object, you can grant permissions to:
Groups, users, and other objects with security identifiers in the domain.
Groups and users in that domain and any trusted domains.
Local groups and users on the computer where the object resides.
The permissions attached to an object depend on the type of object. For example, the permissions that can be
attached to a file are different from those that can be attached to a registry key. Some permissions, however, are
common to most types of objects. These common permissions are:
Read
Modify
Change owner
Delete
When you set permissions, you specify the level of access for groups and users. For example, you can let one
user read the contents of a file, let another user make changes to the file, and prevent all other users from
accessing the file. You can set similar permissions on printers so that certain users can configure the printer and
other users can only print.
When you need to change the permissions on a file, you can run Windows Explorer, right-click the file name, and
click Proper ties . On the Security tab, you can change permissions on the file. For more information, see
Managing Permissions.
Note Another kind of permissions, called share permissions, is set on the Sharing tab of a folder's Proper ties
page or by using the Shared Folder Wizard. For more information see Share and NTFS Permissions on a File
Server.
Ownership of objects
An owner is assigned to an object when that object is created. By default, the owner is the creator of the object.
No matter what permissions are set on an object, the owner of the object can always change the permissions.
For more information, see Manage Object Ownership.
Inheritance of permissions
Inheritance allows administrators to easily assign and manage permissions. This feature automatically causes
objects within a container to inherit all the inheritable permissions of that container. For example, the files within
a folder inherit the permissions of the folder. Only permissions marked to be inherited will be inherited.
User rights
User rights grant specific privileges and sign-in rights to users and groups in your computing environment.
Administrators can assign specific rights to group accounts or to individual user accounts. These rights authorize
users to perform specific actions, such as signing in to a system interactively or backing up files and directories.
User rights are different from permissions because user rights apply to user accounts, and permissions are
associated with objects. Although user rights can apply to individual user accounts, user rights are best
administered on a group account basis. There is no support in the access control user interface to grant user
rights. However, user rights assignment can be administered through Local Security Settings .
For more information about user rights, see User Rights Assignment.
Object auditing
With administrator's rights, you can audit users' successful or failed access to objects. You can select which
object access to audit by using the access control user interface, but first you must enable the audit policy by
selecting Audit object access under Local Policies in Local Security Settings . You can then view these
security-related events in the Security log in Event Viewer.
For more information about auditing, see Security Auditing Overview.
See also
For more information about access control and authorization, see Access Control and Authorization
Overview.
Dynamic Access Control Overview
3/3/2022 • 8 minutes to read • Edit Online
Applies to
Windows Server 2016
This overview topic for the IT professional describes Dynamic Access Control and its associated elements, which
were introduced in Windows Server 2012 and Windows 8.
Domain-based Dynamic Access Control enables administrators to apply access-control permissions and
restrictions based on well-defined rules that can include the sensitivity of the resources, the job or role of the
user, and the configuration of the device that is used to access these resources.
For example, a user might have different permissions when they access a resource from their office computer
versus when they are using a portable computer over a virtual private network. Or access may be allowed only
if a device meets the security requirements that are defined by the network administrators. When Dynamic
Access Control is used, a user’s permissions change dynamically without additional administrator intervention if
the user’s job or role changes (resulting in changes to the user’s account attributes in AD DS). For more detailed
examples of Dynamic Access Control in use, see the scenarios described in Dynamic Access Control: Scenario
Overview.
Dynamic Access Control is not supported in Windows operating systems prior to Windows Server 2012 and
Windows 8. When Dynamic Access Control is configured in environments with supported and non-supported
versions of Windows, only the supported versions will implement the changes.
Features and concepts associated with Dynamic Access Control include:
Central access rules
Central access policies
Claims
Expressions
Proposed permissions
Central access rules
A central access rule is an expression of authorization rules that can include one or more conditions involving
user groups, user claims, device claims, and resource properties. Multiple central access rules can be combined
into a central access policy.
If one or more central access rules have been defined for a domain, file share administrators can match specific
rules to specific resources and business requirements.
Central access policies
Central access policies are authorization policies that include conditional expressions. For example, let’s say an
organization has a business requirement to restrict access to personally identifiable information (PII) in files to
only the file owner and members of the human resources (HR) department who are allowed to view PII
information. This represents an organization-wide policy that applies to PII files wherever they are located on file
servers across the organization. To implement this policy, an organization needs to be able to:
Identify and mark the files that contain the PII.
Identify the group of HR members who are allowed to view the PII information.
Add the central access policy to a central access rule, and apply the central access rule to all files that
contain the PII, wherever they are located amongst the file servers across the organization.
Central access policies act as security umbrellas that an organization applies across its servers. These policies
are in addition to (but do not replace) the local access policies or discretionary access control lists (DACLs) that
are applied to files and folders.
Claims
A claim is a unique piece of information about a user, device, or resource that has been published by a domain
controller. The user’s title, the department classification of a file, or the health state of a computer are valid
examples of a claim. An entity can involve more than one claim, and any combination of claims can be used to
authorize access to resources. The following types of claims are available in the supported versions of Windows:
User claims Active Directory attributes that are associated with a specific user.
Device claims Active Directory attributes that are associated with a specific computer object.
Resource attributes Global resource properties that are marked for use in authorization decisions and
published in Active Directory.
Claims make it possible for administrators to make precise organization- or enterprise-wide statements about
users, devices, and resources that can be incorporated in expressions, rules, and policies.
Expressions
Conditional expressions are an enhancement to access control management that allow or deny access to
resources only when certain conditions are met, for example, group membership, location, or the security state
of the device. Expressions are managed through the Advanced Security Settings dialog box of the ACL Editor or
the Central Access Rule Editor in the Active Directory Administrative Center (ADAC).
Expressions help administrators manage access to sensitive resources with flexible conditions in increasingly
complex business environments.
Proposed permissions
Proposed permissions enable an administrator to more accurately model the impact of potential changes to
access control settings without actually changing them.
Predicting the effective access to a resource helps you plan and configure permissions for those resources
before implementing those changes.
Additional changes
Additional enhancements in the supported versions of Windows that support Dynamic Access Control include:
Support in the Kerberos authentication protocol to reliably provide user claims, device claims, and device
groups.
By default, devices running any of the supported versions of Windows are able to process Dynamic Access
Control-related Kerberos tickets, which include data needed for compound authentication. Domain controllers
are able to issue and respond to Kerberos tickets with compound authentication-related information. When a
domain is configured to recognize Dynamic Access Control, devices receive claims from domain controllers
during initial authentication, and they receive compound authentication tickets when submitting service ticket
requests. Compound authentication results in an access token that includes the identity of the user and the
device on the resources that recognize Dynamic Access Control.
Support for using the Key Distribution Center (KDC ) Group Policy setting to enable Dynamic Access Control
for a domain.
Every domain controller needs to have the same Administrative Template policy setting, which is located at
Computer Configuration\Policies\Administrative Templates\System\KDC\Suppor t Dynamic Access
Control and Kerberos armoring .
Support in Active Directory to store user and device claims, resource properties, and central access policy
objects.
Support for using Group Policy to deploy central access policy objects.
The following Group Policy setting enables you to deploy central access policy objects to file servers in your
organization: Computer Configuration\Policies\ Windows Settings\Security Settings\File
System\Central Access Policy .
Support for claims-based file authorization and auditing for file systems by using Group Policy and Global
Object Access Auditing
You must enable staged central access policy auditing to audit the effective access of central access policy by
using proposed permissions. You configure this setting for the computer under Advanced Audit Policy
Configuration in the Security Settings of a Group Policy Object (GPO). After you configure the security
setting in the GPO, you can deploy the GPO to computers in your network.
Support for transforming or filtering claim policy objects that traverse Active Directory forest trusts
You can filter or transform incoming and outgoing claims that traverse a forest trust. There are three basic
scenarios for filtering and transforming claims:
Value-based filtering Filters can be based on the value of a claim. This allows the trusted forest to
prevent claims with certain values from being sent to the trusting forest. Domain controllers in trusting
forests can use value-based filtering to guard against an elevation-of-privilege attack by filtering the
incoming claims with specific values from the trusted forest.
Claim type-based filtering Filters are based on the type of claim, rather than the value of the claim.
You identify the claim type by the name of the claim. You use claim type-based filtering in the trusted
forest, and it prevents Windows from sending claims that disclose information to the trusting forest.
Claim type-based transformation Manipulates a claim before sending it to the intended target. You
use claim type-based transformation in the trusted forest to generalize a known claim that contains
specific information. You can use transformations to generalize the claim-type, the claim value, or both.
Software requirements
Because claims and compound authentication for Dynamic Access Control require Kerberos authentication
extensions, any domain that supports Dynamic Access Control must have enough domain controllers running
the supported versions of Windows to support authentication from Dynamic Access Control-aware Kerberos
clients. By default, devices must use domain controllers in other sites. If no such domain controllers are
available, authentication will fail. Therefore, you must support one of the following conditions:
Every domain that supports Dynamic Access Control must have enough domain controllers running the
supported versions of Windows Server to support authentication from all devices running the supported
versions of Windows or Windows Server.
Devices running the supported versions of Windows or that do not protect resources by using claims or
compound identity, should disable Kerberos protocol support for Dynamic Access Control.
For domains that support user claims, every domain controller running the supported versions of Windows
server must be configured with the appropriate setting to support claims and compound authentication, and to
provide Kerberos armoring. Configure settings in the KDC Administrative Template policy as follows:
Always provide claims Use this setting if all domain controllers are running the supported versions of
Windows Server. In addition, set the domain functional level to Windows Server 2012 or higher.
Suppor ted When you use this setting, monitor domain controllers to ensure that the number of
domain controllers running the supported versions of Windows Server is sufficient for the number of
client computers that need to access resources protected by Dynamic Access Control.
If the user domain and file server domain are in different forests, all domain controllers in the file server’s forest
root must be set at the Windows Server 2012 or higher functional level.
If clients do not recognize Dynamic Access Control, there must be a two-way trust relationship between the two
forests.
If claims are transformed when they leave a forest, all domain controllers in the user’s forest root must be set at
the Windows Server 2012 or higher functional level.
A file server running a server operating system that supports Dyamic Access Control must have a Group Policy
setting that specifies whether it needs to get user claims for user tokens that do not carry claims. This setting is
set by default to Automatic , which results in this Group Policy setting to be turned On if there is a central policy
that contains user or device claims for that file server. If the file server contains discretionary ACLs that include
user claims, you need to set this Group Policy to On so that the server knows to request claims on behalf of
users that do not provide claims when they access the server.
See also
Access control overview
Security identifiers
3/3/2022 • 31 minutes to read • Edit Online
Applies to
Windows 10
Windows Server 2016
This topic for the IT professional describes security identifiers and how they work in regards to accounts and
groups in the Windows operating system.
C O M M EN T DESC RIP T IO N
Identifier authority Identifies the highest level of authority that can issue SIDs
for a particular type of security principal. For example, the
identifier authority value in the SID for the Everyone group
is 1 (World Authority). The identifier authority value in the
SID for a specific Windows Server account or group is 5 (NT
Authority).
The components of a SID are easier to visualize when SIDs are converted from a binary to a string format by
using standard notation:
S-R-X-Y1-Y2-Yn-1-Yn
In this notation, the components of a SID are represented as shown in the following table.
C O M M EN T DESC RIP T IO N
The SID's most important information is contained in the series of subauthority values. The first part of the
series (-Y1-Y2-Yn-1) is the domain identifier. This element of the SID becomes significant in an enterprise with
several domains, because the domain identifier differentiates SIDs that are issued by one domain from SIDs that
are issued by all other domains in the enterprise. No two domains in an enterprise share the same domain
identifier.
The last item in the series of subauthority values (-Yn) is the relative identifier. It distinguishes one account or
group from all other accounts and groups in the domain. No two accounts or groups in any domain share the
same relative identifier.
For example, the SID for the built-in Administrators group is represented in standardized SID notation as the
following string:
S-1-5-32-544
S-1-5-21-1004336348-1177238915-682003330-512
Well-known SIDs
The values of certain SIDs are constant across all systems. They are created when the operating system or
domain is installed. They are called well-known SIDs because they identify generic users or generic groups.
There are universal well-known SIDs that are meaningful on all secure systems that use this security model,
including operating systems other than Windows. In addition, there are well-known SIDs that are meaningful
only on Windows operating systems.
The following table lists the universal well-known SIDs.
The following table lists the predefined identifier authority constants. The first four values are used with
universal well-known SIDs, and the rest of the values are used with well-known SIDs in Windows operating
systems designated in the Applies To list.
SECURITY_NULL_SID_AUTHORITY 0 S-1-0
SECURITY_WORLD_SID_AUTHORITY 1 S-1-1
SECURITY_LOCAL_SID_AUTHORITY 2 S-1-2
SECURITY_CREATOR_SID_AUTHORITY 3 S-1-3
SECURITY_NT_AUTHORITY 5 S-1-5
SECURITY_AUTHENTICATION_AUTHO 18 S-1-18
RITY
The following RID values are used with universal well-known SIDs. The Identifier authority column shows the
prefix of the identifier authority with which you can combine the RID to create a universal well-known SID.
REL AT IVE IDEN T IF IER A UT H O RIT Y VA L UE IDEN T IF IER A UT H O RIT Y
SECURITY_NULL_RID 0 S-1-0
SECURITY_WORLD_RID 0 S-1-1
SECURITY_LOCAL_RID 0 S-1-2
SECURITY_CREATOR_OWNER_RID 0 S-1-3
SECURITY_CREATOR_GROUP_RID 1 S-1-3
The SECURITY_NT_AUTHORITY (S-1-5) predefined identifier authority produces SIDs that are not universal and
are meaningful only in installations of the Windows operating systems that are designated in the Applies To list
at the beginning of this topic. The following table lists the well-known SIDs.
S-1-5-113 Local account You can use this SID when restricting
network logon to local accounts
instead of "administrator" or
equivalent. This SID can be effective in
blocking network logon for local users
and groups by account type regardless
of what they are actually named.
S-1-5-114 Local account and member of You can use this SID when restricting
Administrators group network logon to local accounts
instead of "administrator" or
equivalent. This SID can be effective in
blocking network logon for local users
and groups by account type regardless
of what they are actually named.
S-1-5-5- X-Y Logon Session The X and Y values for these SIDs
uniquely identify a particular logon
session.
S-1-5-13 Terminal Server User A group that includes all users who
sign in to a server with Remote
Desktop Services enabled.
S-1-5-14 Remote Interactive Logon A group that includes all users who log
on to the computer by using a remote
desktop connection. This group is a
subset of the Interactive group. Access
tokens that contain the Remote
Interactive Logon SID also contain the
Interactive SID.
S-1-5-root domain-518 Schema Admins A group that exists only in the forest
root domain. It is a universal group if
the domain is in native mode, and it is
a global group if the domain is in
mixed mode. The Schema Admins
group is authorized to make schema
changes in Active Directory. By default,
the only member of the group is the
Administrator account for the forest
root domain.
S-1-5-root domain-519 Enterprise Admins A group that exists only in the forest
root domain. It is a universal group if
the domain is in native mode, and it is
a global group if the domain is in
mixed mode.
The Enterprise Admins group is
authorized to make changes to the
forest infrastructure, such as adding
child domains, configuring sites,
authorizing DHCP servers, and
installing enterprise certification
authorities.
By default, the only member of
Enterprise Admins is the Administrator
account for the forest root domain.
The group is a default member of
every Domain Admins group in the
forest.
SID DISP L AY N A M E DESC RIP T IO N
S-1-5-domain-553 RAS and IAS Servers A local domain group. By default, this
group has no members. Computers
that are running the Routing and
Remote Access service are added to
the group automatically.
Members of this group have access to
certain properties of User objects, such
as Read Account Restrictions, Read
Logon Information, and Read Remote
Access Information.
S-1-5-32-557 Builtin\Incoming Forest Trust Builders An alias. Members of this group can
create incoming, one-way trusts to this
forest.
S-1-5-32-561 Builtin\Terminal Server License Servers An alias. A group for Terminal Server
License Servers. When Windows Server
2003 Service Pack 1 is installed, a new
local group is created.
S-1-5-32-575 Builtin\RDS Remote Access Servers A built-in local group. Servers in this
group enable users of RemoteApp
programs and personal virtual
desktops access to these resources. In
Internet-facing deployments, these
servers are typically deployed in an
edge network. This group needs to be
populated on servers running RD
Connection Broker. RD Gateway
servers and RD Web Access servers
used in the deployment need to be in
this group.
SID DISP L AY N A M E DESC RIP T IO N
The following table provides examples of domain-relative RIDs that are used to form well-known SIDs for local
groups.
Most of the operating system files are Windows Server 2008, Windows Vista The purpose of this change is to
owned by the TrustedInstaller security prevent a process that is running as an
identifier (SID) administrator or under the
LocalSystem account from
automatically replacing the operating
system files.
Restricted SID checks are implemented Windows Server 2008, Windows Vista When restricting SIDs are present,
Windows performs two access checks.
The first is the normal access check,
and the second is the same access
check against the restricting SIDs in
the token. Both access checks must
pass to allow the process to access the
object.
Capability SIDs
Capability Security Identifiers (SIDs) are used to uniquely and immutably identify capabilities. Capabilities
represent an unforgeable token of authority that grants access to resources (Examples: documents, camera,
locations etc...) to Universal Windows Applications. An App that “has” a capability is granted access to the
resource the capability is associated with, and one that “does not have” a capability is denied access to the
resource.
All Capability SIDs that the operating system is aware of are stored in the Windows Registry in the path
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities'. Any
Capability SID added to Windows by first or third-party applications will be added to this location.
Examples of registry keys taken from Windows 10, version 1909, 64-
bit Enterprise edition
You may see the following registry keys under AllCachedCapabilities:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capa
bilityClass_DevUnlock
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capa
bilityClass_DevUnlock_Internal
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capa
bilityClass_Enterprise
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capa
bilityClass_General
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capa
bilityClass_Restricted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capa
bilityClass_Windows
All Capability SIDs are prefixed by S-1-15-3
See also
Access Control Overview
Security Principals
3/3/2022 • 10 minutes to read • Edit Online
Applies to
Windows 10
Windows Server 2016
This reference topic for the IT professional describes security principals in regards to Windows accounts and
security groups, in addition to security technologies that are related to security principals.
See also
Access Control Overview
Local Accounts
3/3/2022 • 20 minutes to read • Edit Online
Applies to
Windows 11
Windows 10
Windows Server 2019
Windows Server 2016
This reference topic for IT professionals describes the default local user accounts for servers, including how to
manage these built-in accounts on a member or standalone server.
Guest account
The Guest account is disabled by default on installation. The Guest account lets occasional or one-time users,
who do not have an account on the computer, temporarily sign in to the local server or client computer with
limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide
anonymous access, it is a security risk. For this reason, it is a best practice to leave the Guest account disabled,
unless its use is entirely necessary.
Account group membership
By default, the Guest account is the only member of the default Guests group (SID S-1-5-32-546), which lets a
user sign in to a server. On occasion, an administrator who is a member of the Administrators group can set up
a user with a Guest account on one or more computers.
Security considerations
When enabling the Guest account, only grant limited rights and permissions. For security reasons, the Guest
account should not be used over the network and made accessible to other computers.
In addition, the guest user in the Guest account should not be able to view the event logs. After the Guest
account is enabled, it is a best practice to monitor the Guest account frequently to ensure that other users
cannot use services and other resources, such as resources that were unintentionally left available by a previous
user.
AT T RIB UT E VA L UE
Type User
Guests
Protected by ADMINSDHOLDER? No
Safe to move out of default container? Can be moved out, but we do not recommend it.
DefaultAccount
The DefaultAccount, also known as the Default System Managed Account (DSMA), is a built-in account
introduced in Windows 10 version 1607 and Windows Server 2016. The DSMA is a well-known user account
type. It is a user neutral account that can be used to run processes that are either multi-user aware or user-
agnostic. The DSMA is disabled by default on the desktop SKUs (full windows SKUs) and WS 2016 with the
Desktop.
The DSMA has a well-known RID of 503. The security identifier (SID) of the DSMA will thus have a well-known
SID in the following format: S-1-5-21-<ComputerIdentifier>-503
The DSMA is a member of the well-known group System Managed Accounts Group , which has a well-
known SID of S-1-5-32-581.
The DSMA alias can be granted access to resources during offline staging even before the account itself has
been created. The account and the group are created during first boot of the machine within the Security
Accounts Manager (SAM).
How Windows uses the DefaultAccount
From a permission perspective, the DefaultAccount is a standard user account. The DefaultAccount is needed to
run multi-user-manifested-apps (MUMA apps). MUMA apps run all the time and react to users signing in and
signing out of the devices. Unlike Windows Desktop where apps run in context of the user and get terminated
when the user signs off, MUMA apps run by using the DSMA.
MUMA apps are functional in shared session SKUs such as Xbox. For example, Xbox shell is a MUMA app. Today,
Xbox automatically signs in as Guest account and all apps run in this context. All the apps are multi-user-aware
and respond to events fired by user manager. The apps run as the Guest account.
Similarly, Phone auto logs in as a “DefApps” account which is akin to the standard user account in Windows but
with a few extra privileges. Brokers, some services and apps run as this account.
In the converged user model, the multi-user-aware apps and multi-user-aware brokers will need to run in a
context different from that of the users. For this purpose, the system creates DSMA.
How the DefaultAccount gets created on domain controllers
If the domain was created with domain controllers that run Windows Server 2016, the DefaultAccount will exist
on all domain controllers in the domain. If the domain was created with domain controllers that run an earlier
version of Windows Server, the DefaultAccount will be created after the PDC Emulator role is transferred to a
domain controller that runs Windows Server 2016. The DefaultAccount will then be replicated to all other
domain controllers in the domain.
Recommendations for managing the Default Account (DSMA)
Microsoft does not recommend changing the default configuration, where the account is disabled. There is no
security risk with having the account in the disabled state. Changing the default configuration could hinder
future scenarios that rely on this account.
NOTE
To grant the account Administrators group file permissions does not implicitly give permission to the SYSTEM account.
The SYSTEM account's permissions can be removed from a file, but we do not recommend removing them.
NETWORK SERVICE
The NETWORK SERVICE account is a predefined local account used by the service control manager (SCM). A
service that runs in the context of the NETWORK SERVICE account presents the computer's credentials to
remote servers. For more information, see NetworkService Account.
LOCAL SERVICE
The LOCAL SERVICE account is a predefined local account used by the service control manager. It has minimum
privileges on the local computer and presents anonymous credentials on the network. For more information,
see LocalService Account.
NOTE
You use Active Directory Users and Computers to manage users and groups in Active Directory.
You can also manage local users by using NET.EXE USER and manage local groups by using NET.EXE
LOCALGROUP, or by using a variety of PowerShell cmdlets and other scripting technologies.
Restrict and protect local accounts with administrative rights
An administrator can use a number of approaches to prevent malicious users from using stolen credentials,
such as a stolen password or password hash, for a local account on one computer from being used to
authenticate on another computer with administrative rights; this is also called "lateral movement".
The simplest approach is to sign in to your computer with a standard user account, instead of using the
Administrator account for tasks, for example, to browse the Internet, send email, or use a word processor. When
you want to perform an administrative task, for example, to install a new program or to change a setting that
affects other users, you don't have to switch to an Administrator account. You can use User Account Control
(UAC) to prompt you for permission or an administrator password before performing the task, as described in
the next section.
The other approaches that can be used to restrict and protect user accounts with administrative rights include:
Enforce local account restrictions for remote access.
Deny network logon to all local Administrator accounts.
Create unique passwords for local accounts with administrative rights.
Each of these approaches is described in the following sections.
NOTE
These approaches do not apply if all administrative local accounts are disabled.
NOTE
You can also enforce the default for LocalAccountTokenFilterPolicy by using the custom ADMX in Security Templates.
6. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by doing
the following:
a. Navigate to the Computer Configuration\Windows Settings\Security Settings\Local Policies\, and
> Security Options .
b. Double-click User Account Control: Run all administrators in Admin Approval Mode >
Enabled > OK .
c. Double-click User Account Control: Admin Approval Mode for the Built-in Administrator
account > Enabled > OK .
7. Ensure that the local account restrictions are applied to network interfaces by doing the following:
a. Navigate to Computer Configuration\Preferences and Windows Settings, and > Registr y .
b. Right-click Registr y , and > New > Registr y Item .
c. In the New Registr y Proper ties dialog box, on the General tab, change the setting in the
Action box to Replace .
d. Ensure that the Hive box is set to HKEY_LOCAL_MACHINE .
e. Click (… ), browse to the following location for Key Path > Select for:
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System .
f. In the Value name area, type LocalAccountTokenFilterPolicy .
g. In the Value type box, from the drop-down list, select REG_DWORD to change the value.
h. In the Value data box, ensure that the value is set to 0 .
i. Verify this configuration, and > OK .
8. Link the GPO to the first Workstations organizational unit (OU) by doing the following:
a. Navigate to the <Forest>\Domains\<Domain>\OU path.
b. Right-click the Workstations OU, and > Link an existing GPO .
NOTE
To perform this procedure, you must first identify the name of the local, default Administrator account, which might not
be the default user name "Administrator", and any other accounts that are members of the local Administrators group.
The following table shows the Group Policy settings that are used to deny network logon for all local
Administrator accounts.
6. Configure the user rights to deny network logons for administrative local accounts as follows:
a. Navigate to the Computer Configuration\Windows Settings\Security Settings\, and > User
Rights Assignment .
b. Double-click Deny access to this computer from the network .
c. Click Add User or Group , type Local account and member of Administrators group , and >
OK .
7. Configure the user rights to deny Remote Desktop (Remote Interactive) logons for administrative local
accounts as follows:
a. Navigate to Computer Configuration\Policies\Windows Settings and Local Policies, and then click
User Rights Assignment .
b. Double-click Deny log on through Remote Desktop Ser vices .
c. Click Add User or Group , type Local account and member of Administrators group , and >
OK .
8. Link the GPO to the first Workstations OU as follows:
a. Navigate to the <Forest>\Domains\<Domain>\OU path.
b. Right-click the Workstations OU, and > Link an existing GPO .
c. Select the GPO that you just created, and > OK .
9. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues
caused by the new policy.
10. Create links to all other OUs that contain workstations.
11. Create links to all other OUs that contain servers.
NOTE
You might have to create a separate GPO if the user name of the default Administrator account is different on
workstations and servers.
See also
The following resources provide additional information about technologies that are related to local accounts.
Security Principals
Security Identifiers
Access Control Overview
Active Directory Accounts
3/3/2022 • 35 minutes to read • Edit Online
Applies to
Windows Server 2016
Windows Server operating systems are installed with default local accounts. In addition, you can create user
accounts to meet the requirements of your organization. This reference topic for the IT professional describes
the Windows Server default local accounts that are stored locally on the domain controller and are used in
Active Directory.
This reference topic does not describe default local user accounts for a member or standalone server or for a
Windows client. For more information, see Local Accounts.
Administrator account
The Administrator account is a default account that is used in all versions of the Windows operating system on
every computer and device. The Administrator account is used by the system administrator for tasks that
require administrative credentials. This account cannot be deleted or locked out, but the account can be
renamed or disabled.
The Administrator account gives the user complete access (Full Control permissions) of the files, directories,
services, and other resources that are on that local server. The Administrator account can be used to create local
users, and assign user rights and access control permissions. Administrator can also be used to take control of
local resources at any time simply by changing the user rights and permissions. Although files and directories
can be protected from the Administrator account temporarily, the Administrator account can take control of
these resources at any time by changing the access permissions.
Account group membership
The Administrator account has membership in the default security groups as described in the Administrator
account attributes table later in this topic.
The security groups ensure that you can control administrator rights without having to change each
Administrator account. In most instances, you do not have to change the basic settings for this account.
However, you might have to change its advanced settings, such as membership in particular groups.
Security considerations
After installation of the server operating system, your first task is to set up the Administrator account properties
securely. This includes setting up an especially long, strong password, and securing the Remote control and
Remote Desktop Services profile settings.
The Administrator account can also be disabled when it is not required. Renaming or disabling the Administrator
account makes it more difficult for malicious users to try to gain access to the account. However, even when the
Administrator account is disabled, it can still be used to gain access to a domain controller by using safe mode.
On a domain controller, the Administrator account becomes the Domain Admin account. The Domain Admin
account is used to sign in to the domain controller and this account requires a strong password. The Domain
Admin account gives you access to domain resources.
NOTE
When the domain controller is initially installed, you can sign in and use Server Manager to set up a local Administrator
account, with the rights and permissions you want to assign. For example, you can use a local Administrator account to
manage the operating system when you first install it. By using this approach, you can set up the operating system
without getting locked out. Generally, you do not need to use the account after installation. You can only create local user
accounts on the domain controller, before Active Directory Domain Services is installed, and not afterwards.
When Active Directory is installed on the first domain controller in the domain, the Administrator account is
created for Active Directory. The Administrator account is the most powerful account in the domain. It is given
domain-wide access and administrative rights to administer the computer and the domain, and it has the most
extensive rights and permissions over the domain. The person who installs Active Directory Domain Services on
the computer creates the password for this account during the installation.
Administrator account attributes
AT T RIB UT E VA L UE
Type User
Guest account
The Guest account is a default local account that has limited access to the computer and is disabled by default.
By default, the Guest account password is left blank. A blank password allows the Guest account to be accessed
without requiring the user to enter a password.
The Guest account enables occasional or one-time users, who do not have an individual account on the
computer, to sign in to the local server or domain with restricted rights and permissions. The Guest account can
be enabled, and the password can be set up if needed, but only by a member of the Administrator group on the
domain.
Account group membership
The Guest account has membership in the default security groups that are described in the following Guest
account attributes table. By default, the Guest account is the only member of the default Guests group, which
lets a user sign in to a server, and the Domain Guests global group, which lets a user sign in to a domain.
A member of the Administrators group or Domain Admins group can set up a user with a Guest account on one
or more computers.
Security considerations
Because the Guest account can provide anonymous access, it is a security risk. It also has a well-known SID. For
this reason, it is a best practice to leave the Guest account disabled, unless its use is required and then only with
restricted rights and permissions for a very limited period of time.
When the Guest account is required, an Administrator on the domain controller is required to enable the Guest
account. The Guest account can be enabled without requiring a password, or it can be enabled with a strong
password. The Administrator also grants restricted rights and permissions for the Guest account. To help prevent
unauthorized access:
Do not grant the Guest account the Shut down the system user right. When a computer is shutting down
or starting up, it is possible that a Guest user or anyone with local access, such as a malicious user, could
gain unauthorized access to the computer.
Do not provide the Guest account with the ability to view the event logs. After the Guest account is
enabled, it is a best practice to monitor this account frequently to ensure that other users cannot use
services and other resources, such as resources that were unintentionally left available by a previous user.
Do not use the Guest account when the server has external network access or access to other computers.
If you decide to enable the Guest account, be sure to restrict its use and to change the password regularly. As
with the Administrator account, you might want to rename the account as an added security precaution.
In addition, an administrator is responsible for managing the Guest account. The administrator monitors the
Guest account, disables the Guest account when it is no longer in use, and changes or removes the password as
needed.
For details about the Guest account attributes, see the following table.
Guest account attributes
AT T RIB UT E VA L UE
Type User
Protected by ADMINSDHOLDER? No
Safe to move out of default container? Can be moved out, but we do not recommend it.
AT T RIB UT E VA L UE
Type User
Protected by ADMINSDHOLDER? No
Safe to move out of default container? Can be moved out, but we do not recommend it.
KRBTGT account
The KRBTGT account is a local default account that acts as a service account for the Key Distribution Center
(KDC) service. This account cannot be deleted, and the account name cannot be changed. The KRBTGT account
cannot be enabled in Active Directory.
KRBTGT is also the security principal name used by the KDC for a Windows Server domain, as specified by RFC
4120. The KRBTGT account is the entity for the KRBTGT security principal, and it is created automatically when a
new domain is created.
Windows Server Kerberos authentication is achieved by the use of a special Kerberos ticket-granting ticket (TGT)
enciphered with a symmetric key. This key is derived from the password of the server or service to which access
is requested. The TGT password of the KRBTGT account is known only by the Kerberos service. In order to
request a session ticket, the TGT must be presented to the KDC. The TGT is issued to the Kerberos client from the
KDC.
KRBTGT account maintenance considerations
A strong password is assigned to the KRBTGT and trust accounts automatically. Like any privileged service
accounts, organizations should change these passwords on a regular schedule. The password for the KDC
account is used to derive a secret key for encrypting and decrypting the TGT requests that are issued. The
password for a domain trust account is used to derive an inter-realm key for encrypting referral tickets.
Resetting the password requires you either to be a member of the Domain Admins group, or to have been
delegated with the appropriate authority. In addition, you must be a member of the local Administrators group,
or you must have been delegated the appropriate authority.
After you reset the KRBTGT password, ensure that event ID 9 in the (Kerberos) Key-Distribution-Center event
source is written to the System event log.
Security considerations
It is also a best practice to reset the KRBTGT account password to ensure that a newly restored domain controller
does not replicate with a compromised domain controller. In this case, in a large forest recovery that is spread
across multiple locations, you cannot guarantee that all domain controllers are shut down, and if they are shut
down, they cannot be rebooted again before all of the appropriate recovery steps have been undertaken. After
you reset the KRBTGT account, another domain controller cannot replicate this account password by using an
old password.
An organization suspecting domain compromise of the KRBTGT account should consider the use of professional
incident response services. The impact to restore the ownership of the account is domain-wide and labor
intensive an should be undertaken as part of a larger recovery effort.
The KRBTGT password is the key from which all trust in Kerberos chains up to. Resetting the KRBTGT password is
similar to renewing the root CA certificate with a new key and immediately not trusting the old key, resulting in
almost all subsequent Kerberos operations will be affected.
For all account types (users, computers, and services)
All the TGTs that are already issued and distributed will be invalid because the DCs will reject them. These
tickets are encrypted with the KRBTGT so any DC can validate them. When the password changes, the
tickets become invalid.
All currently authenticated sessions that logged on users have established (based on their service tickets)
to a resource (such as a file share, SharePoint site, or Exchange server) are good until the service ticket is
required to re-authenticate.
NTLM authenticated connections are not affected
Because it is impossible to predict the specific errors that will occur for any given user in a production operating
environment, you must assume all computers and users will be affected.
IMPORTANT
Rebooting a computer is the only reliable way to recover functionality as this will cause both the computer account and
user accounts to log back in again. Logging in again will request new TGTs that are valid with the new KRBTGT, correcting
any KRBTGT related operational issues on that computer.
For information about how to help mitigate the risks associated with a potentially compromised KRBTGT
account, see KRBTGT Account Password Reset Scripts now available for customers.
Read-only domain controllers and the KRBTGT account
Windows Server 2008 introduced the read-only domain controller (RODC). The RODC is advertised as the Key
Distribution Center (KDC) for the branch office. The RODC uses a different KRBTGT account and password than
the KDC on a writable domain controller when it signs or encrypts ticket-granting ticket (TGT) requests. After an
account is successfully authenticated, the RODC determines if a user's credentials or a computer's credentials
can be replicated from the writable domain controller to the RODC by using the Password Replication Policy.
After the credentials are cached on the RODC, the RODC can accept that user's sign-in requests until the
credentials change. When a TGT is signed with the KRBTGT account of the RODC, the RODC recognizes that it
has a cached copy of the credentials. If another domain controller signs the TGT, the RODC forwards requests to
a writable domain controller.
KRBTGT account attributes
For details about the KRBTGT account attributes, see the following table.
AT T RIB UT E VA L UE
Type User
Default member of Domain Users group. Note that the Primary Group ID of all
user accounts is Domain Users.
Safe to move out of default container? Can be moved out, but we do not recommend it.
User must change password at next logon Forces a password change the next time that the user logs
signs in to the network. Use this option when you want to
ensure that the user is the only person to know his or her
password.
User cannot change password Prevents the user from changing the password. Use this
option when you want to maintain control over a user
account, such as for a Guest or temporary account.
Password never expires Prevents a user password from expiring. It is a best practice
to enable this option with service accounts and to use
strong passwords.
Store passwords using reversible encryption Provides support for applications that use protocols
requiring knowledge of the plaintext form of the user’s
password for authentication purposes.
Account is disabled Prevents the user from signing in with the selected account.
As an administrator, you can use disabled accounts as
templates for common user accounts.
A C C O UN T SET T IN GS DESC RIP T IO N
Smart card is required for interactive logon Requires that a user has a smart card to sign on to the
network interactively. The user must also have a smart card
reader attached to their computer and a valid personal
identification number (PIN) for the smart card.
Account is trusted for delegation Lets a service running under this account perform
operations on behalf of other user accounts on the network.
A service running under a user account (also known as a
service account) that is trusted for delegation can
impersonate a client to gain access to resources, either on
the computer where the service is running or on other
computers. For example, in a forest that is set to the
Windows Server 2003 functional level, this setting is found
on the Delegation tab. It is available only for accounts that
have been assigned service principal names (SPNs), which
are set by using the setspn command from Windows
Support Tools. This setting is security-sensitive and should
be assigned cautiously.
Account is sensitive and cannot be delegated Gives control over a user account, such as for a Guest
account or a temporary account. This option can be used if
this account cannot be assigned for delegation by another
account.
Use DES encryption types for this account Provides support for the Data Encryption Standard (DES).
DES supports multiple levels of encryption, including
Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit
and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit),
Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit
DES, and IPSec Triple DES (3DES).
Do not require Kerberos preauthentication Provides support for alternate implementations of the
Kerberos protocol. Because preauthentication provides
additional security, use caution when enabling this option.
Note that domain controllers running Windows 2000 or
Windows Server 2003 can use other mechanisms to
synchronize time.
IMPORTANT
Ensure that sensitive administrator accounts cannot access email or browse the Internet as described in the following
section.
NOTE
If the administrators in your environment can sign in locally to managed servers and perform all tasks without elevated
rights or domain rights from their workstation, you can skip this task.
Minimum . Build dedicated administrative workstations and block Internet access on those workstations
including web browsing and email. Use the following ways to block Internet access:
Configure authenticating boundary proxy services, if they are deployed, to disallow administrator
accounts from accessing the Internet.
Configure boundary firewall or proxy services to disallow Internet access for the IP addresses that
are assigned to dedicated administrative workstations.
Block outbound access to the boundary proxy servers in the Windows Firewall.
The instructions for meeting this minimum requirement are described in the following procedure.
Better . Do not grant administrators membership in the local Administrator group on the computer in
order to restrict the administrator from bypassing these protections.
Ideal . Restrict workstations from having any network connectivity, except for the domain controllers and
servers that the administrator accounts are used to manage. Alternately, use AppLocker application
control policies to restrict all applications from running, except for the operating system and approved
administrative tools and applications. For more information about AppLocker, see AppLocker.
The following procedure describes how to block Internet access by creating a Group Policy Object (GPO) that
configures an invalid proxy address on administrative workstations. These instructions apply only to computers
running Internet Explorer and other Windows components that use these proxy settings.
NOTE
In this procedure, the workstations are dedicated to domain administrators. By simply modifying the administrator
accounts to grant permission to administrators to sign in locally, you can create additional OUs to manage administrators
that have fewer administrative rights to use the instructions described in the following procedure.
To install administrative workstations in a domain and block Internet and email access (minimum)
1. As a domain administrator on a domain controller, open Active Directory Users and Computers, and
create a new OU for administrative workstations.
2. Create computer accounts for the new workstations.
NOTE
You might have to delegate permissions to join computers to the domain if the account that joins the
workstations to the domain does not already have them. For more information, see Delegation of Administration
in Active Directory.
8. Configure which members of accounts can log on locally to these administrative workstations as follows:
a. Navigate to Computer Configuration\Policies\Windows Settings\Local Policies, and then click User
Rights Assignment .
b. Double-click Allow log on locally , and then select the Define these policy settings check box.
c. Click Add User or Group > Browse , type Enterprise Admins , and > OK .
d. Click Add User or Group > Browse , type Domain Admins , and > OK .
IMPORTANT
These instructions assume that the workstation is to be dedicated to domain administrators.
10. Configure the loopback processing mode to enable the user Group Policy proxy setting to apply to all
users on the computer as follows:
a. Navigate to Computer Configuration\Policies\Administrative Templates\System, and > Group
Policy .
b. Double-click User Group Policy loopback policy processing mode , and > Enabled .
c. Select Merge Mode , and > OK .
11. Configure software updates as follows:
a. Navigate to Computer Configuration\Policies\Administrative Templates\Windows Components,
and then click Windows Update .
b. Configure Windows Update settings as described in the following table.
NOTE
This step assumes that Windows Server Update Services (WSUS) is installed and configured in the
environment. You can skip this step if you use another tool to deploy software updates. Also, if the public
Microsoft Windows Update service only is used on the Internet, then these administrative workstations no
longer receive updates.
b. On each profile, ensure that the firewall is enabled and that inbound connections are set to Block
all connections .
c. Click OK to complete the configuration.
13. Close the Group Policy Management Console.
14. Install the Windows operating system on the workstations, give each workstation the same names as the
computer accounts assigned to them, and then join them to the domain.
Restrict administrator logon access to servers and workstations
It is a best practice to restrict administrators from using sensitive administrator accounts to sign in to lower-trust
servers and workstations. This restriction prevents administrators from inadvertently increasing the risk of
credential theft by signing in to a lower-trust computer.
IMPORTANT
Ensure that you either have local access to the domain controller or that you have built at least one dedicated
administrative workstation.
Restrict logon access to lower-trust servers and workstations by using the following guidelines:
Minimum . Restrict domain administrators from having logon access to servers and workstations. Before
starting this procedure, identify all OUs in the domain that contain workstations and servers. Any
computers in OUs that are not identified will not restrict administrators with sensitive accounts from
signing-in to them.
Better . Restrict domain administrators from non-domain controller servers and workstations.
Ideal . Restrict server administrators from signing in to workstations, in addition to domain
administrators.
NOTE
For this procedure, do not link accounts to the OU that contain workstations for administrators that perform
administration duties only, and do not provide Internet or email access. For more information, see Create dedicated
workstation hosts for administrators
NOTE
You can optionally add any groups that contain server administrators who you want to restrict from
signing in to workstations.
NOTE
Completing this step might cause issues with administrator tasks that run as scheduled tasks or services with
accounts in the Domain Admins group. The practice of using domain administrator accounts to run services and
tasks on workstations creates a significant risk of credential theft attacks and therefore should be replaced with
alternative means to run scheduled tasks or services.
a. Double-click Deny logon as a batch job , and > Define these policy settings .
b. Click Add User or Group > Browse , type Enterprise Admins , and > OK .
c. Click Add User or Group > Browse , type Domain Admins , and > OK .
NOTE
You can optionally add any groups that contain server administrators who you want to restrict from
signing in to workstations.
d. Double-click Deny logon as a ser vice , and > Define these policy settings .
e. Click Add User or Group > Browse , type Enterprise Admins , and > OK .
f. Click Add User or Group > Browse , type Domain Admins , and > OK .
NOTE
You can optionally add any groups that contain server administrators who you want to restrict from
signing in to workstations.
10. Test the functionality of enterprise applications on workstations in the first OU and resolve any issues
caused by the new policy.
11. Link all other OUs that contain workstations.
However, do not create a link to the Administrative Workstation OU if it is created for administrative
workstations that are dedicated to administration duties only, and that are without Internet or email
access. For more information, see Create dedicated workstation hosts for administrators.
IMPORTANT
If you later extend this solution, do not deny logon rights for the Domain Users group. The Domain Users
group includes all user accounts in the domain, including Users, Domain Administrators, and Enterprise
Administrators.
See also
Security Principals
Access Control Overview
Microsoft Accounts
3/3/2022 • 9 minutes to read • Edit Online
Applies to
Windows 10
This topic for the IT professional explains how a Microsoft account works to enhance security and privacy for
users, and how you can manage this consumer account type in your organization.
Microsoft sites, services, and properties, as well as computers running Windows 10, can use a Microsoft account
as a means of identifying a user. Microsoft account was previously called Windows Live ID. It has user-defined
secrets, and consists of a unique email address and a password.
When a user signs in with a Microsoft account, the device is connected to cloud services. Many of the user's
settings, preferences, and apps can be shared across devices.
Applies to
Windows 10
Windows Server 2016
This topic for the IT professional explains group and standalone managed service accounts, and the computer-
specific virtual computer account, and it points to resources about these service accounts.
Overview
A service account is a user account that is created explicitly to provide a security context for services running on
Windows Server operating systems. The security context determines the service's ability to access local and
network resources. The Windows operating systems rely on services to run various features. These services can
be configured through the applications, the Services snap-in, or Task Manager, or by using Windows PowerShell.
This topic contains information about the following types of service accounts:
Standalone managed service accounts
Group-managed service accounts
Virtual accounts
Standalone managed service accounts
A managed service account is designed to isolate domain accounts in crucial applications, such as Internet
Information Services (IIS), and eliminate the need for an administrator to manually administer the service
principal name (SPN) and credentials for the accounts.
To use managed service accounts, the server on which the application or service is installed must be running at
least Windows Server 2008 R2. One managed service account can be used for services on a single computer.
Managed service accounts cannot be shared between multiple computers, and they cannot be used in server
clusters where a service is replicated on multiple cluster nodes. For this scenario, you must use a group-
managed service account. For more information, see Group-Managed Service Accounts Overview.
In addition to the enhanced security that is provided by having individual accounts for critical services, there are
four important administrative benefits associated with managed service accounts:
You can create a class of domain accounts that can be used to manage and maintain services on local
computers.
Unlike domain accounts in which administrators must manually reset passwords, the network passwords
for these accounts are automatically reset.
You do not have to complete complex SPN management tasks to use managed service accounts.
You don't have to complete complex SPN management tasks to use managed service accounts.
Administrative tasks for managed service accounts can be delegated to non-administrators.
Software requirements
Managed service accounts apply to the Windows operating systems that are designated in the Applies To list at
the beginning of this topic.
Group-managed service accounts
Group-managed service accounts are an extension of the standalone-managed service accounts, which were
introduced in Windows Server 2008 R2. These accounts are managed domain accounts that provide automatic
password management and simplified service principal name (SPN) management, including delegation of
management to other administrators.
The group-managed service account provides the same functionality as a standalone managed service account
within the domain, but it extends that functionality over multiple servers. When connecting to a service that is
hosted on a server farm, such as Network Load Balancing, the authentication protocols that support mutual
authentication require all instances of the services to use the same principal. When group-managed service
accounts are used as service principals, the Windows Server operating system manages the password for the
account instead of relying on the administrator to manage the password.
The Microsoft Key Distribution Service (kdssvc.dll) provides the mechanism to securely obtain the latest key or a
specific key with a key identifier for an Active Directory account. This service was introduced in Windows Server
2012, and it does not run on previous versions of the Windows Server operating system. The Key Distribution
Service shares a secret, which is used to create keys for the account. These keys are periodically changed. For a
group-managed service account, the domain controller computes the password on the key that is provided by
the Key Distribution Services, in addition to other attributes of the group-managed service account.
Practical applications
Group-managed service accounts provide a single identity solution for services running on a server farm, or on
systems that use Network Load Balancing. By providing a group-managed service account solution, services can
be configured for the group-managed service account principal, and the password management is handled by
the operating system.
By using a group-managed service account, service administrators do not need to manage password
synchronization between service instances. The group-managed service account supports hosts that are kept
offline for an extended time period and the management of member hosts for all instances of a service. This
provision means that you can deploy a server farm that supports a single identity to which existing client
computers can authenticate without knowing the instance of the service to which they are connecting.
Failover clusters do not support group-managed service accounts. However, services that run on top of the
Cluster service can use a group-managed service account or a standalone managed service account if they are a
Windows service, an App pool, a scheduled task, or if they natively support group-managed service account or
standalone managed service accounts.
Software requirements
Group-managed service accounts can only be configured and administered on computers running at least
Windows Server 2012, but they can be deployed as a single service identity solution in domains that still have
domain controllers running operating systems earlier than Windows Server 2012. There are no domain or
forest functional level requirements.
A 64-bit architecture is required to run the Windows PowerShell commands that are used to administer group-
managed service accounts.
A managed service account is dependent on encryption types supported by Kerberos. When a client computer
authenticates to a server by using Kerberos protocol, the domain controller creates a Kerberos service ticket that
is protected with encryption that the domain controller and the server support. The domain controller uses the
account’s msDS-Suppor tedEncr yptionTypes attribute to determine what encryption the server supports,
and if there is no attribute, it assumes that the client computer does not support stronger encryption types. The
Advanced Encryption Standard (AES) must always be configured for managed service accounts. If computers
that host the managed service account are configured to not support RC4, authentication will always fail.
Note Introduced in Windows Server 2008 R2, the Data Encryption Standard (DES) is disabled by default. For
more information about supported encryption types, see Changes in Kerberos Authentication.
Group-managed service accounts are not applicable in Windows operating systems prior to Windows Server
2012.
Virtual accounts
Virtual accounts were introduced in Windows Server 2008 R2 and Windows 7, and are managed local accounts
that provide the following features to simplify service administration:
The virtual account is automatically managed.
The virtual account can access the network in a domain environment.
No password management is required. For example, if the default value is used for the service accounts
during SQL Server setup on Windows Server 2008 R2, a virtual account that uses the instance name as
the service name is established in the format NT SERVICE\<SERVICENAME>.
Services that run as virtual accounts access network resources by using the credentials of the computer account
in the format <domain_name>\<computer_name>$.
For information about how to configure and use virtual service accounts, see Service Accounts Step-by-Step
Guide.
Software requirements
Virtual accounts apply to the Windows operating systems that are designated in the Applies To list at the
beginning of this topic.
See also
The following table provides links to other resources that are related to standalone managed service accounts,
group-managed service accounts, and virtual accounts.
C O N T EN T T Y P E REF EREN C ES
Applies to
Windows Server 2016 or later
Windows 10 or later
This reference topic for the IT professional describes the default Active Directory security groups.
There are two forms of common security principals in Active Directory: user accounts and computer accounts.
These accounts represent a physical entity (a person or a computer). User accounts can also be used as
dedicated service accounts for some applications. Security groups are used to collect user accounts, computer
accounts, and other groups into manageable units.
In the Windows Server operating system, there are several built-in accounts and security groups that are
preconfigured with the appropriate rights and permissions to perform specific tasks. For Active Directory, there
are two types of administrative responsibilities:
Ser vice administrators Responsible for maintaining and delivering Active Directory Domain Services
(AD DS), including managing domain controllers and configuring the AD DS.
Data administrators Responsible for maintaining the data that is stored in AD DS and on domain
member servers and workstations.
NOTE
In addition to these three scopes, the default groups in the Builtin container have a group scope of Builtin Local. This
group scope and group type cannot be changed.
The following table lists the three group scopes and more information about each scope for a security group.
Group scopes
C A N GRA N T P O SSIB L E M EM B ER
SC O P E P O SSIB L E M EM B ERS SC O P E C O N VERSIO N P ERM ISSIO N S OF
C A N GRA N T P O SSIB L E M EM B ER
SC O P E P O SSIB L E M EM B ERS SC O P E C O N VERSIO N P ERM ISSIO N S OF
Universal Accounts from any Can be converted to On any domain in Other Universal
domain in the same Domain Local the same forest or groups in the same
forest scope if the trusting forests forest
Global groups group is not a Domain
from any domain member of any
in the same other Universal Local groups in
forest groups the same forest
or trusting
Other Universal Can be forests
groups from any converted to
domain in the Global scope if Local groups on
same forest the group does computers in the
not contain any same forest or
other Universal trusting forests
groups
Global Accounts from the Can be converted to On any domain in Universal groups
same domain Universal scope if the the same forest, or from any domain in
Other Global group is not a trusting domains or the same forest
groups from the member of any other forests Other Global
same domain global group groups from the
same domain
Domain Local
groups from any
domain in the
same forest, or
from any trusting
domain
Domain Local Accounts from any Can be converted to Within the same Other Domain Local
domain or any Universal scope if the domain groups from the
trusted domain group does not same domain
Global groups contain any other Local groups on
from any domain Domain Local groups computers in the
or any trusted same domain,
domain excluding built-in
groups that have
Universal groups well-known SIDs
from any domain
in the same
forest
Other Domain
Local groups
from the same
domain
Accounts, Global
groups, and
Universal groups
from other
forests and from
external domains
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
Account Operators
The Account Operators group grants limited account creation privileges to a user. Members of this group can
create and modify most types of accounts, including those of users, local groups, and global groups, and
members can log in locally to domain controllers.
Members of the Account Operators group cannot manage the Administrator user account, the user accounts of
administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print
Operators groups. Members of this group cannot modify user rights.
The Account Operators group applies to versions of the Windows Server operating system listed in the Active
Directory Default Security Groups table.
NOTE
By default, this built-in group has no members, and it can create and manage users and groups in the domain, including
its own membership and that of the Server Operators group. This group is considered a service administrator group
because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the
membership of this group empty, and do not use it for any delegated administration. This group cannot be renamed,
deleted, or moved.
This security group has not changed since Windows Server 2008.
AT T RIB UT E VA L UE
Administrators
Members of the Administrators group have complete and unrestricted access to the computer, or if the
computer is promoted to a domain controller, members have unrestricted access to the domain.
The Administrators group applies to versions of the Windows Server operating system listed in the Active
Directory Default Security Groups table.
NOTE
The Administrators group has built-in capabilities that give its members full control over the system. This group cannot be
renamed, deleted, or moved. This built-in group controls access to all the domain controllers in its domain, and it can
change the membership of all administrative groups.
Membership can be modified by members of the following groups: the default service Administrators, Domain
Admins in the domain, or Enterprise Admins. This group has the special privilege to take ownership of any
object in the directory or any resource on a domain controller. This account is considered a service administrator
group because its members have full access to the domain controllers in the domain.
This security group includes the following changes since Windows Server 2008:
Default user rights changes: Allow log on through Terminal Ser vices existed in Windows
Server 2008, and it was replaced by Allow log on through Remote Desktop Services.
Remove computer from docking station was removed in Windows Server 2012 R2.
AT T RIB UT E VA L UE
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
Backup Operators
Members of the Backup Operators group can back up and restore all files on a computer, regardless of the
permissions that protect those files. Backup Operators also can log on to and shut down the computer. This
group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it can perform
backup and restore operations on domain controllers. Its membership can be modified by the following groups:
default service Administrators, Domain Admins in the domain, or Enterprise Admins. It cannot modify the
membership of any administrative groups. While members of this group cannot change server settings or
modify the configuration of the directory, they do have the permissions needed to replace files (including
operating system files) on domain controllers. Because of this, members of this group are considered service
administrators.
The Backup Operators group applies to versions of the Windows Server operating system listed in the Active
Directory Default Security Groups table.
This security group has not changed since Windows Server 2008.
AT T RIB UT E VA L UE
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
Cert Publishers
Members of the Cert Publishers group are authorized to publish certificates for User objects in Active Directory.
The Cert Publishers group applies to versions of the Windows Server operating system listed in the Active
Directory Default Security Groups table.
This security group has not changed since Windows Server 2008.
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
AT T RIB UT E VA L UE
Type Global
Protected by ADMINSDHOLDER? No
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
Device Owners
This group is not currently used in Windows.
Microsoft does not recommend changing the default configuration where this security group has zero
members. Changing the default configuration could hinder future scenarios that rely on this group.
The Device Owners group applies to versions of the Windows Server operating system listed in the Active
Directory Default Security Groups table.
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
Safe to move out of default container? Can be moved out but it is not recommended
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
DnsUpdateProxy
Members of the DnsUpdateProxy group are DNS clients. They are permitted to perform dynamic updates on
behalf of other clients (such as DHCP servers). A DNS server can develop stale resource records when a DHCP
server is configured to dynamically register host (A) and pointer (PTR) resource records on behalf of DHCP
clients by using dynamic update. Adding clients to this security group mitigates this scenario.
However, to protect against unsecured records or to permit members of the DnsUpdateProxy group to register
records in zones that allow only secured dynamic updates, you must create a dedicated user account and
configure DHCP servers to perform DNS dynamic updates by using the credentials of this account (user name,
password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account. This
group exists only if the DNS server role is or was once installed on a domain controller in the domain.
For information, see DNS Record Ownership and the DnsUpdateProxy Group.
This security group has not changed since Windows Server 2008.
AT T RIB UT E VA L UE
Type Global
Protected by ADMINSDHOLDER? No
DnsAdmins
Members of DNSAdmins group have access to network DNS information. The default permissions are as
follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group exists
only if the DNS server role is or was once installed on a domain controller in the domain.
For more information about security and DNS, see DNSSEC in Windows Server 2012.
This security group has not changed since Windows Server 2008.
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
Domain Admins
Members of the Domain Admins security group are authorized to administer the domain. By default, the
Domain Admins group is a member of the Administrators group on all computers that have joined a domain,
including the domain controllers. The Domain Admins group is the default owner of any object that is created in
Active Directory for the domain by any member of the group. If members of the group create other objects,
such as files, the default owner is the Administrators group.
The Domain Admins group controls access to all domain controllers in a domain, and it can modify the
membership of all administrative accounts in the domain. Membership can be modified by members of the
service administrator groups in its domain (Administrators and Domain Admins), and by members of the
Enterprise Admins group. This is considered a service administrator account because its members have full
access to the domain controllers in a domain.
The Domain Admins group applies to versions of the Windows Server operating system listed in the Active
Directory Default Security Groups table.
This security group has not changed since Windows Server 2008.
AT T RIB UT E VA L UE
Type Global
Domain Computers
This group can include all computers and servers that have joined the domain, excluding domain controllers. By
default, any computer account that is created automatically becomes a member of this group.
The Domain Computers group applies to versions of the Windows Server operating system listed in the Active
Directory Default Security Groups table.
This security group has not changed since Windows Server 2008.
AT T RIB UT E VA L UE
Type Global
Protected by ADMINSDHOLDER? No
Domain Controllers
The Domain Controllers group can include all domain controllers in the domain. New domain controllers are
automatically added to this group.
The Domain Controllers group applies to versions of the Windows Server operating system listed in the Active
Directory Default Security Groups table.
This security group has not changed since Windows Server 2008.
AT T RIB UT E VA L UE
Type Global
Default members Computer accounts for all domain controllers of the domain
Domain Guests
The Domain Guests group includes the domain’s built-in Guest account. When members of this group sign in as
local guests on a domain-joined computer, a domain profile is created on the local computer.
The Domain Guests group applies to versions of the Windows Server operating system listed in the Active
Directory Default Security Groups table.
This security group has not changed since Windows Server 2008.
AT T RIB UT E VA L UE
Type Global
Safe to move out of default container? Can be moved out but it is not recommended
Domain Users
The Domain Users group includes all user accounts in a domain. When you create a user account in a domain, it
is automatically added to this group.
By default, any user account that is created in the domain automatically becomes a member of this group. This
group can be used to represent all users in the domain. For example, if you want all domain users to have access
to a printer, you can assign permissions for the printer to this group (or add the Domain Users group to a local
group on the print server that has permissions for the printer).
The Domain Users group applies to versions of the Windows Server operating system listed in the Active
Directory Default Security Groups table.
This security group has not changed since Windows Server 2008.
AT T RIB UT E VA L UE
Type Global
krbtgt
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
Enterprise Admins
The Enterprise Admins group exists only in the root domain of an Active Directory forest of domains. It is a
Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode. Members
of this group are authorized to make forest-wide changes in Active Directory, such as adding child domains.
By default, the only member of the group is the Administrator account for the forest root domain. This group is
automatically added to the Administrators group in every domain in the forest, and it provides complete access
for configuring all domain controllers. Members in this group can modify the membership of all administrative
groups. Membership can be modified only by the default service administrator groups in the root domain. This
is considered a service administrator account.
The Enterprise Admins group applies to versions of the Windows Server operating system listed in the Active
Directory Default Security Groups table.
This security group has not changed since Windows Server 2008.
AT T RIB UT E VA L UE
AT T RIB UT E VA L UE
Type Global
AT T RIB UT E VA L UE
Type Universal
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
Type Global
Protected by ADMINSDHOLDER? No
Guests
Members of the Guests group have the same access as members of the Users group by default, except that the
Guest account has further restrictions. By default, the only member is the Guest account. The Guests group
allows occasional or one-time users to sign in with limited privileges to a computer’s built-in Guest account.
When a member of the Guests group signs out, the entire profile is deleted. This includes everything that is
stored in the %userprofile% directory, including the user's registry hive information, custom desktop icons,
and other user-specific settings. This implies that a guest must use a temporary profile to sign in to the system.
This security group interacts with the Group Policy setting Do not logon users with temporar y profiles
when it is enabled. This setting is located under the following path:
Computer Configuration\Administrative Templates\System\User Profiles
NOTE
A Guest account is a default member of the Guests security group. People who do not have an actual account in the
domain can use the Guest account. A user whose account is disabled (but not deleted) can also use the Guest account.
The Guest account does not require a password. You can set rights and permissions for the Guest account as in
any user account. By default, the Guest account is a member of the built-in Guests group and the Domain Guests
global group, which allows a user to sign in to a domain. The Guest account is disabled by default, and we
recommend that it stay disabled.
The Guests group applies to versions of the Windows Server operating system listed in the Active Directory
Default Security Groups table.
This security group has not changed since Windows Server 2008.
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
Hyper-V Administrators
Members of the Hyper-V Administrators group have complete and unrestricted access to all the features in
Hyper-V. Adding members to this group helps reduce the number of members required in the Administrators
group, and further separates access.
NOTE
Prior to Windows Server 2012, access to features in Hyper-V was controlled in part by membership in the Administrators
group.
This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
IIS_IUSRS
IIS_IUSRS is a built-in group that is used by Internet Information Services beginning with IIS 7.0. A built-in
account and group are guaranteed by the operating system to always have a unique SID. IIS 7.0 replaces the
IUSR_MachineName account and the IIS_WPG group with the IIS_IUSRS group to ensure that the actual names
that are used by the new account and group will never be localized. For example, regardless of the language of
the Windows operating system that you install, the IIS account name will always be IUSR, and the group name
will be IIS_IUSRS.
For more information, see Understanding Built-In User and Group Accounts in IIS 7.
This security group has not changed since Windows Server 2008.
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
NOTE
This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations
master role (also known as flexible single master operations or FSMO).
For more information, see How Domain and Forest Trusts Work: Domain and Forest Trusts.
The Incoming Forest Trust Builders group applies to versions of the Windows Server operating system listed in
the Active Directory Default Security Groups table.
NOTE
This group cannot be renamed, deleted, or moved.
This security group has not changed since Windows Server 2008.
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
Key Admins
Members of this group can perform administrative actions on key objects within the domain.
The Key Admins group applies to versions of the Windows Server operating system listed in the Active
Directory Default Security Groups table.
AT T RIB UT E VA L UE
Type Global
NOTE
This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations
master role (also known as flexible single master operations or FSMO).
The Network Configuration Operators group applies to versions of the Windows Server operating system listed
in the Active Directory Default Security Groups table.
NOTE
This group cannot be renamed, deleted, or moved.
This security group has not changed since Windows Server 2008.
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
WARNING
If you are a member of the Performance Log Users group, you must configure Data Collector Sets that you create
to run under your credentials.
NOTE
In Windows Server 2016 or later, Data Collector Sets cannot be created by a member of the Performance Log
Users group. If a member of the Performance Log Users group tries to create Data Collector Sets, they cannot
complete creation because access will be denied.
Cannot use the Windows Kernel Trace event provider in Data Collector Sets.
For members of the Performance Log Users group to initiate data logging or modify Data Collector Sets, the
group must first be assigned the Log on as a batch job user right. To assign this user right, use the Local Security
Policy snap-in in Microsoft Management Console.
NOTE
This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations
master role (also known as flexible single master operations or FSMO).
The Performance Log Users group applies to versions of the Windows Server operating system listed in the
Active Directory Default Security Groups table.
NOTE
This account cannot be renamed, deleted, or moved.
This security group has not changed since Windows Server 2008.
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
WARNING
You cannot configure a Data Collector Set to run as a member of the Performance Monitor Users group.
NOTE
This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations
master role (also known as flexible single master operations or FSMO). This group cannot be renamed, deleted, or moved.
The Performance Monitor Users group applies to versions of the Windows Server operating system listed in the
Active Directory Default Security Groups table.
This security group has not changed since Windows Server 2008.
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
WARNING
This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations
master role (also known as flexible single master operations or FSMO).
The Pre–Windows 2000 Compatible Access group applies to versions of the Windows Server operating system
listed in the Active Directory Default Security Groups table.
This security group has not changed since Windows Server 2008.
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
AT T RIB UT E VA L UE
Print Operators
Members of this group can manage, create, share, and delete printers that are connected to domain controllers
in the domain. They can also manage Active Directory printer objects in the domain. Members of this group can
locally sign in to and shut down domain controllers in the domain.
This group has no default members. Because members of this group can load and unload device drivers on all
domain controllers in the domain, add users with caution. This group cannot be renamed, deleted, or moved.
The Print Operators group applies to versions of the Windows Server operating system listed in the Active
Directory Default Security Groups table.
This security group has not changed since Windows Server 2008. However, in Windows Server 2008 R2,
functionality was added to manage print administration. For more information, see Assign Delegated Print
Administrator and Printer Permission Settings in Windows Server 2012.
AT T RIB UT E VA L UE
Protected Users
Members of the Protected Users group are afforded additional protection against the compromise of credentials
during authentication processes.
This security group is designed as part of a strategy to effectively protect and manage credentials within the
enterprise. Members of this group automatically have non-configurable protection applied to their accounts.
Membership in the Protected Users group is meant to be restrictive and proactively secure by default. The only
method to modify the protection for an account is to remove the account from the security group.
This domain-related, global group triggers non-configurable protection on devices and host computers, starting
with the Windows Server 2012 R2 and Windows 8.1 operating systems. It also triggers non-configurable
protection on domain controllers in domains with a primary domain controller running Windows Server 2012
R2 or Windows Server 2016. This greatly reduces the memory footprint of credentials when users sign in to
computers on the network from a non-compromised computer.
Depending on the account’s domain functional level, members of the Protected Users group are further
protected due to behavior changes in the authentication methods that are supported in Windows.
Members of the Protected Users group cannot authenticate by using the following Security Support
Providers (SSPs): NTLM, Digest Authentication, or CredSSP. Passwords are not cached on a device running
Windows 8.1 or Windows 10, so the device fails to authenticate to a domain when the account is a
member of the Protected User group.
The Kerberos protocol will not use the weaker DES or RC4 encryption types in the preauthentication
process. This means that the domain must be configured to support at least the AES cipher suite.
The user’s account cannot be delegated with Kerberos constrained or unconstrained delegation. This
means that former connections to other systems may fail if the user is a member of the Protected Users
group.
The default Kerberos ticket-granting tickets (TGTs) lifetime setting of four hours is configurable by using
Authentication Policies and Silos, which can be accessed through the Active Directory Administrative
Center. This means that when four hours has passed, the user must authenticate again.
The Protected Users group applies to versions of the Windows Server operating system listed in the Active
Directory Default Security Groups table.
This group was introduced in Windows Server 2012 R2. For more information about how this group works, see
Protected Users Security Group.
The following table specifies the properties of the Protected Users group.
AT T RIB UT E VA L UE
Type Global
Protected by ADMINSDHOLDER? No
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
AT T RIB UT E VA L UE
Type Global
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
Replicator
Computers that are members of the Replicator group support file replication in a domain. Windows Server
operating systems use the File Replication service (FRS) to replicate system policies and logon scripts stored in
the System Volume (SYSVOL). Each domain controller keeps a copy of SYSVOL for network clients to access.
FRS can also replicate data for the Distributed File System (DFS), synchronizing the content of each member in a
replica set as defined by DFS. FRS can copy and maintain shared files and folders on multiple servers
simultaneously. When changes occur, content is synchronized immediately within sites and by a schedule
between sites.
WARNING
In Windows Server 2008 R2, FRS cannot be used for replicating DFS folders or custom (non-SYSVOL) data. A Windows
Server 2008 R2 domain controller can still use FRS to replicate the contents of a SYSVOL shared resource in a domain
that uses FRS for replicating the SYSVOL shared resource between domain controllers.
However, Windows Server 2008 R2 servers cannot use FRS to replicate the contents of any replica set apart
from the SYSVOL shared resource. The DFS Replication service is a replacement for FRS, and it can be used to
replicate the contents of a SYSVOL shared resource, DFS folders, and other custom (non-SYSVOL) data. You
should migrate all non-SYSVOL FRS replica sets to DFS Replication. For more information, see:
File Replication Service (FRS) Is Deprecated in Windows Server 2008 R2 (Windows)
DFS Namespaces and DFS Replication Overview
This security group has not changed since Windows Server 2008.
AT T RIB UT E VA L UE
Schema Admins
Members of the Schema Admins group can modify the Active Directory schema. This group exists only in the
root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is
a Global group if the domain is in mixed mode.
The group is authorized to make schema changes in Active Directory. By default, the only member of the group
is the Administrator account for the forest root domain. This group has full administrative access to the schema.
The membership of this group can be modified by any of the service administrator groups in the root domain.
This is considered a service administrator account because its members can modify the schema, which governs
the structure and content of the entire directory.
For more information, see What Is the Active Directory Schema?: Active Directory.
The Schema Admins group applies to versions of the Windows Server operating system listed in the Active
Directory Default Security Groups table.
This security group has not changed since Windows Server 2008.
AT T RIB UT E VA L UE
Server Operators
Members in the Server Operators group can administer domain controllers. This group exists only on domain
controllers. By default, the group has no members. Members of the Server Operators group can sign in to a
server interactively, create and delete network shared resources, start and stop services, back up and restore
files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed,
deleted, or moved.
By default, this built-in group has no members, and it has access to server configuration options on domain
controllers. Its membership is controlled by the service administrator groups Administrators and Domain
Admins in the domain, and the Enterprise Admins group in the forest root domain. Members in this group
cannot change any administrative group memberships. This is considered a service administrator account
because its members have physical access to domain controllers, they can perform maintenance tasks (such as
backup and restore), and they have the ability to change binaries that are installed on the domain controllers.
Note the default user rights in the following table.
The Server Operators group applies to versions of the Windows Server operating system listed in the Active
Directory Default Security Groups table.
This security group has not changed since Windows Server 2008.
AT T RIB UT E VA L UE
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
NOTE
This group cannot be renamed, deleted, or moved.
This security group only applies to Windows Server 2003 and Windows Server 2008 because Terminal Services
was replaced by Remote Desktop Services in Windows Server 2008 R2.
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
AT T RIB UT E VA L UE
Users
Members of the Users group are prevented from making accidental or intentional system-wide changes, and
they can run most applications. After the initial installation of the operating system, the only member is the
Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users
group on the computer.
Users can perform tasks such as running applications, using local and network printers, shutting down the
computer, and locking the computer. Users can install applications that only they are allowed to use if the
installation program of the application supports per-user installation. This group cannot be renamed, deleted, or
moved.
The Users group applies to versions of the Windows Server operating system listed in the Active Directory
Default Security Groups table.
This security group includes the following changes since Windows Server 2008:
In Windows Server 2008 R2, INTERACTIVE was added to the default members list.
In Windows Server 2012, the default Member Of list changed from Domain Users to none.
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
NOTE
This group cannot be renamed, deleted, or moved.
This security group has not changed since Windows Server 2008.
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
WinRMRemoteWMIUsers_
In Windows 8 and in Windows Server 2012, a Share tab was added to the Advanced Security Settings user
interface. This tab displays the security properties of a remote file share. To view this information, you must have
the following permissions and memberships, as appropriate for the version of Windows Server that the file
server is running.
The WinRMRemoteWMIUsers_ group applies to versions of the Windows Server operating system listed in the
Active Directory Default Security Groups table.
If the file share is hosted on a server that is running a supported version of the operating system:
You must be a member of the WinRMRemoteWMIUsers__ group or the BUILTIN\Administrators
group.
You must have Read permissions to the file share.
If the file share is hosted on a server that is running a version of Windows Server that is earlier than
Windows Server 2012:
You must be a member of the BUILTIN\Administrators group.
You must have Read permissions to the file share.
In Windows Server 2012, the Access Denied Assistance functionality adds the Authenticated Users group to the
local WinRMRemoteWMIUsers__ group. Therefore, when the Access Denied Assistance functionality is enabled,
all authenticated users who have Read permissions to the file share can view the file share permissions.
NOTE
The WinRMRemoteWMIUsers_ group allows running Windows PowerShell commands remotely whereas the Remote
Management Users group is generally used to allow users to manage servers by using the Server Manager console.
This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
AT T RIB UT E VA L UE
Protected by ADMINSDHOLDER? No
See also
Security Principals
Special Identities
Access Control Overview
Special Identities
3/3/2022 • 12 minutes to read • Edit Online
Applies to
Windows Server 2016 or later
This reference topic for the IT professional describes the special identity groups (which are sometimes referred
to as security groups) that are used in Windows access control.
Special identity groups are similar to Active Directory security groups as listed in the users and built-in
containers. Special identity groups can provide an efficient way to assign access to resources in your network.
By using special identity groups, you can:
Assign user rights to security groups in Active Directory.
Assign permissions to security groups for the purpose of accessing resources.
Servers that are running the supported Windows Server operating systems designated in the Applies To list at
the beginning of this topic include several special identity groups. These special identity groups do not have
specific memberships that can be modified, but they can represent different users at different times, depending
on the circumstances.
Although the special identity groups can be assigned rights and permissions to resources, the memberships
cannot be modified or viewed. Group scopes do not apply to special identity groups. Users are automatically
assigned to these special identity groups whenever they sign in or access a particular resource.
For information about security groups and group scope, see Active Directory Security Groups.
The special identity groups are described in the following tables:
Anonymous Logon
Authenticated Users
Batch
Creator Group
Creator Owner
Dialup
Digest Authentication
Enterprise Domain Controllers
Everyone
Interactive
Local Service
LocalSystem
Network
Network Service
NTLM Authentication
Other Organization
Principal Self
Remote Interactive Logon
Restricted
SChannel Authentication
Service
Terminal Server User
This Organization
Window Manager\Window Manager Group
Anonymous Logon
Any user who accesses the system through an anonymous logon has the Anonymous Logon identity. This
identity allows anonymous access to resources, such as a web page that is published on corporate servers. The
Anonymous Logon group is not a member of the Everyone group by default.
AT T RIB UT E VA L UE
AT T RIB UT E VA L UE
Authenticated Users
Any user who accesses the system through a sign-in process has the Authenticated Users identity. This identity
allows access to shared resources within the domain, such as files in a shared folder that should be accessible to
all the workers in the organization. Membership is controlled by the operating system.
AT T RIB UT E VA L UE
AT T RIB UT E VA L UE
Batch
Any user or process that accesses the system as a batch job (or through the batch queue) has the Batch identity.
This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files.
Membership is controlled by the operating system.
AT T RIB UT E VA L UE
Console Logon
A group that includes users who are logged on to the physical console. This SID can be used to implement
security policies that grant different rights based on whether a user has been granted physical access to the
console.
AT T RIB UT E VA L UE
Creator Group
The person who created the file or the directory is a member of this special identity group. Windows Server
operating systems use this identity to automatically grant access permissions to the creator of a file or directory.
A placeholder security identifier (SID) is created in an inheritable access control entry (ACE). When the ACE is
inherited, the system replaces this SID with the SID for the primary group of the object’s current owner. The
primary group is used only by the Portable Operating System Interface for UNIX (POSIX) subsystem.
AT T RIB UT E VA L UE
Creator Owner
The person who created the file or the directory is a member of this special identity group. Windows Server
operating systems use this identity to automatically grant access permissions to the creator of a file or directory.
A placeholder SID is created in an inheritable ACE. When the ACE is inherited, the system replaces this SID with
the SID for the object’s current owner.
AT T RIB UT E VA L UE
Dialup
Any user who accesses the system through a dial-up connection has the Dial-Up identity. This identity
distinguishes dial-up users from other types of authenticated users.
AT T RIB UT E VA L UE
Digest Authentication
AT T RIB UT E VA L UE
AT T RIB UT E VA L UE
Everyone
All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special
identity group gives wide access to system resources. Whenever a user logs on to the network, the user is
automatically added to the Everyone group.
On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group
as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users
and Guest; and it no longer includes Anonymous Logon by default (although this can be changed, using Registry
Editor, by going to the Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key
and setting the value of ever yoneincludesanonymous DWORD to 1).
Membership is controlled by the operating system.
AT T RIB UT E VA L UE
AT T RIB UT E VA L UE
Interactive
Any user who is logged on to the local system has the Interactive identity. This identity allows only local users to
access a resource. Whenever a user accesses a given resource on the computer to which they are currently
logged on, the user is automatically added to the Interactive group. Membership is controlled by the operating
system.
AT T RIB UT E VA L UE
IUSR
Internet Information Services (IIS) uses this account by default whenever anonymous authentication is enabled.
AT T RIB UT E VA L UE
Key Trust
A SID that means the client's identity is based on proof of possession of public key credentials using the key
trust object.
AT T RIB UT E VA L UE
Local Service
The Local Service account is similar to an Authenticated User account. The Local Service account has the same
level of access to resources and objects as members of the Users group. This limited access helps safeguard
your system if individual services or processes are compromised. Services that run as the Local Service account
access network resources as a null session with anonymous credentials. The name of the account is NT
AUTHORITY\LocalService. This account does not have a password.
AT T RIB UT E VA L UE
LocalSystem
This is a service account that is used by the operating system. The LocalSystem account is a powerful account
that has full access to the system and acts as the computer on the network. If a service logs on to the
LocalSystem account on a domain controller, that service has access to the entire domain. Some services are
configured by default to log on to the LocalSystem account. Do not change the default service setting. The name
of the account is LocalSystem. This account does not have a password.
AT T RIB UT E VA L UE
AT T RIB UT E VA L UE
Network
This group implicitly includes all users who are logged on through a network connection. Any user who accesses
the system through a network has the Network identity. This identity allows only remote users to access a
resource. Whenever a user accesses a given resource over the network, the user is automatically added to the
Network group. Membership is controlled by the operating system.
AT T RIB UT E VA L UE
Network Service
The Network Service account is similar to an Authenticated User account. The Network Service account has the
same level of access to resources and objects as members of the Users group. This limited access helps
safeguard your system if individual services or processes are compromised. Services that run as the Network
Service account access network resources by using the credentials of the computer account. The name of the
account is NT AUTHORITY\NetworkService. This account does not have a password.
AT T RIB UT E VA L UE
NTLM Authentication
AT T RIB UT E VA L UE
Other Organization
This group implicitly includes all users who are logged on to the system through a dial-up connection.
Membership is controlled by the operating system.
AT T RIB UT E VA L UE
Owner Rights
A group that represents the current owner of the object. When an ACE that carries this SID is applied to an
object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner.
AT T RIB UT E VA L UE
Principal Self
This identity is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant
permissions to Principal Self, you grant them to the security principal that is represented by the object. During
an access check, the operating system replaces the SID for Principal Self with the SID for the security principal
that is represented by the object.
AT T RIB UT E VA L UE
Proxy
Identifies a SECURITY_NT_AUTHORITY Proxy.
AT T RIB UT E VA L UE
AT T RIB UT E VA L UE
Restricted
Users and computers with restricted capabilities have the Restricted identity. This identity group is used by a
process that is running in a restricted security context, such as running an application with the RunAs service.
When code runs at the Restricted security level, the Restricted SID is added to the user’s access token.
AT T RIB UT E VA L UE
SChannel Authentication
AT T RIB UT E VA L UE
Service
Any service that accesses the system has the Service identity. This identity group includes all security principals
that are signed in as a service. This identity grants access to processes that are being run by Windows Server
services. Membership is controlled by the operating system.
AT T RIB UT E VA L UE
AT T RIB UT E VA L UE
AT T RIB UT E VA L UE
This Organization
AT T RIB UT E VA L UE
Well-Known SID/RID
Object Class
See also
Active Directory Security Groups
Security Principals
Access Control Overview
User Account Control
3/3/2022 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Windows Server 2016 and above
User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a
better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator
account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block
the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
UAC allows all users to log on to their computers using a standard user account. Processes launched using a
standard user token may perform tasks using access rights granted to a standard user. For instance, Windows
Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using
Windows Explorer (for example, by double-clicking a shortcut) also run with the standard set of user
permissions. Many apps, including those that are included with the operating system itself, are designed to work
properly in this way.
Other apps, especially those that were not specifically designed with security settings in mind, often require
additional permissions to run successfully. These types of apps are referred to as legacy apps. Additionally,
actions such as installing new software and making configuration changes to the Windows Firewall, require
more permissions than what is available to a standard user account.
When an app needs to run with more than standard user rights, UAC allows users to run apps with their
administrator token (with administrative groups and privileges) instead of their default, standard user access
token. Users continue to operate in the standard user security context, while enabling certain apps to run with
elevated privileges, if needed.
Practical applications
Admin Approval Mode in UAC helps prevent malware from silently installing without an administrator's
knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a
higher level of compliance where administrators must actively consent or provide credentials for each
administrative process.
In this section
TO P IC DESC RIP T IO N
How User Account Control works User Account Control (UAC) is a fundamental component of
Microsoft's overall security vision. UAC helps mitigate the
impact of malware.
User Account Control security policy settings You can use security policies to configure how User Account
Control works in your organization. They can be configured
locally by using the Local Security Policy snap-in (secpol.msc)
or configured for the domain, OU, or specific groups by
Group Policy.
TO P IC DESC RIP T IO N
User Account Control Group Policy and registry key settings Here's a list of UAC Group Policy and registry key settings
that your organization can use to manage UAC.
How User Account Control works
3/3/2022 • 14 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Windows Server 2016 and above
User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps
mitigate the impact of malware.
By default, standard users and administrators access resources and run apps in the security context of standard
users. When a user logs on to a computer, the system creates an access token for that user. The access token
contains information about the level of access that the user is granted, including specific security identifiers
(SIDs) and Windows privileges.
When an administrator logs on, two separate access tokens are created for the user: a standard user access
token and an administrator access token. The standard user access token contains the same user-specific
information as the administrator access token, but the administrative Windows privileges and SIDs are removed.
The standard user access token is used to start apps that do not perform administrative tasks (standard user
apps). The standard user access token is then used to display the desktop (explorer.exe). Explorer.exe is the
parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as
a standard user unless a user provides consent or credentials to approve an app to use a full administrative
access token.
A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a
standard user access token. When the administrator needs to perform a task that requires the administrator
access token, Windows 10 or Windows 11 automatically prompts the user for approval. This prompt is called an
elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or
Group Policy. For more info, see User Account Control security policy settings.
The UAC User Experience
When UAC is enabled, the user experience for standard users is different from that of administrators in Admin
Approval Mode. The recommended and more secure method of running Windows 10 or Windows 11 is to make
your primary user account a standard user account. Running as a standard user helps to maximize security for a
managed environment. With the built-in UAC elevation component, standard users can easily perform an
administrative task by entering valid credentials for a local administrator account. The default, built-in UAC
elevation component for standard users is the credential prompt.
The alternative to running as a standard user is to run as an administrator in Admin Approval Mode. With the
built-in UAC elevation component, members of the local Administrators group can easily perform an
administrative task by providing approval. The default, built-in UAC elevation component for an administrator
account in Admin Approval Mode is called the consent prompt.
The consent and credential prompts
With UAC enabled, Windows 10 or Windows 11 prompts for consent or prompts for credentials of a valid local
administrator account before starting a program or task that requires a full administrator access token. This
prompt ensures that no malicious software can be silently installed.
The consent prompt
The consent prompt is presented when a user attempts to perform a task that requires a user's administrative
access token. The following is an example of the UAC consent prompt.
UAC Architecture
The following diagram details the UAC architecture.
To better understand each component, review the table below:
User
C O M P O N EN T DESC RIP T IO N
User performs operation requiring privilege If the operation changes the file system or registry,
Virtualization is called. All other operations call
ShellExecute.
System
C O M P O N EN T DESC RIP T IO N
Application Information service A system service that helps start apps that require one
or more elevated privileges or user rights to run, such as
local administrative tasks, and apps that require higher
integrity levels. The Application Information service helps
start such apps by creating a new process for the
application with an administrative user's full access token
when elevation is required and (depending on Group
Policy) consent is given by the user to do so.
Elevating an ActiveX install If ActiveX is not installed, the system checks the UAC
slider level. If ActiveX is installed, the User Account
Control: Switch to the secure desktop when
prompting for elevation Group Policy setting is
checked.
Check UAC slider level UAC has a slider to select from four levels of notification.
Always notify will:
Notify you when programs try to install
software or make changes to your computer.
Notify you when you make changes to
Windows settings.
Freeze other tasks until you respond.
Recommended if you often install new software
or visit unfamiliar websites.
Notify me only when programs tr y to
make changes to my computer will:
Notify you when programs try to install
software or make changes to your computer.
Not notify you when you make changes to
Windows settings.
Freeze other tasks until you respond.
Recommended if you do not often install apps or
visit unfamiliar websites.
Notify me only when programs tr y to
make changes to my computer (do not
dim my desktop) will:
Notify you when programs try to install
software or make changes to your computer.
Not notify you when you make changes to
Windows settings.
Not freeze other tasks until you respond.
Not recommended. Choose this only if it takes a
long time to dim the desktop on your computer.
Never notify (Disable UAC prompts) will:
Not notify you when programs try to install
software or make changes to your computer.
Not notify you when you make changes to
Windows settings.
Not freeze other tasks until you respond.
Not recommended due to security concerns.
C O M P O N EN T DESC RIP T IO N
Secure desktop enabled The User Account Control: Switch to the secure
desktop when prompting for elevation policy
setting is checked:
If the secure desktop is enabled, all elevation
requests go to the secure desktop regardless of
prompt behavior policy settings for
administrators and standard users.
If the secure desktop is not enabled, all elevation
requests go to the interactive user's desktop, and
the per-user settings for administrators and
standard users are used.
Kernel
C O M P O N EN T DESC RIP T IO N
File system and registry The per-user file and registry virtualization redirects per-
computer registry and file write requests to equivalent
per-user locations. Read requests are redirected to the
virtualized per-user location first and to the per-
computer location second.
The slider will never turn UAC completely off. If you set it to Never notify , it will:
Keep the UAC service running.
Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt.
Automatically deny all elevation requests for standard users.
IMPORTANT
In order to fully disable UAC you must disable the policy User Account Control: Run all administrators in Admin
Approval Mode .
WARNING
Some Universal Windows Platform apps may not work when UAC is disabled.
Virtualization
Because system administrators in enterprise environments attempt to secure systems, many line-of-business
(LOB) applications are designed to use only a standard user access token. As a result, you do not need to replace
the majority of apps when UAC is turned on.
Windows 10 and Windows 11 include file and registry virtualization technology for apps that are not UAC-
compliant and that require an administrator's access token to run correctly. When an administrative apps that is
not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own
virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's
profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant
app.
Most app tasks operate properly by using virtualization features. Although virtualization allows a majority of
applications to run, it is a short-term fix and not a long-term solution. App developers should modify their apps
to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization.
Virtualization is not an option in the following scenarios:
Virtualization does not apply to apps that are elevated and run with a full administrative access token.
Virtualization supports only 32-bit apps. Non-elevated 64-bit apps simply receive an access denied
message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native
Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations.
Virtualization is disabled if the app includes an app manifest with a requested execution level attribute.
Request execution levels
An app manifest is an XML file that describes and identifies the shared and private side-by-side assemblies that
an app should bind to at run time. The app manifest includes entries for UAC app compatibility purposes.
Administrative apps that include an entry in the app manifest prompt the user for permission to access the
user's access token. Although they lack an entry in the app manifest, most administrative app can run without
modification by using app compatibility fixes. App compatibility fixes are database entries that enable
applications that are not UAC-compliant to work properly.
All UAC-compliant apps should have a requested execution level added to the application manifest. If the
application requires administrative access to the system, then marking the app with a requested execution level
of "require administrator" ensures that the system identifies this program as an administrative app and
performs the necessary elevation steps. Requested execution levels specify the privileges required for an app.
Installer detection technology
Installation programs are apps designed to deploy software. Most installation programs write to system
directories and registry keys. These protected system locations are typically writeable only by an administrator
in Installer detection technology, which means that standard users do not have sufficient access to install
programs. Windows 10 and Windows 11 heuristically detect installation programs and requests administrator
credentials or approval from the administrator user in order to run with access privileges. Windows 10 and
Windows 11 also heuristically detect updates and programs that uninstall applications. One of the design goals
of UAC is to prevent installations from being run without the user's knowledge and consent because installation
programs write to protected areas of the file system and registry.
Installer detection only applies to:
32-bit executable files.
Applications without a requested execution level attribute.
Interactive processes running as a standard user with UAC enabled.
Before a 32-bit process is created, the following attributes are checked to determine whether it is an installer:
The file name includes keywords such as "install," "setup," or "update."
Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File
Description, Original Filename, Internal Name, and Export Name.
Keywords in the side-by-side manifest are embedded in the executable file.
Keywords in specific StringTable entries are linked in the executable file.
Key attributes in the resource script data are linked in the executable file.
There are targeted sequences of bytes within the executable file.
NOTE
The keywords and sequences of bytes were derived from common characteristics observed from various installer
technologies.
NOTE
The User Account Control: Detect application installations and prompt for elevation policy setting must be enabled for
installer detection to detect installation programs. For more info, see User Account Control security policy settings.
User Account Control security policy settings
3/3/2022 • 6 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Windows Server 2016 and above
You can use security policies to configure how User Account Control works in your organization. They can be
configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or
specific groups by Group Policy.
Prompt for credentials on the secure desktop When an operation requires elevation of privilege,
the user is prompted on the secure desktop to enter a privileged user name and password. If the user
enters valid credentials, the operation continues with the user's highest available privilege.
Prompt for consent on the secure desktop When an operation requires elevation of privilege, the
user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the
operation continues with the user's highest available privilege.
Prompt for credentials When an operation requires elevation of privilege, the user is prompted to
enter an administrative user name and password. If the user enters valid credentials, the operation
continues with the applicable privilege.
Prompt for consent When an operation requires elevation of privilege, the user is prompted to select
either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available
privilege.
Prompt for consent for non-Windows binaries (Default) When an operation for a non-Microsoft
application requires elevation of privilege, the user is prompted on the secure desktop to select either
Permit or Deny. If the user selects Permit, the operation continues with the user's highest available
privilege.
User Account Control: Only elevate executable files that are signed
and validated
This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that
request elevation of privilege. Enterprise administrators can control which applications are allowed to run by
adding certificates to the Trusted Publishers certificate store on local computers.
Enabled Enforces the certificate certification path validation for a given executable file before it is permitted
to run.
Disabled (Default) Does not enforce the certificate certification path validation before a given executable file
is permitted to run.
Note: Windows enforces a digital signature check on any interactive app that requests to run with a
UIAccess integrity level regardless of the state of this security setting.
Enabled (Default) If an app resides in a secure location in the file system, it runs only with UIAccess integrity.
Disabled An app runs with UIAccess integrity even if it does not reside in a secure location in the file system.
User Account Control: Virtualize file and registry write failures to per-
user locations
This policy setting controls whether application write failures are redirected to defined registry and file system
locations. This policy setting mitigates applications that run as administrator and write run-time application data
to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.
Enabled (Default) App write failures are redirected at run time to defined user locations for both the file
system and registry.
Disabled Apps that write data to protected locations fail.
User Account Control Group Policy and registry key
settings
3/3/2022 • 12 minutes to read • Edit Online
Applies to
Windows 10
Windows 11
Windows Server 2016 and above
User Account Control: Behavior of the ConsentPromptBehaviorAdmin Prompt for consent for non-Windows
elevation prompt for administrators in binaries
Admin Approval Mode
User Account Control: Admin Approval Mode for the built-in Administrator account
The User Account Control: Admin Approval Mode for the built-in Administrator account policy
setting controls the behavior of Admin Approval Mode for the built-in Administrator account.
The options are:
Enabled. The built-in Administrator account uses Admin Approval Mode. By default, any operation that
requires elevation of privilege will prompt the user to approve the operation.
Disabled. (Default) The built-in Administrator account runs all applications with full administrative privilege.
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
The User Account Control: Allow UIAccess applications to prompt for elevation without using the
secure desktop policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can
automatically disable the secure desktop for elevation prompts used by a standard user.
The options are:
Enabled. UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for
elevation prompts. If you do not disable the User Account Control: Switch to the secure desktop
when prompting for elevation policy setting, the prompts appear on the interactive user's desktop
instead of the secure desktop.
Disabled. (Default) The secure desktop can be disabled only by the user of the interactive desktop or by
disabling the User Account Control: Switch to the secure desktop when prompting for elevation
policy setting.
UIA programs are designed to interact with Windows and application programs on behalf of a user. This policy
setting allows UIA programs to bypass the secure desktop to increase usability in certain cases; however,
allowing elevation requests to appear on the interactive desktop instead of the secure desktop can increase your
security risk.
UIA programs must be digitally signed because they must be able to respond to prompts regarding security
issues, such as the UAC elevation prompt. By default, UIA programs are run only from the following protected
paths:
...\Program Files, including subfolders
...\Program Files (x86), including subfolders for 64-bit versions of Windows
...\Windows\System32
The User Account Control: Only elevate UIAccess applications that are installed in secure locations
policy setting disables the requirement to be run from a protected path.
While this policy setting applies to any UIA program, it is primarily used in certain remote assistance scenarios,
including the Windows Remote Assistance program in Windows 7.
If a user requests remote assistance from an administrator and the remote assistance session is established, any
elevation prompts appear on the interactive user's secure desktop and the administrator's remote session is
paused. To avoid pausing the remote administrator's session during elevation requests, the user may select the
Allow IT Exper t to respond to User Account Control prompts check box when setting up the remote
assistance session. However, selecting this check box requires that the interactive user respond to an elevation
prompt on the secure desktop. If the interactive user is a standard user, the user does not have the required
credentials to allow elevation.
If you enable this policy setting, requests for elevation are automatically sent to the interactive desktop (not the
secure desktop) and also appear on the remote administrator's view of the desktop during a remote assistance
session. This allows the remote administrator to provide the appropriate credentials for elevation.
This policy setting does not change the behavior of the UAC elevation prompt for administrators.
If you plan to enable this policy setting, you should also review the effect of the User Account Control:
Behavior of the elevation prompt for standard users policy setting. If it is configured as Automatically
deny elevation requests , elevation requests are not presented to the user.
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
The User Account Control: Behavior of the elevation prompt for administrators in Admin Approval
Mode policy setting controls the behavior of the elevation prompt for administrators.
The options are:
Elevate without prompting. Allows privileged accounts to perform an operation that requires
elevation without requiring consent or credentials.
Note Use this option only in the most constrained environments.
Prompt for credentials on the secure desktop. When an operation requires elevation of privilege,
the user is prompted on the secure desktop to enter a privileged user name and password. If the user
enters valid credentials, the operation continues with the user's highest available privilege.
Prompt for consent on the secure desktop. When an operation requires elevation of privilege, the
user is prompted on the secure desktop to select either Permit or Deny . If the user selects Permit , the
operation continues with the user's highest available privilege.
Prompt for credentials. When an operation requires elevation of privilege, the user is prompted to
enter an administrative user name and password. If the user enters valid credentials, the operation
continues with the applicable privilege.
Prompt for consent. When an operation requires elevation of privilege, the user is prompted to select
either Permit or Deny . If the user selects Permit , the operation continues with the user's highest
available privilege.
Prompt for consent for non-Windows binaries. (Default) When an operation for a non-Microsoft
application requires elevation of privilege, the user is prompted on the secure desktop to select either
Permit or Deny . If the user selects Permit , the operation continues with the user's highest available
privilege.
User Account Control: Behavior of the elevation prompt for standard users
The User Account Control: Behavior of the elevation prompt for standard users policy setting controls
the behavior of the elevation prompt for standard users.
The options are:
Automatically deny elevation requests. When an operation requires elevation of privilege, a
configurable access denied error message is displayed. An enterprise that is running desktops as standard
user may choose this setting to reduce help desk calls.
Prompt for credentials on the secure desktop. When an operation requires elevation of privilege, the
user is prompted on the secure desktop to enter a different user name and password. If the user enters valid
credentials, the operation continues with the applicable privilege.
Prompt for credentials. (Default) When an operation requires elevation of privilege, the user is prompted
to enter an administrative user name and password. If the user enters valid credentials, the operation
continues with the applicable privilege.
User Account Control: Detect application installations and prompt for elevation
The User Account Control: Detect application installations and prompt for elevation policy setting
controls the behavior of application installation detection for the computer.
The options are:
Enabled. (Default for home) When an application installation package is detected that requires elevation of
privilege, the user is prompted to enter an administrative user name and password. If the user enters valid
credentials, the operation continues with the applicable privilege.
Disabled. (Default for enterprise) Application installation packages are not detected and prompted for
elevation. Enterprises that are running standard user desktops and use delegated installation technologies
such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy
setting. In this case, installer detection is unnecessary.
User Account Control: Only elevate executables that are signed and validated
The User Account Control: Only elevate executables that are signed and validated policy setting
enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of
privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to
the Trusted Publishers certificate store on local computers.
The options are:
Enabled. Enforces the PKI certification path validation for a given executable file before it is permitted to run.
Disabled. (Default) Does not enforce PKI certification path validation before a given executable file is
permitted to run.
User Account Control: Only elevate UIAccess applications that are installed in secure locations
The User Account Control: Only elevate UIAccess applications that are installed in secure locations
policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess)
integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
...\Program Files, including subfolders
...\Windows\system32
...\Program Files (x86), including subfolders for 64-bit versions of Windows
Note Windows enforces a PKI signature check on any interactive application that requests to run with a
UIAccess integrity level regardless of the state of this security setting.
The options are:
Enabled. (Default) If an application resides in a secure location in the file system, it runs only with UIAccess
integrity.
Disabled. An application runs with UIAccess integrity even if it does not reside in a secure location in the file
system.
User Account Control: Run all administrators in Admin Approval Mode
The User Account Control: Run all administrators Admin Approval Mode policy setting controls the
behavior of all UAC policy settings for the computer. If you change this policy setting, you must restart your
computer.
The options are:
Enabled. (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy
settings must also be set appropriately to allow the built-in Administrator account and all other users who
are members of the Administrators group to run in Admin Approval Mode.
Disabled. Admin Approval Mode and all related UAC policy settings are disabled.
Note If this policy setting is disabled, the Windows Security app notifies you that the overall security of the
operating system has been reduced.
User Account Control: Switch to the secure desktop when prompting for elevation
The User Account Control: Switch to the secure desktop when prompting for elevation policy setting
controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure
desktop.
The options are:
Enabled. (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy
settings for administrators and standard users.
Disabled. All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for
administrators and standard users are used.
When this policy setting is enabled, it overrides the User Account Control: Behavior of the elevation
prompt for administrators in Admin Approval Mode policy setting. The following table describes the
behavior of the elevation prompt for each of the administrator policy settings when the User Account
Control: Switch to the secure desktop when prompting for elevation policy setting is enabled or
disabled.
Prompt for credentials on the The prompt appears on the secure The prompt appears on the secure
secure desktop desktop. desktop.
Prompt for consent on the secure The prompt appears on the secure The prompt appears on the secure
desktop desktop. desktop.
Prompt for credentials The prompt appears on the secure The prompt appears on the interactive
desktop. user's desktop.
Prompt for consent The prompt appears on the secure The prompt appears on the interactive
desktop. user's desktop.
Prompt for consent for non- The prompt appears on the secure The prompt appears on the interactive
Windows binaries desktop. user's desktop.
When this policy setting is enabled, it overrides the User Account Control: Behavior of the elevation
prompt for standard users policy setting. The following table describes the behavior of the elevation prompt
for each of the standard user policy settings when the User Account Control: Switch to the secure
desktop when prompting for elevation policy setting is enabled or disabled.
Prompt for credentials on the The prompt appears on the secure The prompt appears on the secure
secure desktop desktop. desktop.
Prompt for credentials The prompt appears on the secure The prompt appears on the interactive
desktop. user's desktop.
User Account Control: Virtualize file and registry write failures to per-user locations
The User Account Control: Vir tualize file and registr y write failures to per-user locations policy
setting controls whether application write failures are redirected to defined registry and file system locations.
This policy setting mitigates applications that run as administrator and write run-time application data to
%ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.
The options are:
Enabled. (Default) Application write failures are redirected at run time to defined user locations for both the
file system and registry.
Disabled. Applications that write data to protected locations fail.
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
The Smart Card Technical Reference describes the Windows smart card infrastructure for physical smart cards
and how smart card-related components work in Windows. This document also contains information about
tools that information technology (IT) developers and administrators can use to troubleshoot, debug, and deploy
smart card-based strong authentication in the enterprise.
Audience
This document explains how the Windows smart card infrastructure works. To understand this information, you
should have basic knowledge of public key infrastructure (PKI) and smart card concepts. This document is
intended for:
Enterprise IT developers, managers, and staff who are planning to deploy or are using smart cards in
their organization.
Smart card vendors who write smart card minidrivers or credential providers.
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for IT professional provides links to resources about the implementation of smart card technologies in
the Windows operating system. It includes the following resources about the architecture, certificate
management, and services that are related to smart card use:
Smart Card Architecture: Learn about enabling communications with smart cards and smart card
readers, which can be different according to the vendor that supplies them.
Certificate Requirements and Enumeration: Learn about requirements for smart card certificates based
on the operating system, and about the operations that are performed by the operating system when a
smart card is inserted into the computer.
Smart Card and Remote Desktop Services: Learn about using smart cards for remote desktop
connections.
Smart Cards for Windows Service: Learn about how the Smart Cards for Windows service is
implemented.
Certificate Propagation Service: Learn about how the certificate propagation service works when a smart
card is inserted into a computer.
Smart Card Removal Policy Service: Learn about using Group Policy to control what happens when a user
removes a smart card.
Smart Card Architecture
3/3/2022 • 19 minutes to read • Edit Online
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for the IT professional describes the system architecture that supports smart cards in the Windows
operating system, including credential provider architecture and the smart card subsystem architecture.
Authentication is a process for verifying the identity of an object or person. When you authenticate an object,
such as a smart card, the goal is to verify that the object is genuine. When you authenticate a person, the goal is
to verify that you are not dealing with an imposter.
In a networking context, authentication is the act of proving identity to a network application or resource.
Typically, identity is proven by a cryptographic operation that uses a key only the user knows (such as with
public key cryptography), or a shared key. The server side of the authentication exchange compares the signed
data with a known cryptographic key to validate the authentication attempt. Storing the cryptographic keys in a
secure central location makes the authentication process scalable and maintainable.
For smart cards, Windows supports a provider architecture that meets the secure authentication requirements
and is extensible so that you can include custom credential providers. This topic includes information about:
Credential provider architecture
Smart card subsystem architecture
C O M P O N EN T DESC RIP T IO N
Credential providers (password and smart card) Describes credential information and serializing credentials.
Interactive sign-in in Windows begins when the user presses CTRL+ALT+DEL. The CTRL+ALT+DEL key
combination is called a secure attention sequence (SAS). To keep other programs and processes from using it,
Winlogon registers this sequence during the boot process.
After receiving the SAS, the UI then generates the sign-in tile from the information received from the registered
credential providers. The following graphic shows the architecture for credential providers in the Windows
operating system.
Figure 1 Credential provider architecture
Typically, a user who signs in to a computer by using a local account or a domain account must enter a user
name and password. These credentials are used to verify the user's identity. For smart card sign-in, a user's
credentials are contained on the smart card's security chip. A smart card reader lets the computer interact with
the security chip on the smart card. When users sign in with a smart card, they enter a personal identification
number (PIN) instead of a user name and password.
Credential providers are in-process COM objects that run on the local system and are used to collect credentials.
The Logon UI provides interactive UI rendering, Winlogon provides interactive sign-in infrastructure, and
credential providers work with both of these components to help gather and process credentials.
Winlogon instructs the Logon UI to display credential provider tiles after it receives an SAS event. The Logon UI
queries each credential provider for the number of credentials it wants to enumerate. Credential providers have
the option of specifying one of these tiles as the default. After all providers have enumerated their tiles, the
Logon UI displays them to the user. The user interacts with a tile to supply the proper credentials. The Logon UI
submits these credentials for authentication.
Combined with supporting hardware, credential providers can extend the Windows operating system to enable
users to sign in by using biometrics (for example, fingerprint, retinal, or voice recognition), password, PIN, smart
card certificate, or any custom authentication package. Enterprises and IT professionals can develop and deploy
custom authentication mechanisms for all domain users, and they may explicitly require users to use this
custom sign-in mechanism.
Note Credential providers are not enforcement mechanisms. They are used to gather and serialize
credentials. The LSA and authentication packages enforce security.
Credential providers can be designed to support single sign-in (SSO). In this process, they authenticate users to
a secure network access point (by using RADIUS and other technologies) for signing in to the computer.
Credential providers are also designed to support application-specific credential gathering, and they can be
used for authentication to network resources, joining computers to a domain, or to provide administrator
consent for User Account Control (UAC).
Multiple credential providers can coexist on a computer.
Credential providers must be registered on a computer running Windows, and they are responsible for:
Describing the credential information that is required for authentication.
Handling communication and logic with external authentication authorities.
Packaging credentials for interactive and network sign-in.
Note The Credential Provider API does not render the UI. It describes what needs to be rendered.
Only the password credential provider is available in safe mode.
The smart card credential provider is available in safe mode during networking.
Note Before opening a key by using the smart card KSP, a call to NCryptOpenStorageProvider
(MS_SMART_CARD_KEY_STORAGE_PROVIDER) must be made.
TYPE NAME F O RM AT
The Base CSP and smart card KSP cache smart card handle information about the calling process and about the
smart cards the process has accessed. When searching for a smart card container, the Base CSP or smart card
KSP first checks its cache for the process. If the cached handle is invalid or no match is found, the SCardUIDlg
API is called to get the card handle.
Container operations
The following three container operations can be requested by using CryptAcquireContext:
1. Create a new container. (The CNG equivalent of CryptAcquireContext with dwFlags set to
CRYPT_NEWKEYSET is NCryptCreatePersistedKey.)
2. Open an existing container. (The CNG equivalent of CryptAcquireContext to open the container is
NCryptOpenKey.)
3. Delete a container. (The CNG equivalent of CryptAcquireContext with dwFlags set to
CRYPT_DELETEKEYSET is NCryptDeleteKey.)
The heuristics that are used to associate a cryptographic handle with a particular smart card and reader are
based on the container operation requested and the level of container specification used.
The following table shows the restrictions for the container creation operation.
SP EC IF IC AT IO N REST RIC T IO N
No silent context Key container creation must always be able to show UI, such
as the PIN prompt.
No overwriting existing containers If the specified container already exists on the chosen smart
card, choose another smart card or cancel the operation.
Context flags
The following table shows the context flags used as restrictions for the container creation operation.
In addition to container operations and container specifications, you must consider other user options, such as
the CryptAcquireContext flags, during smart card selection.
Impor tant The CRYPT_SILENT flag cannot be used to create a new container.
1. For each smart card that has been accessed by the Base CSP and the handle and container information
are cached, the Base CSP looks for a valid default container. An operation is attempted on the cached
SCARDHANDLE to verify its validity. If the smart card handle is not valid, the Base CSP continues to
search for a new smart card.
2. If a matching smart card is not found in the Base CSP cache, the Base CSP calls to the smart card
subsystem. SCardUIDlgSelectCard() is used with an appropriate callback filter to find a matching smart
card with a valid default container.
Open an existing GUID-named container (no reader specified)
Note This operation requires that you use the smart card with the Base CSP.
1. For each smart card that is already registered with the Base CSP, search for the requested container.
Attempt an operation on the cached SCARDHANDLE to verify its validity. If the smart card handle is not
valid, the smart card's serial number is passed to the SCardUI * API to continue searching for this specific
smart card (rather than only a general match for the container name).
2. If a matching smart card is not found in the Base CSP cache, a call is made to the smart card subsystem.
SCardUIDlgSelectCard() is used with an appropriate callback filter to find a matching smart card with the
requested container. Or, if a smart card serial number resulted from the search in Step 1, the callback filter
attempts to match the serial number, not the container name.
Create a new container (no reader specified)
Note This operation requires that you use the smart card with the Base CSP.
If the PIN is not cached, no CRYPT_SILENT is allowed for the container creation because the user must be
prompted for a PIN, at a minimum.
For other operations, the caller may be able to acquire a "verify" context against the default container
(CRYPT_DEFAULT_CONTAINER_OPTIONAL) and then make a call with CryptSetProvParam to cache the user PIN
for subsequent operations.
1. For each smart card already known by the CSP, refresh the stored SCARDHANDLE and make the
following checks:
a. If the smart card has been removed, continue the search.
b. If the smart card is present, but it already has the named container, continue the search.
c. If the smart card is available, but a call to CardQueryFreeSpace indicates that the smart card has
insufficient storage for an additional key container, continue the search.
d. Otherwise, use the first available smart card that meets the above criteria for the container
creation.
2. If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. The
callback that is used to filter enumerated smart cards verifies that a candidate smart card does not
already have the named container, and that CardQueryFreeSpace indicates the smart card has sufficient
space for an additional container. If no suitable smart card is found, the user is prompted to insert a
smart card.
Delete a container
1. If the specified container name is NULL, the default container is deleted. Deleting the default container
causes a new default container to be selected arbitrarily. For this reason, this operation is not
recommended.
2. For each smart card already known by the CSP, refresh the stored SCARDHANDLE and make the
following checks:
a. If the smart card does not have the named container, continue the search.
b. If the smart card has the named container, but the smart card handle is no longer valid, store the
serial number of the matching smart card and pass it to SCardUI *.
3. If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. The
callback that is used to filter enumerated smart cards should verify that a candidate smart card has the
named container. If a serial number was provided as a result of the previous cache search, the callback
should filter enumerated smart cards on serial number rather than on container matches. If the context is
non-silent and no suitable smart card is found, display UI that prompts the user to insert a smart card.
Base CSP and KSP-based architecture in Windows
Figure 4 shows the Cryptography architecture that is used by the Windows operating system.
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for the IT professional and smart card developers describes how certificates are managed and used
for smart card sign-in.
When a smart card is inserted, the following steps are performed.
Note Unless otherwise mentioned, all operations are performed silently (CRYPT_SILENT is passed to
CryptAcquireContext).
1. The smart card resource manager database searches for the smart card's cryptographic service provider
(CSP).
2. A qualified container name is constructed by using the smart card reader name, and it is passed to the
CSP. The format is \\.\<Reader name>\
3. CryptAcquireContext is called to retrieve a context to the default container. If a failure occurs, the smart
card will be unusable for smart card sign-in.
4. The name of the container is retrieved by using the PP_CONTAINER parameter with CryptGetProvParam.
5. Using the context acquired in Step 3, the CSP is queried for the PP_USER_CERTSTORE parameter (added
in Windows Vista). For more information, see Smart Card Architecture. If the operation is successful, the
name of a certificate store is returned, and the program flow skips to Step 8.
6. If the operation in Step 5 fails, the default container context from Step 3 is queried for the
AT_KEYEXCHANGE key.
7. The certificate is then queried from the key context by using KP_CERTIFICATE. The certificate is added to
an in-memory certificate store.
8. For each certificate in the certificate store from Step 5 or Step 7, the following checks are performed:
a. The certificate must be valid, based on the computer system clock (not expired or valid with a
future date).
b. The certificate must not be in the AT_SIGNATURE part of a container.
c. The certificate must have a valid user principal name (UPN).
d. The certificate must have the digital signature key usage.
e. The certificate must have the smart card logon EKU.
Any certificate that meets these requirements is displayed to the user with the certificate's UPN (or e-mail
address or subject, depending on the presence of the certificate extensions).
Note These requirements are the same as those in Windows Server 2003, but they are performed
before the user enters the PIN. You can override many of them by using Group Policy settings.
Windows Server 2008 R2 and Windows 7 Support for smart card sign-in with ECC-based certificates.
ECC smart card sign-in is enabled through Group Policy.
ECDH_P256
ECDH
Curve P-256 from FIPS 186-2
ECDSA_P256
ECDSA
Curve P-256 from FIPS 186-2
ECDH_P384
ECDH
Curve P-384 from FIPS 186-2
ECDH_P521
ECDH
Curve P-521 from FIPS 186-2
ECDSA_P256
ECDH
Curve P-256 from FIPS 186-2
ECDSA_P384
ECDSA
Curve P-384 from FIPS 186-2
ECDSA_P521
ECDSA
Curve P-384 from FIPS 186-2
Windows Server 2008 and Windows Vista Valid certificates are enumerated and displayed from all
smart cards and presented to the user.
Keys are no longer restricted to the default container, and
certificates in different containers can be chosen.
Elliptic curve cryptography (ECC)-based certificates are not
supported for smart card sign-in
Note Smartcard cache entries are created for certificates with a subject name or with a subject key
identifier. If the certificate has a subject name, it is stored with an index that is based on the subject
name and certificate issuer. If another certificate with the same subject name and certificate issuer is
used, it will replace the existing cached entry. A change in this behavior after Windows Vista, allows
for the condition when the certificate does not have a subject name, the cache is created with an
index that is based on the subject key identifier and certificate issuer. If another certificate has the
same the subject key identifier and certificate issuer, the cache entry is replaced. When certificates
have neither a subject name nor subject key identifier, a cached entry is not created.
TGT is encrypted with the master key of the KDC, and the session key is encrypted with a temporary key.
This temporary key is derived based on RFC 4556. Using CryptoAPI, the temporary key is decrypted. As
part of the decryption process, if the private key is on a smart card, a call is made to the smart card
subsystem by using the specified CSP to extract the certificate corresponding to the user's public key.
(Programmatic calls for the certificate include CryptAcquireContext, CryptSetProvParam with the PIN,
CryptgetUserKey, and CryptGetKeyParam.) After the temporary key is obtained, the Kerberos SSP
decrypts the session key.
15. The client validates the reply from the KDC (time, path, and revocation status). It first verifies the KDC's
signature by the construction of a certification path from the KDC's certificate to a trusted root CA, and
then it uses the KDC's public key to verify the reply signature.
16. Now that a TGT has been obtained, the client obtains a service ticket, which is used to sign in to the local
computer.
17. With success, LSA stores the tickets and returns a success message to LSALogonUser. After this success
message is issued, user profile for the device is selected and set, Group Policy refresh is instantiated, and
other actions are performed.
18. After the user profile is loaded, the Certification Propagation Service (CertPropSvc) detects this event,
reads the certificates from the smart card (including the root certificates), and then populates them into
the user's certificate store (MYSTORE).
19. CSP to smart card resource manager communication happens on the LRPC Channel.
20. On successful authentication, certificates are propagated to the user's store asynchronously by the
Certificate Propagation Service (CertPropSvc).
21. When the card is removed, certificates in the temporary secure cache store are removed. The Certificates
are no longer available for sign-in, but they remain in the user's certificate store.
Note A SID is created for each user or group at the time a user account or a group account is created within
the local security accounts database or within AD DS. The SID never changes, even if the user or group
account is renamed.
For more information about the Kerberos protocol, see Microsoft Kerberos.
By default, the KDC verifies that the client's certificate contains the smart card client authentication EKU
szOID_KP_SMARTCARD_LOGON. However, if enabled, the Allow cer tificates with no extended key usage
cer tificate attribute Group Policy setting allows the KDC to not require the SC-LOGON EKU. SC-LOGON EKU
is not required for account mappings that are based on the public key.
KDC certificate
Active Directory Certificate Services provides three kinds of certificate templates:
Domain controller
Domain controller authentication
Kerberos authentication
Depending on the configuration of the domain controller, one of these types of certificates is sent as a part of
the AS_REP packet.
REQ UIREM EN T S F O R W IN DO W S 8. 1,
W IN DO W S 8, W IN DO W S 7, W IN DO W S
VISTA , W IN DO W S 10, A N D W IN DO W S
C O M P O N EN T 11 REQ UIREM EN T S F O R W IN DO W S XP
CRL distribution point location Not required The location must be specified, online,
and available, for example:
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://server1.contoso.com/CertE
nroll/caname.crl
Enhanced key usage (EKU) The smart card sign-in object identifier - Client Authentication
is not required. (1.3.6.1.5.5.7.3.2)
The client authentication object
Note If an EKU is present, it must identifier is required only if a certificate
contain the smart card sign-in EKU. is used for SSL authentication.
Certificates with no EKU can be used
for sign-in. - Smart Card Sign-in
(1.3.6.1.4.1.311.20.2.2)
REQ UIREM EN T S F O R W IN DO W S 8. 1,
W IN DO W S 8, W IN DO W S 7, W IN DO W S
VISTA , W IN DO W S 10, A N D W IN DO W S
C O M P O N EN T 11 REQ UIREM EN T S F O R W IN DO W S XP
Subject alternative name E-mail ID is not required for smart Other Name: Principal Name=(UPN),
card sign-in. for example:
[email protected]
The UPN OtherName object identifier
is 1.3.6.1.4.1.311.20.2.3.
The UPN OtherName value must be an
ASN1-encoded UTF8 string.
Key exchange (AT_KEYEXCHANGE field) Not required for smart card sign-in Not required
certificates if a Group Policy setting is
enabled. (By default, Group Policy
settings are not enabled.)
Notes You can enable any certificate to be There are two predefined types of
visible for the smart card credential private keys. These keys are Signature
provider. Only (AT_SIGNATURE) and Key
Exchange (AT_KEYEXCHANGE). Smart
card sign-in certificates must have a
Key Exchange (AT_KEYEXCHANGE)
private key type.
The certificate object is parsed to look for content to perform user account mapping.
When a user name is provided with the certificate, the user name is used to locate the account object.
This operation is the fastest, because string matching occurs.
When only the certificate object is provided, a series of operations are performed to locate the user name
to map the user name to an account object.
When no domain information is available for authentication, the local domain is used by default. If any
other domain is to be used for lookup, a domain name hint should be provided to perform the mapping
and binding.
Mapping based on generic attributes is not possible because there is no generic API to retrieve attributes from a
certificate. Currently, the first method that locates an account successfully stops the search. But a configuration
error occurs if two methods map the same certificate to different user accounts when the client does not supply
the client name through the mapping hints.
The following figure illustrates the process of mapping user accounts for sign-in in the directory by viewing
various entries in the certificate.
Cer tificate processing logic
Smart card sign-in for a single user with one certificate into multiple
accounts
A single user certificate can be mapped to multiple accounts. For example, a user might be able to sign in to a
user account and also to sign in as a domain administrator. The mapping is done by using the constructed
AltSecID based on attributes from client accounts. For information about how this mapping is evaluated, see
Client certificate requirements and mappings.
Note Because each account has a different user name, we recommend that you enable the Allow user
name hint Group Policy setting (X509HintsNeeded registry key) to provide the optional fields that allow
users to enter their user names and domain information to sign in.
Based on the information that is available in the certificate, the sign-in conditions are:
1. If no UPN is present in the certificate:
a. Sign-in can occur in the local forest or in another forest if a single user with one certificate needs
to sign in to different accounts.
b. A hint must be supplied if mapping is not unique (for example, if multiple users are mapped to the
same certificate).
2. If a UPN is present in the certificate:
a. The certificate cannot be mapped to multiple users in the same forest.
b. The certificate can be mapped to multiple users in different forests. For a user to sign in to other
forests, an X509 hint must be supplied to the user.
Note For the hint field to appear during smart card sign-in, the Allow user name hint Group Policy
setting (X509HintsNeeded registry key) must be enabled on the client.
See also
How Smart Card Sign-in Works in Windows
Smart Card and Remote Desktop Services
3/3/2022 • 5 minutes to read • Edit Online
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart
card sign-in.
The content in this topic applies to the versions of Windows that are designated in the Applies To list at the
beginning of this topic. In these versions, smart card redirection logic and WinSCard API are combined to
support multiple redirected sessions into a single process.
Smart card support is required to enable many Remote Desktop Services scenarios. These include:
Using Fast User Switching or Remote Desktop Services. A user is not able to establish a redirected smart
card-based remote desktop connection. That is, the connect attempt is not successful in Fast User
Switching or from a Remote Desktop Services session.
Enabling Encrypting File System (EFS) to locate the user's smart card reader from the Local Security
Authority (LSA) process in Fast User Switching or in a Remote Desktop Services session. If EFS is not able
to locate the smart card reader or certificate, EFS cannot decrypt user files.
Note If you use the credential SSP on computers running the supported versions of the operating system
that are designated in the Applies To list at the beginning of this topic: To sign in with a smart card from a
computer that is not joined to a domain, the smart card must contain the root certification of the domain
controller. A public key infrastructure (PKI) secure channel cannot be established without the root
certification of the domain controller.
Sign-in to Remote Desktop Services across a domain works only if the UPN in the certificate uses the following
form: <ClientName>@<DomainDNSName>
The UPN in the certificate must include a domain that can be resolved. Otherwise, the Kerberos protocol cannot
determine which domain to contact. You can resolve this issue by enabling GPO X509 domain hints. For more
information about this setting, see Smart Card Group Policy and Registry Settings.
See also
How Smart Card Sign-in Works in Windows
Smart Cards for Windows Service
3/3/2022 • 2 minutes to read • Edit Online
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for the IT professional and smart card developers describes how the Smart Cards for Windows
service (formerly called Smart Card Resource Manager) manages readers and application interactions.
The Smart Cards for Windows service provides the basic infrastructure for all other smart card components as it
manages smart card readers and application interactions on the computer. It is fully compliant with the
specifications set by the PC/SC Workgroup. For information about these specifications, see the PC/SC
Workgroup Specifications website.
The Smart Cards for Windows service runs in the context of a local service, and it is implemented as a shared
service of the services host (svchost) process. The Smart Cards for Windows service, Scardsvr, has the following
service description:
<serviceData
dependOnService="PlugPlay"
description="@%SystemRoot%\System32\SCardSvr.dll,-5"
displayName="@%SystemRoot%\System32\SCardSvr.dll,-1"
errorControl="normal"
group="SmartCardGroup"
imagePath="%SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation"
name="SCardSvr"
objectName="NT AUTHORITY\LocalService"
requiredPrivileges="SeCreateGlobalPrivilege,SeChangeNotifyPrivilege"
sidType="unrestricted"
start="demand"
type="win32ShareProcess"
>
<failureActions resetPeriod="900">
<actions>
<action
delay="120000"
type="restartService"
/>
<action
delay="300000"
type="restartService"
/>
<action
delay="0"
type="none"
/>
</actions>
</failureActions>
<securityDescriptor name="ServiceXSecurity"/>
</serviceData>
<registryKeys buildFilter="">
<registryKey keyName="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\Parameters">
<registryValue
name="ServiceDll"
value="%SystemRoot%\System32\SCardSvr.dll"
valueType="REG_EXPAND_SZ"
/>
<registryValue
name="ServiceMain"
value="CalaisMain"
valueType="REG_SZ"
/>
<registryValue
name="ServiceDllUnloadOnStop"
value="1"
valueType="REG_DWORD"
/>
</registryKey>
</registryKeys>
Note For winscard.dll to be invoked as the proper class installer, the INF file for a smart card reader must
specify the following for Class and ClassGUID :
Class=SmartCardReader
ClassGuid={50DD5230-BA8A-11D1-BF5D-0000F805F530}
By default, the service is configured for manual mode. Creators of smart card reader drivers must configure
their INFs so that they start the service automatically and winscard.dll files call a predefined entry point to start
the service during installation. The entry point is defined as part of the Smar tCardReader class, and it is not
called directly. If a device advertises itself as part of this class, the entry point is automatically invoked to start
the service when the device is inserted. Using this method ensures that the service is enabled when it is needed,
but it is also disabled for users who do not use smart cards.
When the service is started, it performs several functions:
1. It registers itself for service notifications.
2. It registers itself for Plug and Play (PnP) notifications related to device removal and additions.
3. It initializes its data cache and a global event that signals that the service has started.
Note For smart card implementations, consider sending all communications in Windows operating
systems with smart card readers through the Smart Cards for Windows service. This provides an interface
to track, select, and communicate with all drivers that declare themselves members of the smart card reader
device group.
The Smart Cards for Windows service categorizes each smart card reader slot as a unique reader, and each slot
is also managed separately, regardless of the device's physical characteristics. The Smart Cards for Windows
service handles the following high-level actions:
Device introduction
Reader initialization
Notifying clients of new readers
Serializing access to readers
Smart card access
Tunneling of reader-specific commands
See also
How Smart Card Sign-in Works in Windows
Certificate Propagation Service
3/3/2022 • 2 minutes to read • Edit Online
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in
smart card implementation.
The certificate propagation service activates when a signed-in user inserts a smart card in a reader that is
attached to the computer. This action causes the certificate to be read from the smart card. The certificates are
then added to the user's Personal store. Certificate propagation service actions are controlled by using Group
Policy. For more information, see Smart Card Group Policy and Registry Settings.
Note The certificate propagation service must be running for smart card Plug and Play to work.
The following figure shows the flow of the certificate propagation service. The action begins when a signed-in
user inserts a smart card.
1. The arrow labeled 1 indicates that the Service Control Manager (SCM) notifies the certificate propagation
service (CertPropSvc) when a user signs in, and CertPropSvc begins to monitor the smart cards in the
user session.
2. The arrow labeled R represents the possibility of a remote session and the use of smart card redirection.
3. The arrow labeled 2 indicates the certification to the reader.
4. The arrow labeled 3 indicates the access to the certificate store during the client session.
Cer tificate propagation ser vice
Note The certificate propagation service is started as a Remote Desktop Services dependency.
See also
How Smart Card Sign-in Works in Windows
Smart Card Removal Policy Service
3/3/2022 • 2 minutes to read • Edit Online
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for the IT professional and smart card developer links to information about smart card debugging,
settings, and events.
This section of the Smart Card Technical Reference contains information about the following:
Smart Cards Debugging Information: Learn about tools and services in supported versions of Windows
to help identify certificate issues.
Smart Card Group Policy and Registry Settings: Learn about smart card-related Group Policy settings and
registry keys that can be set on a per-computer basis, including how to edit and apply Group Policy
settings to local or domain computers.
Smart Card Events: Learn about events that can be used to manage smart cards in an organization,
including how to monitor installation, use, and errors.
See also
Smart Card Technical Reference
Smart Card Troubleshooting
3/3/2022 • 5 minutes to read • Edit Online
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This article explains tools and services that smart card developers can use to help identify certificate issues with
the smart card deployment.
Debugging and tracing smart card issues requires a variety of tools and approaches. The following sections
provide guidance about tools and approaches you can use.
Certutil
Debugging and tracing using Windows software trace preprocessor (WPP)
Kerberos protocol, Key Distribution Center (KDC), and NTLM debugging and tracing
Smart Card service
Smart card readers
CryptoAPI 2.0 Diagnostics
Certutil
For a complete description of Certutil including examples that show how to use it, see Certutil [W2012].
List certificates available on the smart card
To list certificates that are available on the smart card, type certutil -scinfo .
NOTE
Entering a PIN is not required for this operation. You can press ESC if you are prompted for a PIN.
Examples
To enable tracing for the SCardSvr service:
tracelog.exe -kd -r t -star t scardsvr -guid #13038e47-ffec-425d-bc69-5707708075fe -
f .\scardsvr.etl -flags 0xffff -ft 1
logman star t scardsvr -ets -p {13038e47-ffec-425d-bc69-5707708075fe} 0xffff -ft 1 -r t -
o .\scardsvr.etl -mode 0x00080000
To enable tracing for scfilter.sys:
tracelog.exe -kd -r t -star t scfilter -guid #eed7f3c9-62ba-400e-a001-658869df9a91 -
f .\scfilter.etl -flags 0xffff -ft 1
Stop the trace
Using WPP, use one of the following commands to stop the tracing:
tracelog.exe -stop <FriendlyName>
logman -stop <FriendlyName> -ets
Examples
To stop a trace:
tracelog.exe -stop scardsvr
logman -stop scardsvr -ets
NOTE
The default location for logman.exe is %systemroot%system32\. Use the -s option to supply a computer name.
EL EM EN T REGIST RY K EY SET T IN G
EL EM EN T REGIST RY K EY SET T IN G
NTLM HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
\Lsa\MSV1_0
Value name: NtLmInfoLevel
Value type: DWORD
Value data: c0015003
Kerberos HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
\Lsa\Kerberos
Value name: LogToFile
Value type: DWORD
Value data: 00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
\Lsa\Kerberos\Parameters
Value name: KerbDebugLevel
Value type: DWORD
Value data: c0000043
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
\Lsa\Kerberos\Parameters
Value name: LogToFile
Value type: DWORD
Value data: 00000001
KDC HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Service
s\Kdc
Value name: KdcDebugLevel
Value type: DWORD
Value data: c0000803
If you used Tracelog , look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl.
If you used the registry key settings shown in the previous table, look for the trace log files in the following
locations:
NTLM: %systemroot%\tracing\msv1_0
Kerberos: %systemroot%\tracing\kerberos
KDC: %systemroot%\tracing\kdcsvc
To decode event trace files, you can use Tracefmt (tracefmt.exe). Tracefmt is a command-line tool that formats
and displays trace messages from an event trace log file (.etl) or a real-time trace session. Tracefmt can display
the messages in the Command Prompt window or save them in a text file. It is located in the \tools\tracing
subdirectory of the Windows Driver Kit (WDK). For more information, see Tracefmt .
You can use the following command at the command prompt to check whether the service is running:
sc queryex scardsvr .
SERVICE_NAME: scardsvr
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1320
FLAGS :
C:\>
NOTE
If the smart card reader is not listed in Device Manager, in the Action menu, select Scan for hardware changes .
See also
Smart Card Technical Reference
Smart Card Group Policy and Registry Settings
3/3/2022 • 20 minutes to read • Edit Online
Applies to: Windows 10, Windows 11, Windows Server 2016 and above
This article for IT professionals and smart card developers describes the Group Policy settings, registry key
settings, local security policy settings, and credential delegation policy settings that are available for configuring
smart cards.
The following sections and tables list the smart card-related Group Policy settings and registry keys that can be
set on a per-computer basis. If you use domain Group Policy Objects (GPOs), you can edit and apply Group
Policy settings to local or domain computers.
Primary Group Policy settings for smart cards
Allow certificates with no extended key usage certificate attribute
Allow ECC certificates to be used for logon and authentication
Allow Integrated Unblock screen to be displayed at the time of logon
Allow signature keys valid for Logon
Allow time invalid certificates
Allow user name hint
Configure root certificate clean up
Display string when smart card is blocked
Filter duplicate logon certificates
Force the reading of all certificates from the smart card
Notify user of successful smart card driver installation
Prevent plaintext PINs from being returned by Credential Manager
Reverse the subject name stored in a certificate when displaying
Turn on certificate propagation from smart card
Turn on root certificate propagation from smart card
Turn on Smart Card Plug and Play service
Base CSP and Smart Card KSP registry keys
CRL checking registry keys
Additional smart card Group Policy settings and registry keys
NOTE
Smart card reader registry information is in
HKEY_LOCAL_MACHINE\Software\Microsoft\Cr yptography\Calais\Readers .
Smart card registry information is in
HKEY_LOCAL_MACHINE\Software\Microsoft\Cr yptography\Calais\Smar tCards .
The following table lists the default values for these GPO settings. Variations are documented under the policy
descriptions in this article.
NOTE
Enhanced key usage certificate attribute is also known as extended key usage.
In versions of Windows before Windows Vista, smart card certificates that are used to sign in require an EKU extension
with a smart card logon object identifier. This policy setting can be used to modify that restriction.
When this policy setting is turned on, certificates with the following attributes can also be used to sign in with a
smart card:
Certificates with no EKU
Certificates with an All Purpose EKU
Certificates with a Client Authentication EKU
When this policy setting isn't turned on, only certificates that contain the smart card logon object identifier can
be used to sign in with a smart card.
IT EM DESC RIP T IO N
IT EM DESC RIP T IO N
Notes and resources This policy setting only affects a user's ability to sign in to a
domain. ECC certificates on a smart card that are used for
other applications, such as document signing, aren't affected
by this policy setting.
If you use an ECDSA key to sign in, you must also have an
associated ECDH key to permit sign in when you're not
connected to the network.
IT EM DESC RIP T IO N
Notes and resources To use the integrated unblock feature, the smart card must
support it. Check with the hardware manufacturer to verify
that the smart card supports this feature.
You can create a custom message that the user sees when
the smart card is blocked by configuring the policy setting
Display string when smart card is blocked.
IT EM DESC RIP T IO N
NOTE
Before Windows Vista, certificates were required to contain a valid time and to not expire. For a certificate to be used, it
must be accepted by the domain controller. This policy setting only controls which certificates are displayed on the client
computer.
When this setting is turned on, certificates are listed on the sign-in screen whether they have an invalid time, or
their time validity has expired.
When this policy setting isn't turned on, certificates that are expired or not yet valid aren't listed on the sign-in
screen.
IT EM DESC RIP T IO N
IT EM DESC RIP T IO N
IT EM DESC RIP T IO N
NOTE
During the certificate renewal period, a user’s smart card can have multiple valid sign-in certificates issued from the same
certificate template, which can cause confusion about which certificate to select. This behavior can occur when a certificate
is renewed and the old certificate has not expired yet.
If two certificates are issued from the same template with the same major version and they are for the same user (this is
determined by their UPN), they are determined to be the same.
When this policy setting is turned on, filtering occurs so that the user can select from only the most current valid
certificates.
If this policy setting isn't turned on, all the certificates are displayed to the user.
This policy setting is applied to the computer after the Allow time invalid certificates policy setting is applied.
IT EM DESC RIP T IO N
Notes and resources If there are two or more of the same certificates on a smart
card and this policy setting is enabled, the certificate that is
used to sign in to computers running Windows 2000,
Windows XP, or Windows Server 2003 will be displayed.
Otherwise, the certificate with the most distant expiration
time will be displayed.
IT EM DESC RIP T IO N
Notes and resources Contact the smart card vendor to determine if your smart
card and associated CSP support the required behavior.
Notes and resources This policy setting applies only to smart card drivers that
have passed the Windows Hardware Quality Labs (WHQL)
testing process.
NOTE
Credential Manager is controlled by the user on the local computer, and it stores credentials from supported browsers
and Windows applications. Credentials are saved in special encrypted folders on the computer under the user’s profile.
When this policy setting is turned on, Credential Manager doesn't return a plaintext PIN.
When this setting isn't turned on, Credential Manager can return plaintext PINs.
IT EM DESC RIP T IO N
Notes and resources If this policy setting is enabled, some smart cards might not
work in computers running Windows. Consult the smart
card manufacturer to determine whether this policy setting
should be enabled.
NOTE
To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed
by default. For example, when this setting is enabled, if the certificate subject is CN=User1, OU=Users, DN=example,
DN=com and the UPN is [email protected], "User1" is displayed with "[email protected]." If the UPN is not present,
the entire subject name is displayed. This setting controls the appearance of that subject name, and it might need to be
adjusted for your organization.
When this policy setting is turned on, the subject name during sign in appears reversed from the way that it's
stored in the certificate.
When this policy setting isn’t turned on, the subject name appears the same as it’s stored in the certificate.
IT EM DESC RIP T IO N
NOTE
The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the
computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's
Personal store.
When this policy setting is turned on, certificate propagation occurs when the user inserts the smart card.
When this policy setting is turned off, certificate propagation doesn't occur, and the certificates aren't available to
applications, like Outlook.
IT EM DESC RIP T IO N
When this policy setting is turned on, root certificate propagation occurs when the user inserts the smart card.
When this policy setting isn’t turned on, root certificate propagation doesn’t occur when the user inserts the
smart card.
IT EM DESC RIP T IO N
NOTE
Your users can use smart cards from vendors who have published their drivers through Windows Update without needing
special middleware. These drivers will be downloaded in the same way as drivers for other devices in Windows. If an
appropriate driver isn't available from Windows Update, a PIV-compliant mini driver that's included with any of the
supported versions of Windows is used for these cards.
When this policy setting is turned on, the system attempts to install a smart card device driver the first time a
smart card is inserted in a smart card reader.
When this policy setting isn't turned on, a device driver isn't installed when a smart card is inserted in a smart
card reader.
IT EM DESC RIP T IO N
Notes and resources This policy setting applies only to smart card drivers that
have passed the Windows Hardware Quality Labs (WHQL)
testing process.
RequireOnCardPrivateKeyGen This key sets the flag that requires on-card private key
generation (default). If this value is set, a key generated on a
host can be imported into the smart card. This is used for
smart cards that don't support on-card key generation or
where key escrow is required.
Default value: 00000000
REGIST RY K EY DETA IL S
GRO UP P O L IC Y SET T IN G A N D
REGIST RY K EY DEFA ULT DESC RIP T IO N
Interactive logon: Require smart card Disabled This security policy setting requires
users to sign in to a computer by
scforceoption using a smart card.
Interactive logon: Smart card removal This policy setting isn't defined, which This setting determines what happens
behavior means that the system treats it as No when the smart card for a signed-in
Action . user is removed from the smart card
scremoveoption reader. The options are:
No Action
Lock Workstation : The workstation
is locked when the smart card is
removed, so users can leave the area,
take their smart card with them, and
still maintain a protected session.
Force Logoff : The user is
automatically signed out when the
smart card is removed.
Disconnect if a Remote Desktop
Ser vices session : Removal of the
smart card disconnects the session
without signing out the user. The user
can reinsert the smart card and
resume the session later, or at another
computer that's equipped with a smart
card reader, without having to sign in
again. If the session is local, this policy
setting functions identically to the
Lock Workstation option.
From the Local Security Policy Editor (secpol.msc), you can edit and apply system policies to manage credential
delegation for local or domain computers.
The following smart card-related Group Policy settings are in Computer Configuration\Administrative
Templates\System\Credentials Delegation.
Registry keys are in
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Credssp\PolicyDefaults .
NOTE
In the following table, fresh credentials are those that you are prompted for when running an application.
GRO UP P O L IC Y SET T IN G A N D
REGIST RY K EY DEFA ULT DESC RIP T IO N
GRO UP P O L IC Y SET T IN G A N D
REGIST RY K EY DEFA ULT DESC RIP T IO N
Allow Delegating Fresh Credentials Not configured This policy setting applies:
When server authentication was
AllowFreshCredentials achieved through a trusted X509
certificate or Kerberos protocol.
To applications that use the CredSSP
component (for example, Remote
Desktop Services).
Allow Delegating Fresh Credentials Not configured This policy setting applies:
with NTLM-only Server Authentication When server authentication was
achieved by using NTLM.
AllowFreshCredentialsWhenNTLM To applications that use the CredSSP
Only component (for example, Remote
Desktop).
Deny Delegating Fresh Credentials Not configured This policy setting applies to
applications that use the CredSSP
DenyFreshCredentials component (for example, Remote
Desktop).
If you're using Remote Desktop Services with smart card logon, you can't delegate default and saved credentials.
The registry keys in the following table, which are at
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Credssp\PolicyDefaults , and the
corresponding Group Policy settings are ignored.
See also
Smart Card Technical Reference
Smart Card Events
3/3/2022 • 13 minutes to read • Edit Online
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for the IT professional and smart card developer describes events that are related to smart card
deployment and development.
A number of events can be used to monitor smart card activities on a computer, including installation, use, and
errors. The following sections describe the events and information that can be used to manage smart cards in an
organization.
Smart card reader name
Smart card warning events
Smart card error events
Smart card Plug and Play events
620 Smart Card Resource Manager was This occurs if the resource manager
unable to cancel IOCTL %3 for reader attempts to cancel a command to the
'%2': %1. The reader may no longer be smart card reader when the smart
responding. If this error persists, your card service is shutting down or after a
smart card or reader may not be smart card is removed from the smart
functioning correctly. %n%nCommand card reader and the command could
Header: %4 not to be canceled. This can leave the
smart card reader in an unusable state
until it is removed from the computer
or the computer is restarted.
619 Smart Card Reader '%2' has not This occurs when a reader has not
responded to IOCTL %3 in %1 responded to an IOCTL after an
seconds. If this error persists, your unusually long period of time.
smart card or reader may not be Currently, this error is sent after a
functioning correctly. %n%nCommand reader does not respond for 150
Header: %4 seconds. This can leave the smart card
reader in an unusable state until it is
removed from the computer or the
computer is restarted.
202 Failed to initialize Server Application An error occurred, and the service
cannot initialize properly. Restarting
the computer may resolve the issue.
203 Server Control has no memory for This is an internal, unrecoverable error
reader reference object. that indicates a failure in the smart
card service. The most common cause
is limited computer resources.
Restarting the computer may resolve
the issue.
205 Reader object has duplicate name: %1 There are two smart card readers that
have the same name. Remove the
smart card reader that is causing this
error message.
%1 = Name of the smart card reader
that is duplicated
206 Failed to create global reader change This is an internal, unrecoverable error
event. that indicates a failure in the smart
card service. The most common cause
is limited computer resources.
Restarting the computer may resolve
the issue.
401 Reader shutdown exception from eject A smart card reader could not eject a
smart card command smart card while the smart card reader
was shutting down.
406 Reader object cannot Identify Device A smart card reader did not properly
respond to a request for information
about the device, which is required for
constructing the smart card reader
name. The smart card reader will not
be recognized by the service until it is
removed from the computer and
reinserted or until the computer is
restarted.
506 Smart Card Resource Manager failed This is an internal, unrecoverable error
to register service: %1 that indicates a failure in the smart
card service. The most common cause
is limited computer resources.
Restarting the computer may resolve
the issue.
%1 = Windows error code
506 Smart Card Resource Manager An attempt to add a Plug and Play
received unexpected exception from reader failed. The device may already
PnP event %1 be in use or may be defective. To
resolve this error message, try to add
the device again or restart the
computer.
%1 = The affected handle name
EVEN T ID ERRO R M ESSA GE DESC RIP T IO N
507 No memory available for Service Status There is not enough system memory
Critical Section available. This prevents the service
from managing the status. Restarting
the computer may resolve the issue.
508 Smart Card Resource Manager An attempt to add a Plug and Play
received unexpected exception from reader failed. The device may already
PnP event %1 be in use or may be defective. To
resolve this error message, try to add
the device again or restart the
computer.
%1 = The affected handle name
509 Smart Card Resource Manager An attempt to add a Plug and Play
received unexpected exception from reader failed. The device may already
PnP event %1 be in use or may be defective. To
resolve this error message, try to add
the device again or restart the
computer.
%1 = The affected handle name
510 Smart Card Resource Manager An attempt to add a Plug and Play
received NULL handle from PnP event smart card reader failed. The device
%1 may already be in use or may be
defective. To resolve this error
message, try to add the device again
or restart the computer.
%1 = The affected handle name
511 Smart Card Resource Manager An attempt to add a Plug and Play
received unexpected exception from reader failed. The device may already
PnP event %1 be in use or may be defective. To
resolve this error message, try to add
the device again or restart the
computer.
%1 = The affected handle name
512 Smart Card Resource Manager An attempt to add a Plug and Play
received NULL handle from PnP event smart card reader failed. The device
%1 may already be in use or may be
defective. To resolve this error
message, try to add the device again
or restart the computer.
%1 = The affected handle name
513 Smart Card Resource Manager An attempt to add a Plug and Play
received unexpected exception from reader failed. The device may already
PnP event %1 be in use or may be defective. To
resolve this error message, try to add
the device again or restart the
computer.
%1 = The affected handle name
EVEN T ID ERRO R M ESSA GE DESC RIP T IO N
514 Smart Card Resource Manager failed This is an internal, unrecoverable error
to add reader %2: %1 that indicates a failure in the smart
card service. The most common cause
is limited computer resources.
Restarting the computer may resolve
the issue.
%1 = Windows error code
%2 = Smart card reader name
515 Smart Card Resource Manager failed This is an internal unrecoverable error
to declare state: %1 that indicates a failure in the smart
card service. The smart card service
may not operate properly. Restarting
the service or computer may resolve
this issue.
%1 = Windows error code
516 Smart Card Resource Manager Failed This is an internal, unrecoverable error
to declare shutdown: %1 that indicates a failure in the smart
card service. The smart card service
may not be able to stop. Restarting
the computer may resolve this issue.
%1 = Windows error code
521 Smart Card Resource Manager An attempt to add a Plug and Play
received NULL handle from PnP event smart card reader failed. The device
%1 may already be in use or may be
defective. To resolve this error
message, try to add the device again
or restart the computer.
%1 = The affected handle name
523 Smart Card Resource Manager An attempt to add a Plug and Play
received NULL handle from PnP event smart card reader failed. The device
%1 may already be in use or may be
defective. To resolve this error
message, try to add the device again
or restart the computer.
%1 = The affected handle name
603 WDM Reader driver initialization has There is not enough system memory
no memory available to control device available. This prevents the service
%1 from managing the smart card reader
that was added. Restarting the
computer may resolve the issue.
%1 = Name of affected reader
604 Server control cannot set reader This is an internal, unrecoverable error
removal event: %1 that indicates a failure in the smart
card service. The most common cause
is limited computer resources.
Restarting the computer may resolve
the issue.
%1 = Windows error code
606 Reader object failed to create removal This is an internal, unrecoverable error
event: %1 that indicates a failure in the smart
card service. The most common cause
is limited computer resources.
Restarting the computer may resolve
the issue.
%1 = Windows error code
607 Reader object failed to start monitor This is an internal, unrecoverable error
thread: %1 that indicates a failure in the smart
card service. The most common cause
is limited computer resources.
Restarting the computer may resolve
the issue.
%1 = Windows error code
608 Reader monitor failed to create power This is an internal, unrecoverable error
down timer: %1 that indicates a failure in the smart
card service. The most common cause
is limited computer resources.
Restarting the computer may resolve
the issue.
%1 = Windows error code
610 Smart Card Reader '%2' rejected IOCTL The reader cannot successfully
%3: %1 If this error persists, your transmit the indicated IOCTL to the
smart card or reader may not be smart card. This can indicate hardware
functioning correctly.%n%nCommand failure, but this error can also occur if a
Header: %4 smart card or smart card reader is
removed from the system while an
operation is in progress.
%1 = Windows error code
%2 = Name of the smart card reader
%3 = IOCTL that was sent
%4 = First 4 bytes of the command
sent to the smart card
These events are caused by legacy
functionality in the smart card stack. It
can be ignored if there is no noticeable
failure in the smart card usage
scenarios. You might also see this error
if your eSIM is recognized as a
smartcard controller.
611 Smart Card Reader initialization failed This is an internal, unrecoverable error
that indicates a failure in the smart
card service. The most common cause
is limited computer resources.
Restarting the computer may resolve
this issue.
612 Reader insertion monitor error retry This occurs when a smart card reader
threshold reached: %1 fails several times to respond properly
to the IOCTL, which indicates whether
a smart card is present in the reader.
The smart card reader is marked as
defective, and it is not recognized by
the service until it is removed from the
computer and reinserted or until the
computer is restarted.
%1 = Windows error code
615 Reader removal monitor error retry This occurs when a smart card reader
threshold reached: %1 fails several times to respond properly
to the IOCTL, which indicates whether
a smart card is present in the reader.
The smart card reader is marked as
defective, and it is not recognized by
the service until it is removed from the
computer and reinserted or until the
computer is restarted.
%1 = Windows error code
EVEN T ID ERRO R M ESSA GE DESC RIP T IO N
616 Reader monitor '%2' received uncaught This occurs when a smart card reader
error code: %1 fails several times to respond properly
to the IOCTL, which indicates whether
a smart card is present in the reader.
The smart card reader is marked as
defective, and it is not recognized by
the service until it is removed from the
computer and reinserted or until the
computer is restarted.
%1 = Windows error code
%2 = Reader name
621 Server Control failed to access start This is an internal, unrecoverable error
event: %1 that indicates a failure in the smart
card service. The most common cause
is limited computer resources.
Restarting the computer may resolve
the issue.
%1 = Windows error code
These events are caused by legacy
functionality in the smart card stack. It
can be ignored if there is no noticeable
failure in the smart card usage
scenarios.
622 Server Control failed to access stop This is an internal, unrecoverable error
event: %1 that indicates a failure in the smart
card service. The most common cause
is limited computer resources.
Restarting the computer may resolve
the issue.
%1 = Windows error code
1000 Error Could not get device ID for Smart card Plug and Play
smart card in reader %1. could not obtain the device
The return code is %2. ID for the smart card. This
information is required to
determine the correct driver.
The smart card may be
defective.
%1 = Smart card reader
name
%2 = Windows error code
See also
Smart Card Technical Reference
Virtual Smart Card Overview
3/3/2022 • 8 minutes to read • Edit Online
NOTE
Windows Hello for Business is the modern, two-factor authentication for Windows 10. Microsoft will be deprecating
virtual smart cards in the future, but no date has been set at this time. Customers using Windows 10 and virtual smart
cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have
adequate lead time to move to Windows Hello for Business. We recommend that new Windows 10 deployments use
Windows Hello for Business. Virtual smart cards remain supported for Windows 7 and Windows 8.
Feature description
Virtual smart card technology from Microsoft offers comparable security benefits to physical smart cards by
using two-factor authentication. Virtual smart cards emulate the functionality of physical smart cards, but they
use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than
requiring the use of a separate physical smart card and reader. Virtual smart cards are created in the TPM,
where the keys that are used for authentication are stored in cryptographically secured hardware.
By utilizing TPM devices that provide the same cryptographic capabilities as physical smart cards, virtual smart
cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated
cryptography, and anti-hammering.
Practical applications
Virtual smart cards are functionally similar to physical smart cards and appear in Windows as smart cards that
are always-inserted. Virtual smart cards can be used for authentication to external resources, protection of data
by secure encryption, and integrity through reliable signing. They are easily deployed by using in-house
methods or a purchased solution, and they can become a full replacement for other methods of strong
authentication in a corporate setting of any scale.
Authentication use cases
Two-factor authentication ‒based remote access
After a user has a fully functional TPM virtual smart card, provisioned with a sign-in certificate, the certificate is
used to gain strongly authenticated access to corporate resources. When the proper certificate is provisioned to
the virtual card, the user need only provide the PIN for the virtual smart card, as if it was a physical smart card,
to sign in to the domain.
In practice, this is as easy as entering a password to access the system. Technically, it is far more secure. Using
the virtual smart card to access the system proves to the domain that the user who is requesting authentication
has possession of the personal computer upon which the card has been provisioned and knows the virtual
smart card PIN. Because this request could not have possibly originated from a system other than the system
certified by the domain for this user’s access, and the user could not have initiated the request without knowing
the PIN, a strong two-factor authentication is established.
Client authentication
Virtual smart cards can also be used for client authentication by using Secure Socket Layer (SSL) or a similar
technology. Similar to domain access with a virtual smart card, an authentication certificate can be provisioned
for the virtual smart card, provided to a remote service, as requested in the client authentication process. This
adheres to the principles of two-factor authentication because the certificate is only accessible from the
computer that hosts the virtual smart card, and the user is required to enter the PIN for initial access to the card.
Vir tual smar t card redirection for remote desktop connections
The concept of two-factor authentication associated with virtual smart cards relies on the proximity of users to
the computers that they access domain resources through. Therefore, when a user remotely connects to a
computer that is hosting virtual smart cards, the virtual smart cards that are located on the remote computer
cannot be used during the remote session. However, the virtual smart cards that are stored on the connecting
computer (which is under physical control of the user) are loaded onto the remote computer, and they can be
used as if they were installed by using the remote computer’s TPM. This extends a user’s privileges to the
remote computer, while maintaining the principles of two-factor authentication.
Windows To Go and vir tual smar t cards
Virtual smart cards work well with Windows To Go, where a user can boot into a supported version of Windows
from a compatible removable storage device. A virtual smart card can be created for the user, and it is tied to the
TPM on the physical host computer to which the removable storage device is connected. When the user boots
the operating system from a different physical computer, the virtual smart card will not be available. This can be
used for scenarios when a single physical computer is shared by many users. Each user can be given a
removable storage device for Windows To Go, which has a virtual smart card provisioned for the user. This way,
users are only able to access their personal virtual smart card.
Confidentiality use cases
S/MIME email encr yption
Physical smart cards are designed to hold private keys that can be used for email encryption and decryption.
This functionality also exists in virtual smart cards. By using S/MIME with a user’s public key to encrypt email,
the sender of an email can be assured that only the person with the corresponding private key will be able to
decrypt the email. This assurance is a result of the non-exportability of the private key. It never exists within
reach of malicious software, and it remains protected by the TPM—even during decryption.
BitLocker for data volumes
sBitLocker Drive Encryption technology makes use of symmetric-key encryption to protect the content of a
user’s hard drive. This ensures that if the physical ownership of a hard drive is compromised, an adversary will
not be able to read data off the drive. The key used to encrypt the drive can be stored in a virtual smart card,
which necessitates knowledge of the virtual smart card PIN to access the drive and possession of the computer
that is hosting the TPM virtual smart card. If the drive is obtained without access to the TPM that hosts the
virtual smart card, any brute force attack will be very difficult.
BitLocker can also be used to encrypt portable drives, which involves storing keys in virtual smart cards. In this
scenario (unlike using BitLocker with a physical smart card), the encrypted drive can be used only when it is
connected to the host for the virtual smart card that is used to encrypt the drive, because the BitLocker key is
only accessible from this computer. However, this method can be useful to ensure the security of backup drives
and personal storage uses outside the main hard drive.
Data integrity use case
Signing data
To verify authorship of data, a user can sign it by using a private key that is stored in the virtual smart card.
Digital signatures confirm the integrity and origin of the data. If the key is stored in an operating system that is
accessible, a malicious user could access it and use it to modify already signed data or to spoof the key owner’s
identity. However, if this key is stored in a virtual smart card, it can be used only to sign data on the host
computer. It cannot be exported to other systems (intentionally or unintentionally, such as with malware theft).
This makes digital signatures far more secure than other methods for private key storage.
Hardware requirements
To use the virtual smart card technology, TPM 1.2 is the minimum required for computers running Windows 10
or Windows Server 2016.
Software requirements
To use the virtual smart card technology, computers must be running one of the following operating systems:
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Windows 10
Windows 8.1
Windows 8
See also
Understanding and Evaluating Virtual Smart Cards
Get Started with Virtual Smart Cards: Walkthrough Guide
Use Virtual Smart Cards
Deploy Virtual Smart Cards
Evaluate Virtual Smart Card Security
Tpmvscmgr
Understanding and Evaluating Virtual Smart Cards
3/3/2022 • 13 minutes to read • Edit Online
Protects private keys by using the built-in cryptographic Protects private keys by using the cryptographic
functionality of the card. functionality of the TPM.
Stores private keys in isolated non-volatile memory on the Stores encrypted private keys on the hard drive. The
card, which means that access to private keys is only from encryption ensures that these keys can only be decrypted
the card, and access is never allowed to the operating and used in the TPM, not in the accessible memory of the
system. operating system.
Guarantees non-exportability through the card Guarantees non-exportability through the TPM
manufacturer, which includes isolating private information manufacturer, which includes the inability of an adversary to
from operating system access. replicate or remove the TPM.
Performs and isolates cryptographic operations within the Performs and isolates cryptographic operations in the TPM
built-in capabilities of the card. of the user’s computer or device.
Provides anti-hammering through the card. After a certain Provides anti-hammering through the TPM. Successive failed
number of failed PIN entry attempts, the card blocks further attempts increase the device lockout time (the time the user
access until administrative action is taken. has to wait before trying again). This can be reset by an
administrator.
Requires that users carry their smart card and smart card Allows users to access their TPM-enabled computers or
reader with them to access network resources. devices, and potentially access the network, without
additional equipment.
Enables credential portability by inserting the smart card Prevents exporting credentials from a given computer or
into smart card readers that are attached to other device. However, virtual smart cards can be issued for the
computers. same user on multiple computers or devices by using
additional certificates.
Enables multiple users to access network resources through Enables multiple users to access network resources through
the same computer by inserting their personal smart cards. the same computer or device by issuing a virtual smart card
for each user on that computer or device.
Requires the user to carry the card, making it more difficult Stores virtual smart card on the user’s computer, which may
for an attacker to access the device and launch a hammering be left unattended and allow a greater risk window for
attempt. hammering attempts.
Provides a generally single-purpose device that is carried Installs the virtual smart card on a device that has other
explicitly for the purpose of authentication. The smart card purposes for the user, so the user has greater incentive to be
can be easily misplaced or forgotten. responsible for the computer or device.
P H Y SIC A L SM A RT C A RDS T P M VIRT UA L SM A RT C A RDS
Alerts users that their card is lost or stolen only when they Installs the virtual smart card on a device that the user likely
need to sign in and notice it is missing. needs for other purposes, so users will notice its loss much
more quickly. This reduces the associated risk window.
Requires companies to invest in smart cards and smart card Requires that companies ensure all employees have TPM-
readers for all employees. enabled computers, which are relatively common.
Enables using a smart card removal policy to affect system Eliminates the necessity for a smart card removal policy
behavior when the smart card is removed. For example, the because a TPM virtual smart card is always present and
policy can dictate if the user’s sign-in session is locked or cannot be removed from the computer.
terminated when the user removes the card.
See also
Get Started with Virtual Smart Cards: Walkthrough Guide
Use Virtual Smart Cards
Deploy Virtual Smart Cards
Evaluate Virtual Smart Card Security
Get Started with Virtual Smart Cards: Walkthrough
Guide
3/3/2022 • 5 minutes to read • Edit Online
Impor tant This basic configuration is for test purposes only. It is not intended for use in a production
environment.
Prerequisites
You will need:
A computer running Windows 10 with an installed and fully functional TPM (version 1.2 or version 2.0).
A test domain to which the computer listed above can be joined.
Access to a server in that domain with a fully installed and running certification authority (CA).
3. In the available snap-ins list, click Cer tificate Templates , and then click Add .
4. Certificate Templates is now located under Console Root in the MMC. Double-click it to view all the
available certificate templates.
5. Right-click the Smar tcard Logon template, and click Duplicate Template .
6. On the Compatibility tab, under Cer tification Authority , review the selection, and change it if needed.
7. On the General tab:
a. Specify a name, such as TPM Vir tual Smar t Card Logon .
b. Set the validity period to the desired value.
8. On the Request Handling tab:
a. Set the Purpose to Signature and smar tcard logon .
b. Click Prompt the user during enrollment .
9. On the Cr yptography tab:
a. Set the minimum key size to 2048.
b. Click Requests must use one of the following providers , and then select Microsoft Base
Smar t Card Cr ypto Provider .
10. On the Security tab, add the security group that you want to give Enroll access to. For example, if you
want to give access to all users, select the Authenticated users group, and then select Enroll
permissions for them.
11. Click OK to finalize your changes and create the new template. Your new template should now appear in
the list of Certificate Templates.
12. Select File , then click Add/Remove Snap-in to add the Certification Authority snap-in to your MMC
console. When asked which computer you want to manage, select the computer on which the CA is
located, probably Local Computer .
13. In the left pane of the MMC, expand Cer tification Authority (Local) , and then expand your CA within
the Certification Authority list.
14. Right-click Cer tificate Templates , click New , and then click Cer tificate Template to Issue .
15. From the list, select the new template that you just created (TPM Vir tual Smar t Card Logon ), and then
click OK .
Note It can take some time for your template to replicate to all servers and become available in this
list.
16. After the template replicates, in the MMC, right-click in the Certification Authority list, click All Tasks , and
then click Stop Ser vice . Then, right-click the name of the CA again, click All Tasks , and then click Star t
Ser vice .
Step 2: Create the TPM virtual smart card
In this step, you will create the virtual smart card on the client computer by using the command-line tool,
Tpmvscmgr.exe.
To create the TPM virtual smart card
1. On a domain-joined computer, open a Command Prompt window with Administrative credentials.
2. At the command prompt, type the following, and then press ENTER:
tpmvscmgr.exe create /name TestVSC /pin default /adminkey random /generate
This will create a virtual smart card with the name TestVSC , omit the unlock key, and generate the file
system on the card. The PIN will be set to the default, 12345678. To be prompted for a PIN, instead of
/pin default you can type /pin prompt .
For more information about the Tpmvscmgr command-line tool, see Use Virtual Smart Cards and
Tpmvscmgr.
3. Wait several seconds for the process to finish. Upon completion, Tpmvscmgr.exe will provide you with the
device instance ID for the TPM Virtual Smart Card. Store this ID for later reference because you will need
it to manage or remove the virtual smart card.
Step 3: Enroll for the certificate on the TPM Virtual Smart Card
The virtual smart card must be provisioned with a sign-in certificate for it to be fully functional.
To enroll the certificate
1. Open the Certificates console by typing cer tmgr.msc on the Star t menu.
2. Right-click Personal , click All Tasks , and then click Request New Cer tificate .
3. Follow the prompts and when offered a list of templates, select the TPM Vir tual Smar t Card Logon
check box (or whatever you named the template in Step 1).
4. If prompted for a device, select the Microsoft virtual smart card that corresponds to the one you created
in the previous section. It displays as Identity Device (Microsoft Profile) .
5. Enter the PIN that was established when you created the TPM virtual smart card, and then click OK .
6. Wait for the enrollment to finish, and then click Finish .
The virtual smart card can now be used as an alternative credential to sign in to your domain. To verify that your
virtual smart card configuration and certificate enrollment were successful, sign out of your current session, and
then sign in. When you sign in, you will see the icon for the new TPM virtual smart card on the Secure Desktop
(sign in) screen or you will be automatically directed to the TPM smart card sign-in dialog box. Click the icon,
enter your PIN (if necessary), and then click OK . You should be signed in to your domain account.
See also
Understanding and Evaluating Virtual Smart Cards
Use Virtual Smart Cards
Deploy Virtual Smart Cards
Use Virtual Smart Cards
3/3/2022 • 5 minutes to read • Edit Online
Supported Trusted Platform Module (TPM) Any TPM that adheres to the TPM main specifications for
version 1.2 or version 2.0 (as set by the Trusted Computing
Group) is supported for use as a virtual smart card. For
more information, see the TPM Main Specification.
Supported virtual smart cards per computer Ten smart cards can be connected to a computer or device
at one time. This includes physical and virtual smart cards
combined.
Note
You can create more than one virtual smart card; however,
after creating more than four virtual smart cards, you may
start to notice performance degradation. Because all smart
cards appear as if they are always inserted, if more than one
person shares a computer or device, each person can see all
the virtual smart cards that are created on that computer or
device. If the user knows the PIN values for all the virtual
smart cards, the user will also be able to use them.
Supported number of certificates on a virtual smart card A single TPM virtual smart card can contain 30 distinct
certificates with the corresponding private keys. Users can
continue to renew certificates on the card until the total
number of certificates on a card exceeds 90. The reason that
the total number of certificates is different from the total
number of private keys is that sometimes the renewal can be
done with the same private key—in which case a new private
key is not generated.
PIN, PIN Unlock Key (PUK), and Administrative key The PIN and the PUK must be a minimum of eight
requirements characters that can include numerals, alphabetic characters,
and special characters.
The Administrative key must be entered as 48 hexadecimal
characters. It is a 3-key triple DES with ISO/IEC 9797
padding method 2 in CBC chaining mode.
Using Tpmvscmgr.exe
To create and delete TPM virtual smart cards for end users, the Tpmvscmgr command-line tool is included as a
command-line tool with the operating system. You can use the Create and Delete parameters to manage
virtual smart cards on local or remote computers. For information about using this tool, see Tpmvscmgr.
A TPM-based virtual smart card is labeled Security Device in the user interface.
Resolving issues
TPM not provisioned
For a TPM-based virtual smart card to function properly, a provisioned TPM must be available on the computer.
If the TPM is disabled in the BIOS, or it is not provisioned with full ownership and the storage root key, the TPM
virtual smart card creation will fail.
If the TPM is initialized after creating a virtual smart card, the card will no longer function, and it will need to be
re-created.
If the TPM ownership was established on a Windows Vista installation, the TPM will not be ready to use virtual
smart cards. The system administrator needs to clear and initialize the TPM for it to be suitable for creating TPM
virtual smart cards.
If the operating system is reinstalled, prior TPM virtual smart cards are no longer available and need to be re-
created. If the operating system is upgraded, prior TPM virtual smart cards will be available to use in the
upgraded operating system.
TPM in lockout state
Sometimes, due to frequent incorrect PIN attempts from a user, the TPM may enter the lockout state. To resume
using the TPM virtual smart card, it is necessary to reset the lockout on the TPM by using the owner’s password
or to wait for the lockout to expire. Unblocking the user PIN does not reset the lockout in the TPM. When the
TPM is in lockout, the TPM virtual smart card appears as if it is blocked. When the TPM enters the lockout state
because the user entered an incorrect PIN too many times, it may be necessary to reset the user PIN by using
the virtual smart card management tools, such as Tpmvscmgr command-line tool.
See also
For information about authentication, confidentiality, and data integrity use cases, see Virtual Smart Card
Overview.
Deploy Virtual Smart Cards
3/3/2022 • 24 minutes to read • Edit Online
Physical devices are created by a dedicated manufacturer and then purchased by the corporation that will
ultimately deploy it. The device passes through the personalization stage, where its unique properties are set. In
smart cards, these properties are the administrator key, Personal Identification Number (PIN), PIN Unlock Key
(PUK), and its physical appearance. To provision the device, it is loaded with the required certificates, such as a
sign-in certificate. After you provision the device, it is ready for use. The device must simply be maintained. For
example, you must replace cards when they are lost or stolen and reset PINs when users forget them. Finally,
you’ll retire devices when they exceed their intended lifetime or when employees leave the company.
This topic contains information about the following phases in a virtual smart card lifecycle:
Create and personalize virtual smart cards
Provision virtual smart cards
Maintain virtual smart cards
Reset PIN when the user forgets the Yes No, the card has to be deleted and
PIN created again.
Allow user to change the PIN Yes No, the card has to be deleted and
created again.
Managed cards
A managed virtual smart card can be serviced by the IT administrator or another person in that designated role.
It allows the IT administrator to have influence or complete control over specific aspects of the virtual smart
card from its creation to deletion. To manage these cards, a virtual smart card deployment management tool is
often required.
Managed card creation
A user can create blank virtual smart card by using the Tpmvscmgr command-line tool, which is a built-in tool
that is run with administrative credentials through an elevated command prompt. This virtual smart card needs
to be created with well-known parameters (such as default values), and it should be left unformatted
(specifically, the /generate option should not be specified).
The following command creates a virtual smart card that can later be managed by a smart card management
tool launched from another computer (as explained in the next section):
tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey DEFAULT /PIN PROMPT
Alternatively, instead of using a default administrator key, a user can enter an administrator key at the command
line:
tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey PROMPT /PIN PROMPT
In either case, the card management system needs to be aware of the initial administrator key that is used so
that it can take ownership of the virtual smart card and change the administrator key to a value that is only
accessible through the card management tool operated by the IT administrator. For example, when the default
value is used, the administrator key is set to:
10203040506070801020304050607080102030405060708
Unmanaged cards
Unmanaged virtual smart cards are not serviceable by an IT administrator. Unmanaged cards might be suitable
if an organzation does not have an elaborate smart card deployment management tool and using remote
desktop connections to manage the card is not desirable. Because unmanaged cards are not serviceable by the
IT administrator, when a user needs help with a virtual smart card (for example, resetting or unlocking a PIN),
the only option available to the user is to delete the card and create it again. This results in loss of the user’s
credentials and he or she must re-enroll.
Unmanaged card creation
A user can create a virtual smart card by using the Tpmvscmgr command-line tool, which is run with
administrative credentials through an elevated command prompt. The following command creates an
unmanaged card that can be used to enroll certificates:
tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey RANDOM /PIN PROMPT /generate
This command creates a card with a randomized administrator key. The key is automatically discarded after the
creation of the card. If users forget or want to change their PIN, they need to delete the card and create it again.
To delete the card, a user can run the following command:
tpmvscmgr.exe destroy /instance <instance ID>
where <instance ID> is the value that is printed on the screen when the user creates the card. Specifically, for the
first card created, the instance ID is ROOT\SMARTCARDREADER\0000).
Certificate management for unmanaged cards
Depending on the security requirements that are unique to an organization, users can initially enroll for
certificates from the certificate management console (certmgr.msc) or from within custom certificate enrollment
applications. The latter method can create a request and submit it to a server that has access to the Certification
Authority. This requires specific organizational configurations and deployments for certificate enrollment
policies and certificate enrollment services. Windows has built-in tools, specifically Certreq.exe and Certutil.exe,
which can be used by scripts to perform the enrollment from the command line.
Requesting the certificate by providing domain credentials only
The simplest way for users to request certificates is to provide their domain credentials through a script that can
perform the enrollment through built-in components you have in place for certificate requests.
Alternatively, an application (such as a line-of-business app) can be installed on the computer to perform
enrollment by generating a request on the client. The request is submitted to an HTTP server, which can forward
it to a registration authority.
Another option is to have the user access an enrollment portal that is available through Internet Explorer. The
webpage can use the scripting APIs to perform certificate enrollment.
Signing the request with another certificate
You can provide users with a short-term certificate through a Personal Information Exchange (.pfx) file. You can
generate the .pfx file by initiating a request from a domain-joined computer. Additional policy constraints can be
enforced on the .pfx file to assert the identity of the user.
The user can import the certificate into the MY store (which is the user’s certificate store). And your
organization can present the user with a script that can be used to sign the request for the short-term certificate
and to request a virtual smart card.
For deployments that require users to use a physical smart card to sign the certificate request, you can use the
procedure:
1. Users initiate a request on a domain-joined computer.
2. Users complete the request by using a physical smart card to sign the request.
3. Users download the request to the virtual smart card on their client computer.
Using one-time password for enrollment
Another option to ensure that users are strongly authenticated before virtual smart card certificates are issued
is to send a user a one-time password through SMS, email, or phone. The user then types the one-time
password during the certificate enrollment from an application or a script on a desktop that invokes built-in
command-line tools.
Certificate lifecycle management
Certificate renewal can be done from the same tools that are used for the initial certificate enrollment.
Certificate enrollment policies and certificate enrollment services can also be used to perform automatic
renewal.
Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably
available, the specific certificate can be easily revoked. When information about the certificate to be revoked is
not easy to determine, all certificates that are issued to the user under the policy that was used to issue the
certificate might need to be revoked. For example, this could occur if an employee reports a lost or
compromised device, and information that associates the device with a certificate is not available.
See also
Understanding and Evaluating Virtual Smart Cards
Get Started with Virtual Smart Cards: Walkthrough Guide
Use Virtual Smart Cards
Evaluate Virtual Smart Card Security
Tpmvscmgr
Evaluate Virtual Smart Card Security
3/3/2022 • 3 minutes to read • Edit Online
Note Introduced in Windows Server 2012 R2 and Windows 8.1, if the user enters the wrong PIN five
consecutive times for a virtual smart card (which works in conjunction with the TPM), the card is
blocked. When the card is blocked, it has to be unblocked by using the administrative key or the PUK.
2. Increase the time delay exponentially as the user enters the wrong PIN so that an excessive number of
wrong PIN attempts quickly trigger long delays in accepting commands.
3. Have a failure leakage mechanism to allow the TPM to reset the timed delays over a period of time. This
is useful in cases where a valid user has entered the wrong PIN occasionally, for example, due to
complexity of the PIN.
As an example, it will take 14 years to guess an 8-character PIN for a TPM that implements the following
protection:
1. Number of wrong PINs allowed before entering lockout (threshold): 9
2. Time the TPM is in lockout after the threshold is reached: 10 seconds
3. Timed delay doubles for each wrong PIN after the threshold is reached
See also
Understanding and Evaluating Virtual Smart Cards
Tpmvscmgr
3/3/2022 • 5 minutes to read • Edit Online
Syntax
Tpmvscmgr create [/quiet] /name <name> /AdminKey {DEFAULT | PROMPT | RANDOM} [/PIN {DEFAULT | PROMPT}] [/PUK
{DEFAULT | PROMPT}] [/generate] [/machine <machine name>] [/pinpolicy [policy options]] [/attestation
{AIK_AND_CERT | AIK_ONLY}] [/?]
Tpmvscmgr destroy [/quiet] [/instance <device instance ID>] [/machine <machine name>] [/?]
PA RA M ET ER DESC RIP T IO N
/name Required. Indicates the name of the new virtual smart card.
/PUK Indicates the desired PIN Unlock Key (PUK) value. The PUK
value must be a minimum of eight characters, and it can
contain numerals, characters, and special characters. If the
parameter is omitted, the card is created without a PUK.
DEFAULT Specifies the default PUK of 12345678.
PROMPT Prompts the user to enter a PUK at the
command line.
PA RA M ET ER DESC RIP T IO N
/generate Generates the files in storage that are necessary for the
virtual smart card to function. If the /generate parameter is
omitted, it is equivalent to creating a card without this file
system. A card without a file system can be managed only
by a smart card management system such as Microsoft
Endpoint Configuration Manager.
WARNING
When a virtual smart card is deleted, it cannot be recovered.
PA RA M ET ER DESC RIP T IO N
Remarks
Membership in the Administrators group (or equivalent) on the target computer is the minimum required to run
all the parameters of this command.
For alphanumeric inputs, the full 127 character ASCII set is allowed.
Examples
The following command shows how to create a virtual smart card that can be later managed by a smart card
management tool launched from another computer.
Alternatively, instead of using a default administrator key, you can create an administrator key at the command
line. The following command shows how to create an administrator key.
The following command will create the unmanaged virtual smart card that can be used to enroll certificates.
The preceding command will create a virtual smart card with a randomized administrator key. The key is
automatically discarded after the card is created. This means that if the user forgets the PIN or wants to the
change the PIN, the user needs to delete the card and create it again. To delete the card, the user can run the
following command.
where <instance ID> is the value printed on the screen when the user created the card. Specifically, for the first
card created, the instance ID is ROOT\SMARTCARDREADER\0000.
The following command will create a TPM virtual smart card with the default value for the administrator key
and a specified PIN policy and attestation method:
tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /PIN PROMPT /pinpolicy minlen 4 maxlen 8
/AdminKey DEFAULT /attestation AIK_AND_CERT /generate
Additional references
Virtual Smart Card Overview
Windows and cloud security
3/3/2022 • 2 minutes to read • Edit Online
Today’s workforce has more freedom and mobility than ever before. With the growth of enterprise cloud
adoption, increased personal app usage, and increased use of third-party apps, the risk of data exposure is at its
highest. Enabling Zero-Trust protection, Windows 11 works with Microsoft cloud services. Windows and cloud
services together help organizations strengthen their multi-cloud security infrastructure, protect hybrid cloud
workloads, and safeguard sensitive information while controlling access and mitigating threats.
Windows 11 includes the cloud services that are listed in the following table:
Mobile device management (MDM) and Microsoft Endpoint Windows 11 supports MDM, an enterprise management
Manager solution to help you manage your organization's security
policies and business applications. MDM enables your
security team to manage devices without compromising
people's privacy on their personal devices.
Microsoft account When users add their Microsoft account to Windows 11,
they can bring their Windows, Microsoft Edge, Xbox settings,
web page favorites, files, photos, and more across their
devices.
OneDrive OneDrive is your online storage for your files, photos, and
data. OneDrive provides extra security, backup, and restore
options for important files and photos. With options for
both personal and business, people can use OneDrive to
store and protect files in the cloud, allowing users to them
on their laptops, desktops, and mobile devices. If a device is
lost or stolen, people can quickly recover all their important
files, photos, and data.
Access to Azure Active Directory Microsoft Azure Active Directory (Azure AD) is a complete
cloud identity and access management solution for
managing identities and directories, enabling access to
applications, and protecting identities from security threats.
With Azure AD, you can manage and secure identities for
your employees, partners, and customers to access the
applications and services they need. Windows 11 works
seamlessly with Azure Active Directory to provide secure
access, identity management, and single sign-on to apps
and services from anywhere.
Next steps
Learn more about MDM and Windows 11
Learn more about Windows security
Windows security foundations
3/3/2022 • 2 minutes to read • Edit Online
Microsoft is committed to continuously invest in improving our software development process, building highly
secure-by-design software, and addressing security compliance requirements. At Microsoft, we embed security
and privacy considerations from the earliest life-cycle phases of all our software development processes. We
build in security from the ground for powerful defense in today’s threat environment.
Our strong security foundation uses Microsoft Security Development Lifecycle (SDL) Bug Bounty, support for
product security standards and certifications, and Azure Code signing. As a result, we improve security by
producing software with fewer defects and vulnerabilities instead of relying on applying updates after
vulnerabilities have been identified.
Use the links in the following table to learn more about the security foundations:
C O N C EP T DESC RIP T IO N
Microsoft Security Development Lifecycle The Security Development Lifecycle (SDL) is a security
assurance process that is focused on software development.
The SDL has played a critical role in embedding security and
privacy in software and culture at Microsoft.
Microsoft Bug Bounty Program If you find a vulnerability in a Microsoft product, service, or
device, we want to hear from you! If your vulnerability
report affects a product or service that is within scope of
one of our bounty programs below, you could receive a
bounty award according to the program descriptions.
The Security Development Lifecycle (SDL) is a security assurance process that is focused on software
development. As a Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical
role in embedding security and privacy in software and culture at Microsoft.
Combining a holistic and practical approach, the SDL aims to reduce the number and severity of vulnerabilities
in software. The SDL introduces security and privacy throughout all phases of the development process.
The Microsoft SDL is based on three core concepts:
Education
Continuous process improvement
Accountability
To learn more about the SDL, visit the Security Engineering site.
And, download the Simplified Implementation of the Microsoft SDL whitepaper.
About the Microsoft Bug Bounty Program
3/3/2022 • 2 minutes to read • Edit Online
Are you a security researcher? Did you find a vulnerability in a Microsoft product, service, or device? If so, we
want to hear from you!
If your vulnerability report affects a product or service that is within scope of one of our bounty programs
below, you could receive a bounty award according to the program descriptions.
Visit the Microsoft Bug Bounty Program site for all the details!
FIPS 140-2 Validation
3/3/2022 • 166 minutes to read • Edit Online
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
W i n d o w s 1 0 Sp r i n g 2 0 1 8 U p d a t e (Ve r si o n 1 8 0 3 )
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
W i n d o w s 1 0 F a l l C r e a t o r s U p d a t e (Ve r si o n 1 7 0 9 )
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
W i n d o w s 1 0 C r e a t o r s U p d a t e (Ve r si o n 1 70 3 )
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
[3]
[3] Applies only to Pro, Enterprise, Education, and S
W i n d o w s 1 0 A n n i v e r sa r y U p d a t e (Ve r si o n 1 6 0 7)
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
[4] Applies only to Home, Pro, Enterprise, Mobile, and Surface Hub
[5] Applies only to Home, Pro, Enterprise, Mobile, and Surface Hub
[6] Applies only to Home, Pro, and Enterprise
[7] Applies only to Pro, Enterprise, Mobile, and Surface Hub
[8] Applies only to Enterprise and Enterprise LTSB
W i n d o w s 1 0 (Ve r si o n 1 5 0 7)
Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Hub
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
W i n d o w s Vi st a SP 1
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
Enhanced DSS and Diffie- 6.0.6001.18000 and 1003 FIPS approved algorithms:
Hellman Cryptographic 6.0.6002.18005 DSA (Cert. #281); RNG
Provider (DSSENH) (Cert. #435); SHS (Cert.
#753); Triple-DES (Cert.
#656); Triple-DES MAC
(Triple-DES Cert. #656,
vendor affirmed)
Other algorithms: DES;
DES MAC; DES40;
DES40 MAC; Diffie-
Hellman (key
agreement; key
establishment
methodology provides
between 112 bits and
150 bits of encryption
strength; non-
compliant less than 112
bits of encryption
strength); MD5; RC2;
RC2 MAC; RC4
W i n d o w s Vi st a
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
W i n d o w s X P SP 3
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
W i n d o w s X P SP 2
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
W i n d o w s X P SP 1
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
W indow s XP
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
W i n d o w s 2 0 0 0 SP 3
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
Base DSS Cryptographic (Base DSS: 5.0.2195.3665 103 FIPS approved algorithms:
Provider, Base [SP3]) Triple-DES (Cert. #16);
Cryptographic Provider, (Base: 5.0.2195.3839 DSA/SHA-1 (Certs. #28 and
DSS/Diffie-Hellman [SP3]) #29); RSA (vendor affirmed)
Enhanced Cryptographic Other algorithms: DES
Provider, and Enhanced (DSS/DH Enh: (Certs. #65, 66, 67 and
Cryptographic Provider 5.0.2195.3665 [SP3]) 68); Diffie-Hellman (key
(Enh: 5.0.2195.3839 agreement); RC2; RC4;
[SP3] MD2; MD4; MD5
W i n d o w s 2 0 0 0 SP 2
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
W i n d o w s 2 0 0 0 SP 1
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
Base DSS Cryptographic (Base DSS: 5.0.2150.1391 103 FIPS approved algorithms:
Provider, Base [SP1]) Triple-DES (Cert. #16);
Cryptographic Provider, (Base: 5.0.2150.1391 DSA/SHA-1 (Certs. #28 and
DSS/Diffie-Hellman [SP1]) #29); RSA (vendor affirmed)
Enhanced Cryptographic Other algorithms: DES
Provider, and Enhanced (DSS/DH Enh: (Certs. #65, 66, 67 and
Cryptographic Provider 5.0.2150.1391 [SP1]) 68); Diffie-Hellman (key
(Enh: 5.0.2150.1391 agreement); RC2; RC4;
[SP1]) MD2; MD4; MD5
W indow s 2000
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
W in dow s 9 5 an d W in dow s 9 8
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
W i n d o w s N T 4 .0
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
W i n d o w s Se r v e r (Ve r si o n 1 8 0 3 )
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
W i n d o w s Se r v e r (Ve r si o n 1 7 0 9 )
W i n d o w s Se r v e r 2 0 1 6
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
W i n d o w s Se r v e r 2 0 1 2 R 2
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
[16] Doesn't apply to Azure StorSimple Vir tual Array Windows Ser ver 2012 R2
[17] Doesn't apply to Azure StorSimple Vir tual Array Windows Ser ver 2012 R2
Windows Ser ver 2012
Validated Editions: Server, Storage Server
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
W i n d o w s Se r v e r 2 0 0 8 R 2
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
W i n d o w s Se r v e r 2 0 0 8
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
Enhanced DSS and Diffie- 6.0.6001.18000 and 1009 FIPS approved algorithms:
Hellman Cryptographic 6.0.6002.18005 DSA (Cert. #282); RNG
Provider (DSSENH) (Cert. #435); SHS (Cert.
#753); Triple-DES (Cert.
#656); Triple-DES MAC
(Triple-DES Cert. #656,
vendor affirmed)
Other algorithms: DES;
DES MAC; DES40;
DES40 MAC; Diffie-
Hellman (key
agreement; key
establishment
methodology provides
between 112 bits and
150 bits of encryption
strength; non-
compliant less than 112
bits of encryption
strength); MD5; RC2;
RC2 MAC; RC4
W i n d o w s Se r v e r 2 0 0 3 SP 2
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
W i n d o w s Se r v e r 2 0 0 3 SP 1
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
Enhanced DSS and Diffie- 5.2.3790.1830 [Service Pack 381 FIPS approved algorithms:
Hellman Cryptographic 1] Triple-DES (Certs. #199[1]
Provider (DSSENH) and #381[2]); SHA-1 (Certs.
#181[1] and #385[2]); DSA
(Certs. #95[1] and #146[2]);
RSA (Cert. #81)
Other algorithms: DES
(Cert. #229[1]); Diffie-
Hellman (key
agreement); RC2; RC4;
MD5; DES 40
[1] x86
[2] SP1 x86, x64, IA64
W i n d o w s Se r v e r 2 0 0 3
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
Other Products
W i n d o w s Em b e d d e d C o m p a c t 7 a n d W i n d o w s Em b e d d e d C o m p a c t 8
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
W i n d o w s C E 6 .0 a n d W i n d o w s Em b e d d e d C o m p a c t 7
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
VERSIO N ( L IN K TO
C RY P TO GRA P H IC M O DUL E SEC URIT Y P O L IC Y ) F IP S C ERT IF IC AT E # A L GO RIT H M S
Cryptographic Algorithms
The following tables are organized by cryptographic algorithms with their modes, states, and key sizes. For each
algorithm implementation (operating system / platform), there is a link to the Cryptographic Algorithm
Validation Program (CAVP) issued certificate.
Advanced Encryption Standard (AES )
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
CBC (e/d; 128, 192, 256); Windows 10 Creators Update (version 1703) Pro, Enterprise,
CFB128 (e/d; 128, 192, 256); Education Virtual TPM Implementations #4627
Version 10.0.15063
OFB (e/d; 128, 192, 256);
CTR (int only; 128, 192, 256)
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
KW (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, Windows 10 Creators Update (version 1703) Home, Pro,
192, 320, 2048) Enterprise, Education, Windows 10 S, Windows 10 Mobile
AES validation number 4624 Cryptography Next Generation (CNG) Implementations
#4626
Version 10.0.15063
CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Windows 10 Creators Update (version 1703) Home, Pro,
Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): Enterprise, Education, Windows 10 S, Windows 10 Mobile
16) BitLocker(R) Cryptographic Implementations #4625
AES validation number 4624 Version 10.0.15063
ECB (e/d; 128, 192, 256); Windows 10 Creators Update (version 1703) Home, Pro,
CBC (e/d; 128, 192, 256); Enterprise, Education, Windows 10 S, Windows 10 Mobile
SymCrypt Cryptographic Implementations #4624
CFB8 (e/d; 128, 192, 256); Version 10.0.15063
CFB128 (e/d; 128, 192, 256);
CTR (int only; 128, 192, 256)
CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0,
2^16) (Payload Length Range: 0 - 32 (Nonce Length(s):
7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
CMAC (Generation/Verification) (KS: 128; Block Size(s):
Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s)
Min: 16 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg
Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16)
(KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0
Max: 2^16; Tag Len(s) Min: 16 Max: 16)
GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104
96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104
96)
(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
IV Generated: (External); PT Lengths Tested: (0, 1024, 8,
1016); Additional authenticated data lengths tested: (0,
1024, 8, 1016); 96 bit IV supported
GMAC supported
XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))
ECB (e/d; 128, 192, 256); Windows Embedded Compact Enhanced Cryptographic
CBC (e/d; 128, 192, 256); Provider (RSAENH) #4434
Version 7.00.2872
ECB (e/d; 128, 192, 256); Windows Embedded Compact Enhanced Cryptographic
CBC (e/d; 128, 192, 256); Provider (RSAENH) #4433
Version 8.00.6246
ECB (e/d; 128, 192, 256); Windows Embedded Compact Cryptographic Primitives
CBC (e/d; 128, 192, 256); Library (bcrypt.dll) #4431
Version 7.00.2872
CTR (int only; 128, 192, 256)
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
ECB (e/d; 128, 192, 256); Windows Embedded Compact Cryptographic Primitives
CBC (e/d; 128, 192, 256); Library (bcrypt.dll) #4430
Version 8.00.6246
CTR (int only; 128, 192, 256)
CBC (e/d; 128, 192, 256); Microsoft Windows 10 Anniversary Update, Windows Server
CFB128 (e/d; 128, 192, 256); 2016, Windows Storage Server 2016; Microsoft Surface
Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10
OFB (e/d; 128, 192, 256); Anniversary Update Virtual TPM Implementations #4074
CTR (int only; 128, 192, 256) Version 10.0.14393
ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 Microsoft Windows 10 Anniversary Update, Windows Server
(e/d; 128, 192, 256); 2016, Windows Storage Server 2016; Microsoft Surface
CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/
256) Windows 10 Anniversary Update; Microsoft Lumia 950 and
Lumia 650 w/ Windows 10 Mobile Anniversary Update
CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, SymCrypt Cryptographic Implementations #4064
2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): Version 10.0.14393
7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
CMAC (Generation/Verification) (KS: 128; Block
Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag
Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial;
Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max:
16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0
Max: 2^16; Tag Len(s) Min: 0 Max: 16)
GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104
96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104
96)
(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
IV Generated: (Externally); PT Lengths Tested: (0,
1024, 8, 1016); Additional authenticated data lengths
tested: (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96
bit IV supported
GMAC supported
XTS((KS: XTS_128 ((e/d)(f)) KS: XTS_256 ((e/d)(f))
ECB (e/d; 128, 192, 256); Microsoft Windows 10 Anniversary Update, Windows Server
CBC (e/d; 128, 192, 256); 2016, Windows Storage Server 2016; Microsoft Surface
Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/
CFB8 (e/d; 128, 192, 256); Windows 10 Anniversary Update; Microsoft Lumia 950 and
Lumia 650 w/ Windows 10 Mobile Anniversary Update
RSA32 Algorithm Implementations #4063
Version 10.0.14393
KW (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 192, Microsoft Windows 10 Anniversary Update, Windows Server
256, 320, 2048) 2016, Windows Storage Server 2016; Microsoft Surface
AES validation number 4064 Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/
Windows 10 Anniversary Update; Microsoft Lumia 950 and
Lumia 650 w/ Windows 10 Mobile Anniversary Update
Cryptography Next Generation (CNG) Implementations
#4062
Version 10.0.14393
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Microsoft Windows 10 Anniversary Update, Windows Server
Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 2016, Windows Storage Server 2016; Microsoft Surface
16) Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/
AES validation number 4064 Windows 10 Anniversary Update; Microsoft Lumia 950 and
Lumia 650 w/ Windows 10 Mobile Anniversary Update
BitLocker® Cryptographic Implementations #4061
Version 10.0.14393
KW (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, Microsoft Windows 10 November 2015 Update; Microsoft
192, 320, 2048) Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface
AES validation number 3629 Pro 2, and Surface Pro w/ Windows 10 November 2015
Update; Windows 10 Mobile for Microsoft Lumia 950 and
Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub
84” and Surface Hub 55” Cryptography Next Generation
(CNG) Implementations #3652
Version 10.0.10586
CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Microsoft Windows 10 November 2015 Update; Microsoft
Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface
16) Pro 2, and Surface Pro w/ Windows 10 November 2015
AES validation number 3629 Update; Windows 10 Mobile for Microsoft Lumia 950 and
Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub
84” and Surface Hub 55” BitLocker® Cryptographic
Implementations #3653
Version 10.0.10586
ECB (e/d; 128, 192, 256); Microsoft Windows 10 November 2015 Update; Microsoft
CBC (e/d; 128, 192, 256); Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface
Pro 2, and Surface Pro w/ Windows 10 November 2015
CFB8 (e/d; 128, 192, 256); Update; Windows 10 Mobile for Microsoft Lumia 950 and
Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub
84” and Surface Hub 55” RSA32 Algorithm Implementations
#3630
Version 10.0.10586
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 Microsoft Windows 10 November 2015 Update; Microsoft
(e/d; 128, 192, 256); Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface
CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, Pro 2, and Surface Pro w/ Windows 10 November 2015
256) Update; Windows 10 Mobile for Microsoft Lumia 950 and
Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub
CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 84” and Surface Hub 55” SymCrypt Cryptographic
2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): Implementations #3629
7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16) Version 10.0.10586
CMAC (Generation/Verification) (KS: 128; Block
Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag
Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial;
Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max:
16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0
Max: 2^16; Tag Len(s) Min: 0 Max: 16)
GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104
96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104
96)
(KS: AES_256(e/d) Tag Length(s): 128 120 112 104
96)vIV Generated: (Externally); PT Lengths Tested: (0,
1024, 8, 1016); Additional authenticated data lengths
tested: (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96
bit IV supported
GMAC supported
XTS((KS: XTS_128 ((e/d) (f)) KS: XTS_256 ((e/d) (f))
KW (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, Microsoft Windows 10 Anniversary Update, Windows Server
192, 320, 2048) 2016, Windows Storage Server 2016; Microsoft Surface
AES validation number 3497 Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/
Windows 10 Anniversary Update; Microsoft Lumia 950 and
Lumia 650 w/ Windows 10 Mobile Anniversary Update
Cryptography Next Generation (CNG) Implementations
#3507
Version 10.0.10240
CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Microsoft Windows 10, Microsoft Surface Pro 3 with
Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): Windows 10, Microsoft Surface 3 with Windows 10,
16) Microsoft Surface Pro 2 with Windows 10, Microsoft Surface
AES validation number 3497 Pro with Windows 10 BitLocker® Cryptographic
Implementations #3498
Version 10.0.10240
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 Microsoft Windows 10, Microsoft Surface Pro 3 with
(e/d; 128, 192, 256); Windows 10, Microsoft Surface 3 with Windows 10,
CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface
256) Pro with Windows 10 SymCrypt Cryptographic
Implementations #3497
CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, Version 10.0.10240
2^16) (Payload Length Range: 0 - 32 (Nonce Length(s):
7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
CMAC(Generation/Verification) (KS: 128; Block
Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag
Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial;
Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max:
16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0
Max: 2^16; Tag Len(s) Min: 0 Max: 16)
GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104
96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104
96)
(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
IV Generated: (Externally); PT Lengths Tested: (0,
1024, 8, 1016); Additional authenticated data lengths
tested: (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96
bit IV supported
GMAC supported
XTS((KS: XTS_128 ((e/d)(f)) KS: XTS_256 ((e/d)(f))
ECB (e/d; 128, 192, 256); Microsoft Windows 10, Microsoft Surface Pro 3 with
CBC (e/d; 128, 192, 256); Windows 10, Microsoft Surface 3 with Windows 10,
Microsoft Surface Pro 2 with Windows 10, Microsoft Surface
CFB8 (e/d; 128, 192, 256); Pro with Windows 10 RSA32 Algorithm Implementations
#3476
Version 10.0.10240
ECB (e/d; 128, 192, 256); Microsoft Windows 8.1, Microsoft Windows Server 2012 R2,
CBC (e/d; 128, 192, 256); Microsoft Windows Storage Server 2012 R2, Microsoft
Windows RT 8.1, Microsoft Surface with Windows RT 8.1,
CFB8 (e/d; 128, 192, 256); Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2,
Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft
Windows Phone 8.1, Microsoft Windows Embedded 8.1
Industry RSA32 Algorithm Implementations #2853
Version 6.3.9600
CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) Microsoft Windows 8.1, Microsoft Windows Server 2012 R2,
(Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Microsoft Windows Storage Server 2012 R2, Microsoft
Length(s): 16) Windows RT 8.1, Microsoft Surface with Windows RT 8.1,
AES validation number 2832 Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2,
Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft
Windows Phone 8.1, Microsoft Windows Embedded 8.1
Industry, and Microsoft StorSimple 8100 BitLocker
Cryptographic Implementations #2848
Version 6.3.9600
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, Windows Storage Server 2012 R2, Microsoft Windows RT
2^16) (Payload Length Range: 0 - 0 (Nonce Length(s): 7 8 9 8.1, Microsoft Surface with Windows RT 8.1, Microsoft
10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16) Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft
CMAC (Generation/Verification) (KS: 128 ; Block Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows
Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and
Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Microsoft StorSimple 8100 SymCrypt Cryptographic
Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: Implementations #2832
16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Version 6.3.9600
Max: 2^16; Tag Len(s) Min: 0 Max: 16)
GCM (KS: AES_128 (e/d) Tag Length(s): 128 120 112
104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112
104 96)
(KS: AES_256 (e/d) Tag Length(s): 128 120 112 104 96)
IV Generated: (Externally); PT Lengths Tested: (0, 128,
1024, 8, 1016); Additional authenticated data lengths
tested: (0, 128, 1024, 8, 1016); IV Lengths Tested: (8,
1024); 96 bit IV supported;
OtherIVLen_Suppor ted
GMAC suppor ted
CCM (KS: 128, 192, 256 ) (Assoc. Data Len Range : 0- Windows 8, Windows RT, Windows Server 2012, Surface
0, 2^16) (Payload Length Range : 0 - 32 (Nonce Windows RT, Surface Windows 8 Pro, and Windows Phone 8
Length(s) : 7 8 9 10 11 12 13 (Tag Length(s) : 4 6 8 10 12 Cryptography Next Generation (CNG) Implementations
14 16) #2216
AES validation number 2197
CMAC (Generation/Verification) (KS: 128; Block Size(s);
Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16
Max: 16) (KS: 192 ; Block Size(s); Msg Len(s) Min: 0
Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 256 ;
Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag
Len(s) Min: 16 Max: 16)
AES validation number 2197
GCM(KS: AES_128 (e/d) Tag Length(s): 128 120 112
104 96) (KS: AES_192 (e/d) Tag Length(s): 128 120 112
104 96)
(KS: AES_256 (e/d) Tag Length(s): 128 120 112 104 96)
IV Generated: (Externally); PT Lengths Tested: (0,
128, 1024, 8, 1016); Additional authenticated data
lengths tested: (0, 128, 1024, 8, 1016); IV Lengths
Tested: (8, 1024); 96 bit IV suppor ted
GMAC suppor ted
CCM (KS: 256) (Assoc. Data Len Range: 0 - 0, 2^16 ) Windows 8, Windows RT, Windows Server 2012, Surface
(Payload Length Range: 0 - 32 (Nonce Length(s) : 12 Windows RT, Surface Windows 8 Pro, and Windows Phone 8
(Tag Length(s) : 16) BitLocker® Cryptographic Implementations #2198
AES validation number 2196
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
ECB (e/d; 128, 192, 256); Windows 8, Windows RT, Windows Server 2012, Surface
CBC (e/d; 128, 192, 256); Windows RT, Surface Windows 8 Pro, and Windows Phone 8
Next Generation Symmetric Cryptographic Algorithms
CFB8 (e/d; 128, 192, 256); Implementations (SYMCRYPT) #2197
CFB128 (e/d; 128, 192, 256);
CTR (int only; 128, 192, 256)
ECB (e/d; 128, 192, 256); Windows 8, Windows RT, Windows Server 2012, Surface
CBC (e/d; 128, 192, 256); Windows RT, Surface Windows 8 Pro, and Windows Phone 8
Symmetric Algorithm Implementations (RSA32) #2196
CFB8 (e/d; 128, 192, 256);
CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 Windows Server 2008 R2 and SP1 CNG algorithms #1187
– 0, 2^16 ) (Payload Length Range: 0 - 32 (Nonce Windows 7 Ultimate and SP1 CNG algorithms #1178
Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10
12 14 16 )
AES validation number 1168
CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8 ) Windows 7 Ultimate and SP1 and Windows Server 2008 R2
(Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 and SP1 BitLocker Algorithm Implementations #1177
12 13 (Tag Length(s): 4 6 8 14 16 )
AES validation number 1168
ECB (e/d; 128, 192, 256); Windows 7 and SP1 and Windows Server 2008 R2 and SP1
CBC (e/d; 128, 192, 256); Symmetric Algorithm Implementation #1168
CFB8 (e/d; 128, 192, 256);
GCM Windows 7 and SP1 and Windows Server 2008 R2 and SP1
GMAC Symmetric Algorithm Implementation #1168, vendor-
affirmed
CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8 ) Windows Vista Ultimate SP1 and Windows Server 2008
(Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 BitLocker Algorithm Implementations #760
12 13 (Tag Length(s): 4 6 8 14 16 )
CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 Windows Server 2008 CNG algorithms #757
- 0, 2^16 ) (Payload Length Range: 1 - 32 (Nonce Windows Vista Ultimate SP1 CNG algorithms #756
Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12
14 16**)**
CBC (e/d; 128, 256); Windows Vista Ultimate BitLocker Drive Encryption #715
CCM (KS: 128, 256 ) (Assoc. Data Len Range : 0 - 8) Windows Vista Ultimate BitLocker Drive Encryption
(Payload Length Range : 4 - 32 (Nonce Length(s) : 7 #424
8 12 13 (Tag Length(s) : 4 6 8 14 16)
ECB (e/d; 128, 192, 256); Windows Vista Ultimate SP1 and Windows Server 2008
CBC (e/d; 128, 192, 256); Symmetric Algorithm Implementation #739
Windows Vista Symmetric Algorithm Implementation
CFB8 (e/d; 128, 192, 256); #553
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
ECB (e/d; 128, 192, 256); Windows Embedded Compact 7 Cryptographic Primitives
CBC (e/d; 128, 192, 256); Library (bcrypt.dll) #2023
CTR (int only; 128, 192, 256)
ECB (e/d; 128, 192, 256); Windows Embedded Compact 7 Enhanced Cryptographic
CBC (e/d; 128, 192, 256); Provider (RSAENH) #2024
Windows Server 2003 SP2 Enhanced Cryptographic
Provider (RSAENH) #818
Windows XP Professional SP3 Enhanced Cryptographic
Provider (RSAENH) #781
Windows 2003 SP2 Enhanced Cryptographic Provider
(RSAENH) #548
Windows CE 6.0 and Windows CE 6.0 R2 and Windows
Mobile Enhanced Cryptographic Provider (RSAENH)
#516
Windows CE and Windows Mobile 6, 6.1, and 6.5
Enhanced Cryptographic Provider (RSAENH) #507
Windows Server 2003 SP1 Enhanced Cryptographic
Provider (RSAENH) #290
Windows CE 5.0 and 5.1 Enhanced Cryptographic
Provider (RSAENH) #224
Windows Server 2003 Enhanced Cryptographic Provider
(RSAENH) #80
Windows XP, SP1, and SP2 Enhanced Cryptographic
Provider (RSAENH) #33
CTR_DRBG: [Prediction Resistance Tested: Not Enabled; Windows 10 Creators Update (version 1703) Pro, Enterprise,
BlockCipher_No_df: (AES-256) Education Virtual TPM Implementations #1556
(AES validation number 4627)] Version 10.0.15063
CTR_DRBG: [Prediction Resistance Tested: Not Enabled; Windows 10 Creators Update (version 1703) Home, Pro,
BlockCipher_Use_df: (AES-256 (AES validation number Enterprise, Education, Windows 10 S, Windows 10 Mobile
4624)] SymCrypt Cryptographic Implementations #1555
Version 10.0.15063
CTR_DRBG :[Prediction Resistance Tested: Not Enabled; Windows Embedded Compact Enhanced Cryptographic
BlockCipher_No_df: (AES-256) (AES validation number Provider (RSAENH) #1433
4434)] Version 7.00.2872
CTR_DRBG :[Prediction Resistance Tested: Not Enabled; Windows Embedded Compact Enhanced Cryptographic
BlockCipher_No_df: (AES-256) (AES validation number Provider (RSAENH) #1432
4433)] Version 8.00.6246
CTR_DRBG :[Prediction Resistance Tested: Not Enabled; Windows Embedded Compact Cryptographic Primitives
BlockCipher_No_df: (AES-256) (AES validation number Library (bcrypt.dll) #1430
4431)] Version 7.00.2872
CTR_DRBG :[Prediction Resistance Tested: Not Enabled; Windows Embedded Compact Cryptographic Primitives
BlockCipher_No_df: (AES-256) (AES validation number Library (bcrypt.dll) #1429
4430)] Version 8.00.6246
CTR_DRBG: [Prediction Resistance Tested: Not Enabled; Microsoft Windows 10 Anniversary Update, Windows Server
BlockCipher_No_df: (AES-256) (AES validation number 2016, Windows Storage Server 2016; Microsoft Surface
4074)] Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10
Anniversary Update Virtual TPM Implementations #1222
Version 10.0.14393
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
CTR_DRBG: [Prediction Resistance Tested: Not Enabled; Microsoft Windows 10 Anniversary Update, Windows Server
BlockCipher_Use_df: (AES-256) (AES validation number 2016, Windows Storage Server 2016; Microsoft Surface
4064)] Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/
Windows 10 Anniversary Update; Microsoft Lumia 950 and
Lumia 650 w/ Windows 10 Mobile Anniversary Update
SymCrypt Cryptographic Implementations #1217
Version 10.0.14393
CTR_DRBG: [Prediction Resistance Tested: Not Enabled; Microsoft Windows 10 November 2015 Update; Microsoft
BlockCipher_Use_df: (AES-256) (AES validation number Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface
3629)] Pro 2, and Surface Pro w/ Windows 10 November 2015
Update; Windows 10 Mobile for Microsoft Lumia 950 and
Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub
and Surface Hub SymCrypt Cryptographic Implementations
#955
Version 10.0.10586
CTR_DRBG: [Prediction Resistance Tested: Not Enabled; Microsoft Windows 10, Microsoft Surface Pro 3 with
BlockCipher_Use_df: (AES-256) (AES validation number Windows 10, Microsoft Surface 3 with Windows 10,
3497)] Microsoft Surface Pro 2 with Windows 10, Microsoft Surface
Pro with Windows 10 SymCrypt Cryptographic
Implementations #868
Version 10.0.10240
CTR_DRBG: [Prediction Resistance Tested: Not Enabled; Windows Storage Server 2012 R2, Microsoft Windows RT
BlockCipher_Use_df: (AES-256) (AES validation number 8.1, Microsoft Surface with Windows RT 8.1, Microsoft
2832)] Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft
Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows
Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and
Microsoft StorSimple 8100 SymCrypt Cryptographic
Implementations #489
Version 6.3.9600
CTR_DRBG :[Prediction Resistance Tested: Not Enabled; Windows 8, Windows RT, Windows Server 2012, Surface
BlockCipher_Use_df: (AES-256) (AES validation number Windows RT, Surface Windows 8 Pro, and Windows Phone 8
2197)] Next Generation Symmetric Cryptographic Algorithms
Implementations (SYMCRYPT) #258
CTR_DRBG :[Prediction Resistance Tested: Not Enabled; Windows Embedded Compact 7 Cryptographic Primitives
BlockCipher_No_df: (AES-256) (AES validation number Library (bcrypt.dll) #193
2023)]
CTR_DRBG :[Prediction Resistance Tested: Not Enabled; Windows 7 Ultimate and SP1 and Windows Server 2008 R2
BlockCipher_No_df: (AES-256) (AES validation number and SP1 RNG Library #23
1168)]
FIPS186-2: PRIME; Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-
FIPS186-2: Hellman Cryptographic Provider #17
**KEYGEN(Y):**SHS: SHA-1 (BYTE)
SIG(gen):SIG(ver) MOD(1024);
SHS: SHA-1 (BYTE)
FIPS186-2: Windows 8,
PKG: CURVES(P-256 P-384 P-521) Windows RT, Windows Server 2012, Surface Windows
SHS: #1903 RT, Surface Windows 8 Pro, and Windows Phone 8
Cryptography Next Generation (CNG) Implementations
DRBG : #258 #341
SIG(ver): CURVES(P-256 P-384 P-521)
SHS: #1903
DRBG : #258
FIPS186-4:
PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384)
P-521: (SHA-512)
SigVer : CURVES(P-256: (SHA-256) P-384: (SHA-384)
P-521: (SHA-512))
SHS: #1903
DRBG : #258
Some of the previously validated components for this
validation have been removed because they're now non-
compliant per the SP800-131A transition. See Historical
ECDSA List validation number 341.
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Windows 10 Creators Update (version 1703) Pro, Enterprise,
validation number 3790 Education Virtual TPM Implementations #3062
Version 10.0.15063
HMAC-SHA256 (Key Size Ranges Tested: KSBS)
SHS validation number 3790
HMAC-SHA384 (Key Size Ranges Tested: KSBS)
SHS validation number 3790
HMAC-SHA1(Key Sizes Ranges Tested: KSBS) SHS Windows 10 Creators Update (version 1703) Home, Pro,
validation number 3790 Enterprise, Education, Windows 10 S, Windows 10 Mobile
SymCrypt Cryptographic Implementations #3061
HMAC-SHA256 (Key Size Ranges Tested: KSBS) Version 10.0.15063
SHS validation number 3790
HMAC-SHA384 (Key Size Ranges Tested: KSBS)
SHS validation number 3790
HMAC-SHA512 (Key Size Ranges Tested: KSBS)
SHS validation number 3790
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Windows Embedded Compact Enhanced Cryptographic
validation number 3652 Provider (RSAENH) #2946
Version 7.00.2872
HMAC-SHA256 (Key Size Ranges Tested: KSBS)
SHS validation number 3652
HMAC-SHA384 (Key Size Ranges Tested: KSBS)
SHS validation number 3652
HMAC-SHA512 (Key Size Ranges Tested: KSBS)
SHSvalidation number 3652
M O DES / STAT ES /
K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Windows Embedded Compact Enhanced Cryptographic
validation number 3651 Provider (RSAENH) #2945
Version 8.00.6246
HMAC-SHA256 (Key Size Ranges Tested: KSBS)
SHS validation number 3651
HMAC-SHA384 (Key Size Ranges Tested: KSBS)
SHS validation number 3651
HMAC-SHA512 (Key Size Ranges Tested: KSBS)
SHSvalidation number 3651
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Windows Embedded Compact Cryptographic Primitives
validation number 3649 Library (bcrypt.dll) #2943
Version 7.00.2872
HMAC-SHA256 (Key Size Ranges Tested: KSBS)
SHS validation number 3649
HMAC-SHA384 (Key Size Ranges Tested: KSBS)
SHS validation number 3649
HMAC-SHA512 (Key Size Ranges Tested: KSBS)
SHSvalidation number 3649
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Windows Embedded Compact Cryptographic Primitives
validation number 3648 Library (bcrypt.dll) #2942
Version 8.00.6246
HMAC-SHA256 (Key Size Ranges Tested: KSBS)
SHS validation number 3648
HMAC-SHA384 (Key Size Ranges Tested: KSBS)
SHS validation number 3648
HMAC-SHA512 (Key Size Ranges Tested: KSBS)
SHSvalidation number 3648
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) Microsoft Windows 10 Anniversary Update, Windows Server
2016, Windows Storage Server 2016; Microsoft Surface
SHS validation number 3347 Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10
HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Anniversary Update Virtual TPM Implementations #2661
validation number 3347 Version 10.0.14393
HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS
validation number 3347
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Microsoft Windows 10 Anniversary Update, Windows Server
validation number 3347 2016, Windows Storage Server 2016; Microsoft Surface
Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/
HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Windows 10 Anniversary Update; Microsoft Lumia 950 and
validation number 3347 Lumia 650 w/ Windows 10 Mobile Anniversary Update
HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS SymCrypt Cryptographic Implementations #2651
validation number 3347 Version 10.0.14393
HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS
validation number 3347
M O DES / STAT ES /
K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) Microsoft Windows 10 November 2015 Update; Microsoft
SHS validation number 3047 Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface
Pro 2, and Surface Pro w/ Windows 10 November 2015
HMAC-SHA256 (Key Size Ranges Tested: KSBS) Update; Windows 10 Mobile for Microsoft Lumia 950 and
SHS validation number 3047 Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub
HMAC-SHA384 (Key Size Ranges Tested: KSBS) 84” and Surface Hub 55” SymCrypt Cryptographic
SHS validation number 3047 Implementations #2381
Version 10.0.10586
HMAC-SHA512 (Key Size Ranges Tested: KSBS)
SHS validation number 3047
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) Microsoft Windows 10, Microsoft Surface Pro 3 with
SHSvalidation number 2886 Windows 10, Microsoft Surface 3 with Windows 10,
Microsoft Surface Pro 2 with Windows 10, Microsoft Surface
HMAC-SHA256 (Key Size Ranges Tested: KSBS) Pro with Windows 10 SymCrypt Cryptographic
SHSvalidation number 2886 Implementations #2233
HMAC-SHA384 (Key Size Ranges Tested: KSBS) Version 10.0.10240
SHSvalidation number 2886
HMAC-SHA512 (Key Size Ranges Tested: KSBS)
SHSvalidation number 2886
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) Windows Storage Server 2012 R2, Microsoft Windows RT
SHS validation number 2373 8.1, Microsoft Surface with Windows RT 8.1, Microsoft
Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft
HMAC-SHA256 (Key Size Ranges Tested: KSBS) Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows
SHS validation number 2373 Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and
HMAC-SHA384 (Key Size Ranges Tested: KSBS) Microsoft StorSimple 8100 SymCrypt Cryptographic
SHS validation number 2373 Implementations #1773
Version 6.3.9600
HMAC-SHA512 (Key Size Ranges Tested: KSBS)
SHS validation number 2373
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Windows CE and Windows Mobile, and Windows Embedded
validation number 2764 Handheld Enhanced Cryptographic Provider (RSAENH)
#2122
HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Version 5.2.29344
validation number 2764
HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS
validation number 2764
HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS
validation number 2764
HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902 Windows 8, Windows RT, Windows Server 2012, Surface
Windows RT, Surface Windows 8 Pro, and Windows Phone 8
HMAC-SHA256 (Key Size Ranges Tested: KS#1902 BitLocker® Cryptographic Implementations #1347
M O DES / STAT ES /
K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) Windows 8, Windows RT, Windows Server 2012, Surface
SHS#1902 Windows RT, Surface Windows 8 Pro, and Windows Phone 8
Enhanced Cryptographic Provider (RSAENH) #1346
HMAC-SHA256 (Key Size Ranges Tested: KSBS)
SHS#1902
HMAC-SHA384 (Key Size Ranges Tested: KSBS)
SHS#1902
HMAC-SHA512 (Key Size Ranges Tested: KSBS)
SHS#1902
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) Windows 8, Windows RT, Windows Server 2012, Surface
SHS#1903 Windows RT, Surface Windows 8 Pro, and Windows Phone 8
Next Generation Symmetric Cryptographic Algorithms
HMAC-SHA256 (Key Size Ranges Tested: KSBS) Implementations (SYMCRYPT) #1345
SHS#1903
HMAC-SHA384 (Key Size Ranges Tested: KSBS)
SHS#1903
HMAC-SHA512 (Key Size Ranges Tested: KSBS)
SHS#1903
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) Windows Embedded Compact 7 Cryptographic Primitives
SHS validation number 1773 Library (bcrypt.dll), #1364
HMAC-SHA256 (Key Size Ranges Tested: KSBS)
SHS validation number 1773
Tinker HMAC-SHA384 (Key Size Ranges Tested:
KSBS) SHS validation number 1773
HMAC-SHA512 (Key Size Ranges Tested: KSBS)
SHS validation number 1773
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) Windows Embedded Compact 7 Enhanced Cryptographic
SHS validation number 1774 Provider (RSAENH) #1227
HMAC-SHA256 (Key Size Ranges Tested: KSBS)
SHS validation number 1774
HMAC-SHA384 (Key Size Ranges Tested: KSBS)
SHS validation number 1774
HMAC-SHA512 (Key Size Ranges Tested: KSBS)
SHS validation number 1774
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) Windows Server 2008 R2 and SP1 CNG algorithms #686
SHS validation number 1081 Windows 7 and SP1 CNG algorithms #677
HMAC-SHA256 (Key Size Ranges Tested: KSBS) Windows Server 2008 R2 Enhanced Cryptographic
SHS validation number 1081 Provider (RSAENH) #687
HMAC-SHA384 (Key Size Ranges Tested: KSBS) Windows 7 Enhanced Cryptographic Provider (RSAENH)
SHS validation number 1081 #673
HMAC-SHA512 (Key Size Ranges Tested: KSBS)
SHS validation number 1081
M O DES / STAT ES /
K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
HMAC-SHA1(Key Sizes Ranges Tested: Windows 7 and SP1 and Windows Server 2008 R2 and SP1
KSvalidation number 1081 BitLocker Algorithm Implementations #675
HMAC-SHA256 (Key Size Ranges Tested:
KSvalidation number 1081
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) Windows Server 2003 SP2 Enhanced Cryptographic Provider
SHS validation number 816 (RSAENH) #452
HMAC-SHA256 (Key Size Ranges Tested: KSBS)
SHS validation number 816
HMAC-SHA384 (Key Size Ranges Tested: KSBS)
SHS validation number 816
HMAC-SHA512 (Key Size Ranges Tested: KSBS)
SHS validation number 816
HMAC-SHA1 (Key Sizes Ranges Tested: Windows Vista Ultimate SP1 and Windows Server 2008
KSvalidation number 753 BitLocker Algorithm Implementations #415
HMAC-SHA256 (Key Size Ranges Tested:
KSvalidation number 753
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) Windows Server 2008 Enhanced Cryptographic Provider
SHS validation number 753 (RSAENH) #408
Windows Vista Enhanced Cryptographic Provider
HMAC-SHA256 (Key Size Ranges Tested: KSBS) (RSAENH) #407
SHS validation number 753
HMAC-SHA384 (Key Size Ranges Tested: KSBS)
SHS validation number 753
HMAC-SHA512 (Key Size Ranges Tested: KSBS)
SHS validation number 753
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)SHS Windows Vista Enhanced Cryptographic Provider (RSAENH)
validation number 618 #297
HMAC-SHA256 (Key Size Ranges Tested: KSBS)
SHS validation number 618
HMAC-SHA384 (Key Size Ranges Tested: KSBS)
SHS validation number 618
HMAC-SHA512 (Key Size Ranges Tested: KSBS)
SHS validation number 618
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) Windows XP Professional SP3 Kernel Mode Cryptographic
SHS validation number 785 Module (fips.sys) #429
Windows XP, vendor-affirmed
M O DES / STAT ES /
K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) Windows XP Professional SP3 Enhanced Cryptographic
SHS validation number 783 Provider (RSAENH) #428
HMAC-SHA256 (Key Size Ranges Tested: KSBS)
SHS validation number 783
HMAC-SHA384 (Key Size Ranges Tested: KSBS)
SHS validation number 783
HMAC-SHA512 (Key Size Ranges Tested: KSBS)
SHS validation number 783
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) Windows Server 2003 SP2 Enhanced Cryptographic Provider
SHS validation number 613 (RSAENH) #289
HMAC-SHA256 (Key Size Ranges Tested: KSBS)
SHS validation number 613
HMAC-SHA384 (Key Size Ranges Tested: KSBS)
SHS validation number 613
HMAC-SHA512 (Key Size Ranges Tested: KSBS)
SHS validation number 613
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) Windows Server 2003 SP2 Kernel Mode Cryptographic
SHS validation number 610 Module (fips.sys) #287
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) Windows Server 2008 CNG algorithms #413
SHS validation number 753 Windows Vista Ultimate SP1 CNG algorithms #412
HMAC-SHA256 (Key Size Ranges Tested: KSBS)
SHS validation number 753
HMAC-SHA384 (Key Size Ranges Tested: KSBS)
SHS validation number 753
HMAC-SHA512 (Key Size Ranges Tested: KSBS)
SHS validation number 753
HMAC-SHA1 (Key Sizes Ranges Tested: Windows Vista Ultimate BitLocker Drive Encryption #386
KSvalidation number 737
HMAC-SHA256 (Key Size Ranges Tested:
KSvalidation number 737
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) Windows Vista CNG algorithms #298
SHS validation number 618
HMAC-SHA256 (Key Size Ranges Tested: KSBS)
SHS validation number 618
HMAC-SHA384 (Key Size Ranges Tested: KSBS)
SHS validation number 618
HMAC-SHA512 (Key Size Ranges Tested: KSBS)
SHS validation number 618
M O DES / STAT ES /
K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) Windows CE 6.0 and Windows CE 6.0 R2 and Windows
SHS validation number 589 Mobile Enhanced Cryptographic Provider (RSAENH) #267
HMAC-SHA256 (Key Size Ranges Tested:
KSBS)SHS validation number 589
HMAC-SHA384 (Key Size Ranges Tested: KSBS)
SHS validation number 589
HMAC-SHA512 (Key Size Ranges Tested: KSBS)
SHS validation number 589
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) Windows CE and Windows Mobile 6.0 and Windows Mobil
SHS validation number 578 6.5 Enhanced Cryptographic Provider (RSAENH) #260
HMAC-SHA256 (Key Size Ranges Tested: KSBS)
SHS validation number 578
HMAC-SHA384 (Key Size Ranges Tested: KSBS)
SHS validation number 578
HMAC-SHA512 (Key Size Ranges Tested: KSBS)
SHS validation number 578
HMAC-SHA1 (Key Sizes Ranges Tested: Windows Vista BitLocker Drive Encryption #199
KSvalidation number 495
HMAC-SHA256 (Key Size Ranges Tested:
KSvalidation number 495
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) Windows Server 2003 SP1 Enhanced Cryptographic Provider
SHS validation number 364 (RSAENH) #99
Windows XP, vendor-affirmed
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) Windows CE 5.00 and Windows CE 5.01 Enhanced
SHS validation number 305 Cryptographic Provider (RSAENH) #31
HMAC-SHA256 (Key Size Ranges Tested: KSBS)
SHS validation number 305
HMAC-SHA384 (Key Size Ranges Tested: KSBS)
SHS validation number 305
HMAC-SHA512 (Key Size Ranges Tested: KSBS)
SHS validation number 305
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG Windows 10 Creators Update (version 1703) Pro, Enterprise,
DPV KPG Full Validation Key Regeneration) SCHEMES Education Virtual TPM Implementations #128
[FullUnified (EC: P-256 SHA256 HMAC) (ED: P-384 Version 10.0.15063
SHA384 HMAC)]
SHS validation number 3790
DSA validation number 1135
DRBG validation number 1556
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG Windows 10 Creators Update (version 1703) Home, Pro,
DPV KPG Partial Validation) Enterprise, Education, Windows 10 S, Windows 10 Mobile
SCHEMES [dhEphem (KARole(s): Initiator / Responder) SymCrypt Cryptographic Implementations #127
(FB: SHA256) (FC: SHA256)] Version 10.0.15063
[dhOneFlow (FB: SHA256) (FC: SHA256)]
[dhStatic (No_KC < KARole(s): Initiator / Responder>)
(FB: SHA256 HMAC) (FC: SHA256 HMAC)]
SHS validation number 3790
DSA validation number 1223
DRBG validation number 1555ECC: (FUNCTIONS
INCLUDED IN IMPLEMENTATION: DPG DPV KPG
Partial Validation) SCHEMES [EphemeralUnified
(No_KC < KARole(s): Initiator / Responder>) (EC: P-256
SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE:
P-521 HMAC (SHA512, HMAC_SHA512)))]
[OnePassDH (No_KC < KARole(s): Initiator /
Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384
SHA384 HMAC) (EE: P-521 HMAC (SHA512,
HMAC_SHA512))]
[StaticUnified (No_KC < KARole(s): Initiator /
Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384
SHA384 HMAC) (EE: P-521 HMAC (SHA512,
HMAC_SHA512))]
SHS validation number 3790
ECDSA validation number 1133DRBG validation number
1555
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG Windows Embedded Compact Cryptographic Primitives
DPV KPG Partial Validation) Library (bcrypt.dll) #115
SCHEMES [dhEphem (KARole(s): Initiator / Responder) Version 7.00.2872
(FB: SHA256) (FC: SHA256)]
[dhOneFlow (KARole(s): Initiator / Responder) (FB:
SHA256) (FC: SHA256)] [dhStatic (No_KC < KARole(s):
Initiator / Responder>) (FB: SHA256 HMAC) (FC:
SHA256 HMAC)]
SHS validation number 3649
DSA validation number 1188
DRBG validation number 1430
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION:
DPG DPV KPG Partial Validation Key Regeneration)
SCHEMES [EphemeralUnified (No_KC < KARole(s):
Initiator / Responder>) (EC: P-256 SHA256 HMAC)
(ED: P-384 SHA384 HMAC) (EE: P-521 HMAC
(SHA512, HMAC_SHA512)))]
[OnePassDH (No_KC < KARole(s): Initiator /
Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384
SHA384 HMAC) (EE: P-521 HMAC (SHA512,
HMAC_SHA512))]
[StaticUnified (No_KC < KARole(s): Initiator /
Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384
SHA384 HMAC) (EE: P-521 HMAC (SHA512,
HMAC_SHA512))]
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG Windows Embedded Compact Cryptographic Primitives
DPV KPG Partial Validation) Library (bcrypt.dll) #114
SCHEMES [dhEphem (KARole(s): Initiator / Responder) Version 8.00.6246
(FB: SHA256) (FC: SHA256)]
[dhHybridOneFlow (No_KC < KARole(s): Initiator /
Responder>) (**FB:**SHA256 HMAC) (FC: SHA256
HMAC)]
[dhStatic (No_KC < KARole(s): Initiator / Responder>)
(**FB:**SHA256 HMAC) (FC: SHA256 HMAC)]
SHS validation number 3648
DSA validation number 1187
DRBG validation number 1429
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION:
DPG DPV KPG Partial Validation Key Regeneration)
SCHEMES [EphemeralUnified (No_KC ) (EC: P-256
SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-
521 HMAC (SHA512, HMAC_SHA512)))]
[OnePassDH (No_KC < KARole(s): Initiator /
Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384
SHA384 HMAC) (EE: P-521 HMAC (SHA512,
HMAC_SHA512))]
[StaticUnified (No_KC < KARole(s): Initiator /
Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384
SHA384 HMAC) (EE: P-521 HMAC (SHA512,
HMAC_SHA512))]
SHS validation number 3648
ECDSA validation number 1072
DRBG validation number 1429
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG Microsoft Windows 10 Anniversary Update, Windows Server
DPV KPG Full Validation Key Regeneration) 2016, Windows Storage Server 2016; Microsoft Surface
SCHEMES [FullUnified (No_KC < KARole(s): Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10
Initiator / Responder > < KDF: CONCAT >) (EC: P-256 Anniversary Update Virtual TPM Implementations #93
SHA256 HMAC) (ED: P-384 SHA384 HMAC)] Version 10.0.14393
SHS validation number 3347 ECDSA validation number
920 DRBG validation number 1222
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG Microsoft Windows 10 Anniversary Update, Windows Server
DPV KPG Partial Validation) 2016, Windows Storage Server 2016; Microsoft Surface
SCHEMES [dhEphem (KARole(s): Initiator / Responder) Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/
(FB: SHA256) (FC: SHA256)] Windows 10 Anniversary Update; Microsoft Lumia 950 and
Lumia 650 w/ Windows 10 Mobile Anniversary Update
[dhOneFlow (KARole(s): Initiator / Responder) (FB: Cryptography Next Generation (CNG) Implementations #92
SHA256) (FC: SHA256)] [dhStatic (No_KC < Version 10.0.14393
KARole(s): Initiator / Responder >) (FB: SHA256 HMAC)
(FC: SHA256 HMAC)]
SHS validation number 3347 DSA validation number
1098 DRBG validation number 1217
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION:
DPG DPV KPG Partial Validation Key Regeneration)
SCHEMES [EphemeralUnified (No_KC < KARole(s):
Initiator / Responder >) (EC: P-256 SHA256 HMAC)
(ED: P-384 SHA384 HMAC) (EE: P-521 HMAC
(SHA512, HMAC_SHA512)))]
[OnePassDH (No_KC < KARole(s): Initiator / Responder
>) (EC: P-256 SHA256 HMAC) (ED: P-384
SHA384 HMAC) (EE: P-521 HMAC (SHA512,
HMAC_SHA512))]
[StaticUnified (No_KC < KARole(s): Initiator / Responder
>) (EC: P-256 SHA256 HMAC) (ED: P-384
SHA384 HMAC) (EE: P-521 HMAC (SHA512,
HMAC_SHA512))]
SHS validation number 3347 DSA validation number
1098 ECDSA validation number 911 DRBG validation
number 1217 HMAC validation number 2651
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG Microsoft Windows 10 November 2015 Update; Microsoft
DPV KPG Partial Validation) SCHEMES [dhEphem Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface
(KARole(s): Initiator / Responder)(FB: SHA256) (FC: SHA256)] Pro 2, and Surface Pro w/ Windows 10 November 2015
[dhOneFlow (KARole(s): Initiator / Responder) (FB: Update; Windows 10 Mobile for Microsoft Lumia 950 and
SHA256) (FC: SHA256)] [dhStatic (No_KC < KARole(s): Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub
Initiator / Responder >) (FB: SHA256 HMAC) (FC: and Surface Hub Cryptography Next Generation (CNG)
SHA256 HMAC)] Implementations #72
Version 10.0.10586
SHS validation number 3047 DSA validation number
1024 DRBG validation number 955
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION:
DPG DPV KPG Partial Validation Key Regeneration)
SCHEMES [EphemeralUnified (No_KC < KARole(s):
Initiator / Responder >) (EC: P-256 SHA256 HMAC)
(ED: P-384 SHA384 HMAC) (EE: P-521 HMAC
(SHA512, HMAC_SHA512)))]
[OnePassDH (No_KC < KARole(s): Initiator / Responder
>) (EC: P-256 SHA256 HMAC) (ED: P-384
SHA384 HMAC) (EE: P-521 HMAC (SHA512,
HMAC_SHA512))]
[StaticUnified (No_KC < KARole(s): Initiator / Responder
>) (EC: P-256 SHA256 HMAC) (ED: P-384
SHA384 HMAC) (EE: P-521 HMAC (SHA512,
HMAC_SHA512))]
SHS validation number 3047 ECDSA validation number
760 DRBG validation number 955
FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG Microsoft Windows 10, Microsoft Surface Pro 3 with
DPV KPG Partial Validation) SCHEMES [dhEphem Windows 10, Microsoft Surface 3 with Windows 10,
(KARole(s): Initiator / Responder)(FB: SHA256) (FC: SHA256)] Microsoft Surface Pro 2 with Windows 10, Microsoft Surface
[dhOneFlow (KARole(s): Initiator / Responder) (FB: Pro with Windows 10 Cryptography Next Generation (CNG)
SHA256) (FC: SHA256)] [dhStatic (No_KC < KARole(s): Implementations #64
Initiator / Responder >) (FB: SHA256 HMAC) (FC: Version 10.0.10240
SHA256 HMAC)]
SHS validation number 2886 DSA validation number
983 DRBG validation number 868
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION:
DPG DPV KPG Partial Validation Key Regeneration)
SCHEMES [EphemeralUnified (No_KC < KARole(s):
Initiator / Responder >) (EC: P-256 SHA256 HMAC)
(ED: P-384 SHA384 HMAC) (EE: P-521 HMAC
(SHA512, HMAC_SHA512)))]
[OnePassDH (No_KC < KARole(s): Initiator / Responder
>) (EC: P-256 SHA256 HMAC) (ED: P-384
SHA384 HMAC) (EE: P-521 HMAC (SHA512,
HMAC_SHA512))]
[StaticUnified (No_KC < KARole(s): Initiator / Responder
>) (EC: P-256 SHA256 HMAC) (ED: P-384
SHA384 HMAC) (EE: P-521 HMAC (SHA512,
HMAC_SHA512))]
SHS validation number 2886 ECDSA validation number
706 DRBG validation number 868
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG Windows Storage Server 2012 R2, Microsoft Windows RT
DPV KPG Partial Validation) SCHEMES [dhEphem 8.1, Microsoft Surface with Windows RT 8.1, Microsoft
(KARole(s): Initiator / Responder)(FB: SHA256) (FC: SHA256)] Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft
[dhOneFlow (KARole(s): Initiator / Responder) (FB: Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows
SHA256) (FC: SHA256)] [dhStatic (No_KC < KARole(s): Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and
Initiator / Responder >) (FB: SHA256 HMAC) (FC: Microsoft StorSimple 8100 Cryptography Next Generation
SHA256 HMAC)] Cryptographic Implementations #47
Version 6.3.9600
SHS validation number 2373 DSA validation number
855 DRBG validation number 489
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION:
DPG DPV KPG Partial Validation Key Regeneration)
SCHEMES [EphemeralUnified (No_KC < KARole(s):
Initiator / Responder >) (EC: P-256 SHA256 HMAC)
(ED: P-384 SHA384 HMAC) (EE: P-521 HMAC
(SHA512, HMAC_SHA512)))]
[OnePassDH (No_KC < KARole(s): Initiator / Responder
>) (EC: P-256 SHA256 HMAC) (ED: P-384
SHA384 HMAC) (EE: P-521 HMAC (SHA512,
HMAC_SHA512))]
[StaticUnified (No_KC < KARole(s): Initiator / Responder
>) (EC: P-256 SHA256 HMAC) (ED: P-384
SHA384 HMAC) (EE: P-521 HMAC (SHA512,
HMAC_SHA512))]
SHS validation number 2373 ECDSA validation number
505 DRBG validation number 489
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
FFC : (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG Windows 8, Windows RT, Windows Server 2012, Surface
DPV KPG Partial Validation) SCHEMES [dhEphem (KARole(s): Windows RT, Surface Windows 8 Pro, and Windows Phone 8
Initiator / Responder) Cryptography Next Generation (CNG) Implementations #36
(FA : SHA256) (FB : SHA256) (FC : SHA256)]
[dhOneFlow (KARole(s): Initiator / Responder) (FA :
SHA256) (FB : SHA256) (FC : SHA256)]
[dhStatic (No_KC < KARole(s): Initiator / Responder>)
(FA : SHA256 HMAC) (FB : SHA256 HMAC) (FC : SHA256
HMAC)]
SHS #1903 DSA validation number 687 DRBG #258
ECC : (FUNCTIONS INCLUDED IN IMPLEMENTATION:
DPG DPV KPG Partial Validation Key Regeneration)
SCHEMES
[EphemeralUnified (No_KC < KARole(s): Initiator /
Responder>) (EC: P-256 SHA256 HMAC) (ED : P-384
SHA384 HMAC) (EE : P-521 HMAC (SHA512,
HMAC_SHA512)))]
[OnePassDH(No_KC < KARole(s): Initiator /
Responder>) (EC : P-256 SHA256) (ED : P-384 SHA384)
(EE : P-521 (SHA512, HMAC_SHA512)))]
[StaticUnified (No_KC < KARole(s): Initiator /
Responder>) (EC : P-256 SHA256 HMAC) (ED : P-384
SHA384 HMAC) (EE : P-521 HMAC (SHA512,
HMAC_SHA512))]
SHS #1903
ECDSA validation number 341 DRBG #258
CTR_Mode: (Llength(Min0 Max0) Windows 10 Creators Update (version 1703) Pro, Enterprise,
MACSupported([HMACSHA1] [HMACSHA256] Education Virtual TPM Implementations #141
[HMACSHA384]) LocationCounter([BeforeFixedData]) Version 10.0.15063
rlength([32]))
KAS validation number 128
DRBG validation number 1556
MAC validation number 3062
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
CTR_Mode: (Llength(Min20 Max64) Windows 10 Creators Update (version 1703) Home, Pro,
MACSupported([CMACAES128] [CMACAES192] Enterprise, Education, Windows 10 S, Windows 10 Mobile
[CMACAES256] [HMACSHA1] [HMACSHA256] Cryptography Next Generation (CNG) Implementations
[HMACSHA384] [HMACSHA512]) #140
LocationCounter([BeforeFixedData]) rlength([32])) Version 10.0.15063
KAS validation number 127
AES validation number 4624
DRBG validation number 1555
MAC validation number 3061
CTR_Mode: (Llength(Min20 Max64) Microsoft Windows 10, Microsoft Surface Pro 3 with
MACSupported([CMACAES128] [CMACAES192] Windows 10, Microsoft Surface 3 with Windows 10,
[CMACAES256] [HMACSHA1] [HMACSHA256] Microsoft Surface Pro 2 with Windows 10, Microsoft Surface
[HMACSHA384] [HMACSHA512]) Pro with Windows 10 Cryptography Next Generation (CNG)
LocationCounter([BeforeFixedData]) rlength([32])) Implementations #66
KAS validation number 64 AES validation number 3497 Version 10.0.10240
RBG validation number 868 MAC validation number
2233
CTR_Mode: (Llength(Min0 Max0) Windows Storage Server 2012 R2, Microsoft Windows RT
MACSupported([HMACSHA1] [HMACSHA256] 8.1, Microsoft Surface with Windows RT 8.1, Microsoft
[HMACSHA512]) LocationCounter([BeforeFixedData]) Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft
rlength([32])) Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows
DRBG validation number 489 MAC validation number Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and
1773 Microsoft StorSimple 8100 Cryptography Next Generation
Cryptographic Implementations #30
Version 6.3.9600
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
CTR_Mode : (Llength(Min0 Max4) Windows 8, Windows RT, Windows Server 2012, Surface
MACSupported([HMACSHA1] [HMACSHA256] Windows RT, Surface Windows 8 Pro, and Windows Phone 8
[HMACSHA512]) LocationCounter([BeforeFixedData]) Cryptography Next Generation (CNG) Implementations #3
rlength([32]))
DRBG #258 HMAC validation number 1345
FIPS 186-2 General Purpose Windows 8, Windows RT, Windows Server 2012, Surface
[(x-Original); (SHA-1)] Windows RT, Surface Windows 8 Pro, and Windows Phone 8
Cryptography Next Generation (CNG) Implementations
#1110
FIPS 186-2 Windows 7 and SP1 and Windows Server 2008 R2 and SP1
[(x-Change Notice); (SHA-1)] ; FIPS 186-2 General RNG Library #649
Purpose Windows Vista Ultimate SP1 and Windows Server 2008
[(x-Change Notice); (SHA-1)] RNG Implementation #435
Windows Vista RNG implementation #321
FIPS 186-2 General Purpose Windows Server 2003 SP2 Enhanced Cryptographic Provider
[(x-Change Notice); (SHA-1)] (RSAENH) #470
Windows XP Professional SP3 Kernel Mode
Cryptographic Module (fips.sys) #449
Windows XP Professional SP3 Enhanced Cryptographic
Provider (RSAENH) #447
Windows Server 2003 SP2 Enhanced Cryptographic
Provider (RSAENH) #316
Windows Server 2003 SP2 Kernel Mode Cryptographic
Module (fips.sys) #313
RSA
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
FIPS186-2: Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key
ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 Generation Implementation #559
PubKey Values: 65537 DRBG: validation number 23
Some of the previously validated components for this
validation have been removed because they're now non-
compliant per the SP800-131A transition. See Historical
RSA List validation number 559.
FIPS186-2: Windows Vista SP1 and Windows Server 2008 RSA Key
ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 Generation Implementation #353
PubKey Values: 65537
Some of the previously validated components for this
validation have been removed because they're now non-
compliant per the SP800-131A transition. See Historical
RSA List validation number 353.
SHA-1 (BYTE-only) Microsoft Windows 8.1, Microsoft Windows Server 2012 R2,
SHA-256 (BYTE-only) Microsoft Windows Storage Server 2012 R2, Microsoft
SHA-384 (BYTE-only) Windows RT 8.1, Microsoft Surface with Windows RT 8.1,
SHA-512 (BYTE-only) Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2,
Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft
Windows Phone 8.1, Microsoft Windows Embedded 8.1
Industry RSA32 Algorithm Implementations #2396
Version 6.3.9600
SHA-1 (BYTE-only) Windows 7 and SP1 and Windows Server 2008 R2 and SP1
SHA-256 (BYTE-only) Symmetric Algorithm Implementation #1081
SHA-384 (BYTE-only) Windows Server 2003 SP2 Enhanced Cryptographic
SHA-512 (BYTE-only) Provider (RSAENH) #816
SHA-1 (BYTE-only) Windows Vista SP1 and Windows Server 2008 Symmetric
SHA-256 (BYTE-only) Algorithm Implementation #753
SHA-384 (BYTE-only) Windows Vista Symmetric Algorithm Implementation
SHA-512 (BYTE-only) #618
SHA-1 (BYTE-only) Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman
Cryptographic Provider #611
Windows Server 2003 SP2 Kernel Mode Cryptographic
Module (fips.sys) #610
Windows Server 2003 SP1 Enhanced DSS and Diffie-
Hellman Cryptographic Provider (DSSENH) #385
Windows Server 2003 SP1 Kernel Mode Cryptographic
Module (fips.sys) #371
Windows Server 2003 Enhanced DSS and Diffie-Hellman
Cryptographic Provider (DSSENH) #181
Windows Server 2003 Kernel Mode Cryptographic
Module (fips.sys) #177
Windows Server 2003 Enhanced Cryptographic Provider
(RSAENH) #176
Triple DES
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
TECB (KO 1 e/d); TCBC (KO 1 e/d); TCFB8 (KO 1 e/d); Windows 10 Creators Update (version 1703) Home, Pro,
TCFB64 (KO 1 e/d) Enterprise, Education, Windows 10 S, Windows 10 Mobile
SymCrypt Cryptographic Implementations #2459
Version 10.0.15063
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
TECB (KO 1 e/d);TCBC (KO 1 e/d) Windows Embedded Compact Enhanced Cryptographic
Provider (RSAENH) #2384
Version 8.00.6246
TECB (KO 1 e/d);TCBC (KO 1 e/d) Windows Embedded Compact Enhanced Cryptographic
Provider (RSAENH) #2383
Version 8.00.6246
TECB (KO 1 e/d);TCBC (KO 1 e/d);CTR (int only) Windows Embedded Compact Cryptographic Primitives
Library (bcrypt.dll) #2382
Version 7.00.2872
TECB (KO 1 e/d);TCBC (KO 1 e/d) Windows Embedded Compact Cryptographic Primitives
Library (bcrypt.dll) #2381
Version 8.00.6246
TECB (KO 1 e/d);TCBC (KO 1 e/d);TCFB8 (KO 1 Microsoft Windows 10 Anniversary Update, Windows Server
e/d);TCFB64 (KO 1 e/d) 2016, Windows Storage Server 2016; Microsoft Surface
Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/
Windows 10 Anniversary Update; Microsoft Lumia 950 and
Lumia 650 w/ Windows 10 Mobile Anniversary Update
SymCrypt Cryptographic Implementations #2227
Version 10.0.14393
TECB (KO 1 e/d);TCBC (KO 1 e/d);TCFB8 (KO 1 Microsoft Windows 10 November 2015 Update; Microsoft
e/d);TCFB64 (KO 1 e/d) Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface
Pro 2, and Surface Pro w/ Windows 10 November 2015
Update; Windows 10 Mobile for Microsoft Lumia 950 and
Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub
and Surface Hub SymCrypt Cryptographic Implementations
#2024
Version 10.0.10586
TECB (KO 1 e/d);TCBC (KO 1 e/d);TCFB8 (KO 1 Microsoft Windows 10, Microsoft Surface Pro 3 with
e/d);TCFB64 (KO 1 e/d) Windows 10, Microsoft Surface 3 with Windows 10,
Microsoft Surface Pro 2 with Windows 10, Microsoft Surface
Pro with Windows 10 SymCrypt Cryptographic
Implementations #1969
Version 10.0.10240
TECB (KO 1 e/d);TCBC (KO 1 e/d);TCFB8 (KO 1 Windows Storage Server 2012 R2, Microsoft Windows RT
e/d);TCFB64 (KO 1 e/d) 8.1, Microsoft Surface with Windows RT 8.1, Microsoft
Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft
Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows
Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and
Microsoft StorSimple 8100 SymCrypt Cryptographic
Implementations #1692
Version 6.3.9600
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
TECB (e/d; KO 1, 2);TCBC (e/d; KO 1, 2);TCFB8 (e/d; KO 1, Windows 8, Windows RT, Windows Server 2012, Surface
2);TCFB64 (e/d; KO 1, 2) Windows RT, Surface Windows 8 Pro, and Windows Phone 8
Next Generation Symmetric Cryptographic Algorithms
Implementations (SYMCRYPT) #1387
TECB (e/d; KO 1, 2);TCBC (e/d; KO 1, 2);TCFB8 (e/d; KO 1, 2) Windows 8, Windows RT, Windows Server 2012, Surface
Windows RT, Surface Windows 8 Pro, and Windows Phone 8
Symmetric Algorithm Implementations (RSA32) #1386
TECB (e/d; KO 1, 2);TCBC (e/d; KO 1, 2);TCFB8 (e/d; KO 1, 2) Windows 7 and SP1 and Windows Server 2008 R2 and SP1
Symmetric Algorithm Implementation #846
TECB (e/d; KO 1, 2);TCBC (e/d; KO 1, 2);TCFB8 (e/d; KO 1, 2) Windows Vista SP1 and Windows Server 2008 Symmetric
Algorithm Implementation #656
TECB (e/d; KO 1, 2);TCBC (e/d; KO 1, 2);TCFB8 (e/d; KO 1, 2) Windows Vista Symmetric Algorithm Implementation #549
Triple DES MAC Windows 8, Windows RT, Windows Server 2012, Surface
Windows RT, Surface Windows 8 Pro, and Windows Phone 8
#1386, vendor-affirmedWindows 7 and SP1 and Windows
Server 2008 R2 and SP1 #846, vendor-affirmed
M O DES / STAT ES / K EY SIZ ES A L GO RIT H M IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
ECDSA SigGen: Microsoft Windows 8.1, Microsoft Windows Server 2012 R2,
Microsoft Windows Storage Server 2012 R2, Microsoft
P-256 SHA: SHA-256 Windows RT 8.1, Microsoft Surface with Windows RT 8.1,
P-384 SHA: SHA-384 Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2,
P-521 SHA: SHA-512 Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft
Prerequisite: DRBG #489 Windows Phone 8.1, Microsoft Windows Embedded 8.1
Industry, and Microsoft StorSimple 8100 MsBignum
Cryptographic Implementations #1540
Version 6.3.9600
FIPS186-4 RSA; PKCS#1 v2.1 Windows 10 Creators Update (version 1703) Pro, Enterprise,
RSASP1 Signature Primitive Education Virtual TPM Implementations #1285
Version 10.0.15063
RSASP1: (Mod2048: PKCS1.5 PKCSPSS)
Windows 10 Creators Update (version 1703) Home, Pro,
Enterprise, Education, Windows 10 S, Windows 10
Mobile MsBignum Cryptographic Implementations
#1282
Version 10.0.15063
Windows 10 Creators Update (version 1703) Home, Pro,
Enterprise, Education, Windows 10 S, Windows 10
Mobile SymCrypt Cryptographic Implementations
#1280
Version 10.0.15063
Microsoft Windows 10 Anniversary Update, Windows
Server 2016, Windows Storage Server 2016; Microsoft
Surface Book, Surface Pro 4, and Surface Pro 3 w/
Windows 10 Anniversary Update Virtual TPM
Implementations #893
Version 10.0.14393
Microsoft Windows 10 Anniversary Update, Windows
Server 2016, Windows Storage Server 2016; Microsoft
Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3
w/ Windows 10 Anniversary Update; Microsoft Lumia
950 and Lumia 650 w/ Windows 10 Mobile Anniversary
Update MsBignum Cryptographic Implementations
#888
Version 10.0.14393
Microsoft Windows 10 November 2015 Update;
Microsoft Surface Book, Surface Pro 4, Surface Pro 3,
Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10
November 2015 Update; Windows 10 Mobile for
Microsoft Lumia 950 and Microsoft Lumia 635;
Windows 10 for Microsoft Surface Hub 84” and Surface
Hub 55” MsBignum Cryptographic Implementations
#665
Version 10.0.10586
Microsoft Windows 10, Microsoft Surface Pro 3 with
Windows 10, Microsoft Surface 3 with Windows 10,
Microsoft Surface Pro 2 with Windows 10, Microsoft
Surface Pro with Windows 10 MsBignum Cryptographic
Implementations #572
Version 10.0.10240
Microsoft Windows 8.1, Microsoft Windows Server 2012
R2, Microsoft Windows Storage Server 2012 R2,
Microsoft Windows RT 8.1, Microsoft Surface with
Windows RT 8.1, Microsoft Surface Pro with Windows
8.1, Microsoft Surface 2, Microsoft Surface Pro 2,
Microsoft Surface Pro 3, Microsoft Windows Phone 8.1,
Microsoft Windows Embedded 8.1 Industry MsBignum
Cryptographic Implementations #289
Version 6.3.9600
P UB L IC AT IO N / C O M P O N EN T VA L IDAT ED / DESC RIP T IO N IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
FIPS186-4 RSA; RSADP Windows 10 Creators Update (version 1703) Home, Pro,
RSADP Primitive Enterprise, Education, Windows 10 S, Windows 10 Mobile
MsBignum Cryptographic Implementations #1283
RSADP: (Mod2048) Version 10.0.15063
Windows 10 Creators Update (version 1703) Home, Pro,
Enterprise, Education, Windows 10 S, Windows 10
Mobile SymCrypt Cryptographic Implementations
#1281
Version 10.0.15063
Microsoft Windows 10 Anniversary Update, Windows
Server 2016, Windows Storage Server 2016; Microsoft
Surface Book, Surface Pro 4, and Surface Pro 3 w/
Windows 10 Anniversary Update Virtual TPM
Implementations #895
Version 10.0.14393
Microsoft Windows 10 Anniversary Update, Windows
Server 2016, Windows Storage Server 2016; Microsoft
Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3
w/ Windows 10 Anniversary Update; Microsoft Lumia
950 and Lumia 650 w/ Windows 10 Mobile Anniversary
Update Cryptography Next Generation (CNG)
Implementations #887
Version 10.0.14393
Microsoft Windows 10 November 2015 Update;
Microsoft Surface Book, Surface Pro 4, Surface Pro 3,
Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10
November 2015 Update; Windows 10 Mobile for
Microsoft Lumia 950 and Microsoft Lumia 635;
Windows 10 for Microsoft Surface Hub 84” and Surface
Hub 55” Cryptography Next Generation (CNG)
Implementations #663
Version 10.0.10586
Microsoft Windows 10, Microsoft Surface Pro 3 with
Windows 10, Microsoft Surface 3 with Windows 10,
Microsoft Surface Pro 2 with Windows 10, Microsoft
Surface Pro with Windows 10 Cryptography Next
Generation (CNG) Implementations #576
Version 10.0.10240
P UB L IC AT IO N / C O M P O N EN T VA L IDAT ED / DESC RIP T IO N IM P L EM EN TAT IO N A N D C ERT IF IC AT E #
Contact
[email protected]
References
FIPS 140-2, Security Requirements for Cryptographic Modules)
Cryptographic Module Validation Program (CMVP) FAQ
SP 800-57 - Recommendation for Key Management – Part 1: General (Revised)
SP 800-131A - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key
Lengths
Common Criteria Certifications
3/3/2022 • 6 minutes to read • Edit Online
Microsoft is committed to optimizing the security of its products and services. As part of that commitment,
Microsoft supports the Common Criteria certification program, ensures that products incorporate the features
and functions required by relevant Common Criteria Protection Profiles, and completes Common Criteria
certifications of Microsoft Windows products. This topic lists the current and archived certified Windows
products, together with relevant documentation from each certification.
Certified Products
The product releases below are currently certified against the cited Protection Profile, as listed on the Common
Criteria Portal. The Security Target describes the product edition(s) in scope, the security functionality in the
product, and the assurance measures from the Protection Profile used as part of the evaluation. The
Administrative Guide provides guidance on configuring the product to match the evaluated configuration. The
Certification Report or Validation Report documents the results of the evaluation by the validation team, with
the Assurance Activity Report providing details on the evaluator's actions.
Microsoft Windows 10, Windows Server version 2004 (May 2020 Update ); Microsoft Windows Server Core
Datacenter (Azure Frabic Controller); Microsoft Windows Server Core Datacenter (Azure Stack)
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package
for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients.
Security Target
Administrative Guide
Validation Report
Assurance Activity Report
Microsoft Windows Server, Windows 10 version 1909 (November 2019 Update ), Microsoft Windows Server
2019 (version 1809) Hyper-V
Certified against the Protection Profile for Virtualization, including the Extended Package for Server
Virtualization.
Security Target
Administrative Guide
Validation Report
Assurance Activities Report
Microsoft Windows 10 and Windows Server (November 2019 Update, version 1909)
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package
for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients.
Security Target
Administrative Guide
Certification Report
Assurance Activity Report
Microsoft Windows 10 and Windows Server (May 2019 Update, version 1903)
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package
for Wireless Local Area Network Clients.
Security Target
Administrative Guide
Certification Report
Assurance Activity Report
Microsoft Windows 10 and Windows Server (October 2018 Update, version 1809)
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package
for Wireless Local Area Network Clients.
Security Target
Administrative Guide
Certification Report
Assurance Activity Report
Microsoft Windows 10 and Windows Server (April 2018 Update, version 1803)
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package
for Wireless Local Area Network Clients.
Security Target
Administrative Guide
Certification Report
Assurance Activity Report
Microsoft Windows 10 and Windows Server (Fall Creators Update, version 1709)
Certified against the Protection Profile for General Purpose Operating Systems.
Security Target
Administrative Guide
Certification Report
Assurance Activity Report
Microsoft Windows 10 (Creators Update, version 1703)
Certified against the Protection Profile for General Purpose Operating Systems.
Security Target
Administrative Guide
Certification Report
Assurance Activity Report
Microsoft Windows 10 (Anniversary Update, version 1607) and Windows Server 2016
Certified against the Protection Profile for General Purpose Operating Systems.
Security Target
Administrative Guide
Validation Report
Assurance Activity Report
Microsoft Windows 10 (version 1507) and Windows Server 2012 R2
Certified against the Protection Profile for General Purpose Operating Systems.
Security Target
Administrative Guide
Certification Report
Assurance Activity Report