2018 Microsoft Confidential. All rights reserved.

Operational and Administrative Guidance
Microsoft Windows 10 and Windows Server
Common Criteria Evaluation for Microsoft Windows 10 and Windows Server Version 1803
General Purpose Operating System Protection Profile

Microsoft Windows 10 GPOS Administrative Guidance
Copyright and disclaimer

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs-NonCommercial V License (which allows redistribution of the work). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd-nc/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

2018 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Visual Basic, Visual Studio, Windows, the Windows logo, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
1 Contents

1 Contents
2 Change history
3 Introduction
  3.1 What's new
  3.2 How this guide is organized
  3.3 Links to other resources
  3.4 Security Target document
  3.5 Guidance specific to user roles
  3.6 Mobile device management
  3.7 Approaches for configuring Windows policies
    3.7.1 Setting policies with mobile device management (MDM)
    3.7.2 Setting policies with Group Policy Objects (GPO)
    3.7.3 Setting policies with PowerShell scripts
4 Evaluated editions and platforms
5 Evaluated configuration
  5.1 Installing the operating system
  5.2 Operational prerequisites
    5.2.1 Trusted platforms
    5.2.2 Device administration
    5.2.3 Security updates
    5.2.4 Mode of operation
    5.2.5 FIPS 140 cryptography mode
    5.2.6 Additional cryptography configuration
    5.2.7 Device access
6 Managing evaluated features
  6.1 Managing cryptography
  6.2 Managing X.509 certificates
    6.2.1 Client certificates and Certificate Authorities
    6.2.2 Root certificates
    6.2.3 Certificate name comparison
    6.2.4 Certificate validation
  6.3 Managing Transport Layer Security (TLS)
    6.3.1 Available cipher suites
    6.3.2 Available TLS-EAP cipher suites
    6.3.3 Configuring with MDM
    6.3.4 Configuring with group policy
    6.3.5 Configuring with PowerShell
    6.3.6 Generating X.509 certificates with templates
    6.3.7 Managing signature algorithms with the Windows registry
    6.3.8 Choosing TLS in a web browser
  6.4 Managing network connections
    6.4.1 Enabling or disabling network connections with the Windows UI
    6.4.2 Enabling or disabling network connections with PowerShell
    6.4.3 Configuring Wi-Fi access with MDM
    6.4.4 Configuring Wi-Fi access with the Windows user interface
    6.4.5 Configuring allowed Wi-Fi networks with MDM
    6.4.6 Configuring allowed Wi-Fi networks with Group Policy
    6.4.7 Selecting a secure Wi-Fi connection with the Windows UI
    6.4.8 Configuring a Wi-Fi connection profile with the Windows UI
  6.5 Managing personal hotspots
    6.5.1 Configuring with MDM
    6.5.2 Configuring with group policy
    6.5.3 Configuring with the Windows user interface
  6.6 Managing Bluetooth
    6.6.1 Configuring Bluetooth adapters with MDM
    6.6.2 Enabling or disabling Bluetooth adapters with the Windows UI
    6.6.3 Enabling or disabling Bluetooth adapters with PowerShell
  6.7 Managing passwords and password policy
    6.7.1 Configuring with MDM
    6.7.2 Configuring with group policy
    6.7.3 Configuring with net accounts utility
  6.8 Managing smart card logon
  6.9 Managing Windows Hello
    6.9.1 Configuring biometric authentication with the Windows UI
    6.9.2 Configuring PIN authentication with group policy
    6.9.3 Configuring PIN authentication with the Windows UI
  6.10 Managing screen lock and session timeout
    6.10.1 Configuring with MDM
    6.10.2 Configuring with group policy
    6.10.3 Configuring with the Windows registry
    6.10.4 Configuring with the Windows user interface
  6.11 Managing the logon banner
    6.11.1 Configuring with MDM
    6.11.2 Configuring with group policy
    6.11.3 Configuring with the Windows registry
  6.12 Managing USB
    6.12.1 Configuring with the Windows UI
    6.12.2 Configuring with PowerShell
    6.12.3 Configuring with the Windows registry
  6.13 Managing updates
    6.13.1 Configuring using MDM
    6.13.2 Configuring using group policy
    6.13.3 Configuring using the Server Configuration tool
    6.13.4 Checking for OS updates using the Windows UI
    6.13.5 Installing Windows updates via the command line
    6.13.6 Checking for Windows Store application updates
  6.14 Managing the firewall
    6.14.1 Configuring with PowerShell
  6.15 Managing domains
    6.15.1 Configuring with PowerShell
  6.16 Managing date and time
    6.16.1 Configuring with PowerShell
    6.16.2 Configuring the Windows Time Service
  6.17 Managing remote administration
    6.17.1 Configuring with MDM
    6.17.2 Configuring with group policy
    6.17.3 Configuring with PowerShell
  6.18 Managing Software Restriction Policies (SRP)
    6.18.1 Configuring with Software Restriction Policies
    6.18.2 Configuring with AppLocker
  6.19 Managing hibernation
    6.19.1 Configuring with the Powercfg utility
  6.20 Managing health attestation
    6.20.1 Configuring with MDM
    6.20.2 Helper utility for health attestation logs
  6.21 Managing audit policy
    6.21.1 Scope of logging and auditing settings
    6.21.2 Setting audit policy with Auditpol, Secpol, and Wevtutil
  6.22 Developing Applications
7 Audit events
  7.1 Audit events – GPOS protection profile
  7.2 Audit events – WLAN client extended package
  7.3 Events mapped to log details

2 Change history

Version 1.0, March 20, 2018: Administrative Guide for Windows 10 and Windows Server Fall Creators Update (1709)
Version 2.0, October 11, 2018: Administrative Guide for Windows 10 and Windows Server April 2018 Update (1803)

3 Introduction

This administrative guide provides information for Windows 10 April 2018 Update and Windows Server version 1803, as required by the Common Criteria General Purpose Operating System (GPOS) protection profile.
All Windows 10 and Windows Server editions may be referred to collectively as "Windows" where appropriate.

The goals of this administrative guide are to enable an IT professional to configure Windows and its operational environment to match the configuration under which the product was evaluated and to manage the Windows features in the scope of evaluation. The audience of this document is an IT Administrator familiar with current administrative practices for Windows 10 and Windows Server. IT Administrators must follow the guidance in this document to ensure a device matches the evaluated configuration.
3.1 What's new

The following list provides a summary of the substantive changes since the last evaluation of Windows 10 and Windows Server against the Common Criteria GPOS protection profile:
- The administrative guide has been re-authored with a new template, simplified formatting, and additional contextual information.
- The scope of certification has grown to include the WLAN Client Extended Package and the administrative guide has been updated to match.
3.2 How this guide is organized

The sections in this administrative guide group information together categorically as follows:
- Section 3, Introduction, provides an overview of the guide, explains conventions in the document, and includes general guidance that the subsequent sections may refer back to.
- Section 4, Evaluated editions and platforms, identifies the specific editions of Windows 10 and Windows Server that were evaluated and the set of hardware platforms the evaluation was performed on.
- Section 5, Evaluated configuration, covers deployment of the product and the set of operational prerequisites and configuration choices that must be followed to match the evaluated Windows configuration.
- Section 6, Managing evaluated features, covers management of the Windows features in the scope of evaluation. This includes guidance on relevant feature configuration choices and approaches to implementing them, organized by feature area.
- Section 7, Audit events, provides detailed information on the audit events relevant to the evaluated configuration that are available in Windows logs. This information enables administrators to perform security monitoring and forensics.
3.3 Links to other resources

This document provides many external links to TechNet and other Microsoft resources for additional information or detailed instructions.

Note: Some external links may have originally been authored for earlier versions of Windows, e.g. Windows 8.x. In all cases, the information also applies to the evaluated version.
3.4 Security Target document

The Common Criteria evaluation requires a Security Target document that outlines the evaluation scope, which this guide may refer to. The correct matching Security Target for this administrative guide is the Windows 10 and Windows Server version 1803 GPOS Security Target and is available on the following sites:
- Microsoft publishes all Common Criteria evaluation documentation at https://msdn.microsoft.com/en-us/library/dd229319.aspx.
- The worldwide Common Criteria Recognition Arrangement portal provides Security Targets for all certified products at https://www.commoncriteriaportal.org/products/.
3.5 Guidance specific to user roles

This administrative guide identifies what user role guidance is targeted at. The evaluated configuration includes three Windows user roles:
- IT Administrator – a remote administrator using Mobile Device Management (MDM) or Group Policy Objects (GPO) to administer Windows.
- Local Administrator – a user account that is a member of the local Administrators group.
- Standard User – a user account that is not a member of the local Administrators group.

Where appropriate, this administrative guide provides different configuration instructions for each user role. In the introduction of each section that provides specific guidance, a summary table like the following identifies which role the guidance is targeted at:

Role: IT Administrator, Local Administrator, Standard User

Access to user-accessible functions is controlled by the rights and privileges assigned to these user roles. No additional measures are needed to control access to the user-accessible functions in a secure processing environment. Attempts to access user-accessible functions that require local administrator rights or privileges are denied for the user role.

The following articles describe local accounts in Windows and how to make a standard user account a member of the local Administrators group:
- Local accounts: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts
- Add a member to a local group: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772524(v%3dws.11)

3.6 Mobile device management

Role: IT Administrator
Windows Editions: Home, Pro, Enterprise

The evaluation was performed both with devices enrolled in mobile device management (MDM) and with devices not enrolled in MDM. Where appropriate, this administrative guide provides configuration instructions specific to the management function for IT Administrators using MDM to administer devices. This guide will refer to specific Configuration Service Providers (CSPs) that enable MDM to affect a given management function.

Note: MDM may be used to administer devices running Windows 10 Home Edition, but not all CSPs can affect management functions on Windows 10 Home Edition. For each CSP referenced, this guide will identify which Windows editions it is available on. MDM may not be used to administer Windows Server editions.

The following articles provide general information on using MDM to administer Windows:
- Introducing MDM for administering Windows 10 and Windows Server devices: https://docs.microsoft.com/en-us/windows/client-management/mdm/
- Enrolling Windows devices for MDM: https://docs.microsoft.com/en-us/windows/client-management/mdm/mdm-enrollment-of-windows-devices

Note: MDM solutions may also have prerequisites for enrollment, for example trusting the MDM certificate. Guidance for MDM prerequisites is out of scope of this documentation. IT Administrators should consult the MDM documentation to make sure that prerequisites are understood and met before enrollment is performed.
3.7 Approaches for configuring Windows policies

Multiple sections of this guide refer to Windows policies. This section outlines different approaches administrators may take to configure and deploy policies. Use the approach that best fits the Windows edition and operational environment.

3.7.1 Setting policies with mobile device management (MDM)

Role: IT Administrator
Windows Editions: Home, Pro, Enterprise

Policies may be configured by the IT Administrator using MDM and the Policy Configuration Service Provider. See the MDM solution documentation for detailed configuration actions. The following article details the Policy CSP and its functions:
- Policy Configuration Service Provider - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider

Note: Some of the Policy CSP functions are not available on Windows 10 Home Edition. The article above provides a compatibility chart for each of the Policy CSP functions.

For a reference on CSPs beyond the Policy CSP, see the following article:
- Configuration Service Provider Reference - https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference
3.7.2 Setting policies with Group Policy Objects (GPO)

Role: IT Administrator, Local Administrator
Windows Editions: Pro, Enterprise, Server Standard, Server Datacenter

Group policy may be used to set Windows policies for domain-joined machines. Policies are configured using the Group Policy Editor (gpedit.msc) or Local Security Policy Editor (secpol.msc).

Note: The policy editing tools are not available on Windows 10 Home Edition. For Windows 10 Home Edition enable policies by other means, e.g. PowerShell commands or the Windows user interface.

Group Policy Editor may also be used to remotely administer policy on a machine by following these steps:
1. Start > Run > mmc
2. File > Add/Remove Snap-in
3. Under the Standalone tab, click Add...
4. Choose Group Policy Object Editor
5. In the following wizard, click the Browse button
6. Click the Computers tab, select the Another Computer radio button, and type the name of the computer or browse to it.
7. Click OK, then Finish, then Close, and finally OK again.
3.7.3 Setting policies with PowerShell scripts

Role: IT Administrator, Local Administrator
Windows Editions: All

Group policies may also be set with PowerShell scripts. The following article provides an overview of the PowerShell cmdlets available to do this: https://docs.microsoft.com/en-us/powershell/module/grouppolicy/?view=win10-ps

Here is an example PowerShell script to enable the FIPS cryptography mode, which is one of the operational prerequisites for the evaluated configuration. To enable this policy, run the PowerShell script on the target machine.

Enable "System cryptography: Use FIPS 140…":

    Set-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fipsAlgorithmPolicy -Name Enabled -Value "1"

4 Evaluated editions and platforms

This administrative guide applies to the following Windows operating system (OS) editions, each of which was tested as part of the evaluated configuration:
- Microsoft Windows 10 Home Edition version 1803 (April 2018 Update)
- Microsoft Windows 10 Pro Edition version 1803 (April 2018 Update)
- Microsoft Windows 10 Enterprise Edition version 1803 (April 2018 Update)
- Microsoft Windows Server Standard Core, version 1803
- Microsoft Windows Server Datacenter Core, version 1803

In the introduction of each section that provides specific guidance, a summary table like the following identifies which Windows editions the guidance applies to:

Windows Editions: Home, Pro, Enterprise, Server Standard, Server Datacenter

The Common Criteria evaluation was performed on the following real and virtualized hardware platforms:
- Microsoft Surface Book 2
- Microsoft Surface Pro LTE
- Microsoft Surface Laptop
- Microsoft Surface Go
- Dell Latitude 5290
- Dell Latitude 12 Rugged Tablet
- Dell PowerEdge R740 [1] (representing the 14th generation of PowerEdge servers)
- Microsoft Windows Server Hyper-V
- Microsoft Windows Server 2016 Hyper-V

5 Evaluated configuration

This section provides guidance on deploying the operating system and meeting the prerequisites for operating Windows 10 and Windows Server in the evaluated configuration. To operate the system in a secure state, administrators must utilize the guidance in this section and in subsequent sections, where applicable to the local environment, to administer devices.
5.1 Installing the operating system

The operating system may be pre-installed on the devices in the evaluated configuration. When the device is turned on for the first time the Out of Box Experience (OOBE) runs to complete the initial configuration.

The operating system may also be installed from installation media. The method for creating or obtaining installation media depends on the Windows edition. For all editions except Enterprise, the following topic includes procedures to download installation media as an ISO file for installation, create bootable media using the ISO file, and install the operating system: https://www.microsoft.com/en-us/software-download/windows10

For Windows 10 Enterprise edition, installation media must be obtained through Volume Licensing.

[1] The Dell PowerEdge R440, R540, R640, R740XD, T440, T640, R940, R940xa, R840, M640, M640p, FC640, MX740c, MX840c, C6420, C4140, XR2, and Dell Precision 7920 Rack all use the same processor, memory, chipset, and TPM and could be considered equivalent.
5.2 Operational prerequisites

The following operational prerequisites are required to operate Windows 10 and Windows Server in the evaluated configuration.

5.2.1 Trusted platforms

Windows 10 and Windows Server must be installed on trusted hardware platforms to ensure a secure operating state. See section 4, Evaluated editions and platforms, for details on which hardware platforms the evaluation was performed on.

5.2.2 Device administration

Users must use a separate account that is a member of the local Administrators group to perform the procedures in sections of this document tagged with "Local Administrator" or set the device up for IT administration. For Windows 10, IT administration is joining the device to a Windows domain or enrolling the device for mobile device management in order to receive MDM policies. For Windows Server, IT administration is joining the device to a Windows domain in order to receive domain group policy.

5.2.3 Security updates

For this evaluation, Windows 10 and Windows Server were evaluated with all critical updates available as of July 30, 2018 installed. See section 1 of the Security Target for related information. The current list of updates for this version of Windows, including those available as of July 30, 2018, is available at https://support.microsoft.com/en-us/help/4099479/windows-10-update-history.
5.2.4 Mode of operation

Windows 10 and Windows Server have four modes of operation, as listed below. The evaluated configuration for Windows is the Operational Mode.
- Operational Mode – The normal mode of operation when the system has booted. This is the only evaluated mode.
- Debug Mode – The mode where the Windows boot options are configured to enable kernel debugging of the operating system.
- Safe Mode – The mode where Windows boot options are configured to start the operating system in a limited state where only essential programs are loaded.
- Non-Operational Mode – The mode where the system has not booted normally. In this mode the system is not operational and must be reinstalled.
5.2.5 FIPS 140 cryptography mode

To match the evaluated configuration, Windows cryptography must be placed into the FIPS 140 mode. Choosing this mode ensures Windows uses FIPS 140 compliant cryptographic algorithms, including encryption, hashing, and signing.

5.2.5.1 Configuring with MDM

Role: IT Administrator
Windows Editions: Pro, Enterprise

Setting FIPS 140 mode may be configured by an IT Administrator using MDM and the Cryptography function of the Policy CSP. See the MDM solution documentation for detailed management actions. The following article provides information on the Cryptography function of the Policy CSP:
- Policy CSP – Cryptography: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-cryptography

5.2.5.2 Configuring with Group Policy

Role: IT Administrator, Local Administrator
Windows Editions: Pro, Enterprise, Server Standard, Server Datacenter

Setting FIPS 140 mode may be configured using Group Policy. Specifically, enable the following security policy:

Security Policy: Local Policies\Security Options\System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithm
Policy Setting: Enabled

For general information on how to set policies in Windows, see the section, Setting policies with Group Policy Objects (GPO). For additional encryption configuration details beyond this operational prerequisite, see the section, Managing Transport Layer Security (TLS).
5.2.5.3 Configuring with the Windows Registry

Role: Standard User
Windows Editions: Home

To set FIPS mode for Windows Home edition, make the following change to the Windows registry:

Registry Node: HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled
Setting: 1

5.2.6 Additional cryptography configuration

In addition to enabling FIPS 140 mode, the following specific configuration guidance must be followed:
- Cipher suite selection must be configured according to section 6.3, Managing Transport Layer Security (TLS).
- When Windows is configured to use TLS 1.2, SHA1 algorithms should be prioritized at the bottom of the algorithm negotiation list. See section 6.3, Managing Transport Layer Security (TLS), for implementation guidance.
- RSA machine certificates must be configured with templates to use a minimum 2048 bit key length. See section 6.3.6, Generating X.509 certificates with templates, for implementation guidance.
5.2.7 Device access

The following configuration guidance must be followed to ensure device access is secured:
- Complex passwords must be required. See section 6.7, Managing passwords and password policy, for implementation guidance.
- Session locking must be enabled. See section 6.10, Managing screen lock and session timeout, for implementation guidance.
- Hibernation must be disabled. See section 6.19, Managing hibernation, for implementation guidance.
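The following PowerShell script is an added example, not part of the Microsoft guide, that checks the section 5.2 prerequisites which are visible in the registry (FIPS 140 mode from 5.2.5 and 3.7.3, hibernation from 5.2.7, and the Local Administrator token from 5.2.2) and reports them as objects; it assumes Windows PowerShell 5.1, that the HibernateEnabled value under Control\Power reflects what powercfg writes, and hypothetical function names.

```powershell
# Added example: audits the section 5.2 operational prerequisites that can be read
# from the registry. Function names are hypothetical; the FIPS registry path is the
# one the guide uses, the HibernateEnabled value is an assumption about powercfg.

$FipsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$PowerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing, so a missing
    # value is reported as "not configured" rather than aborting the audit.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-LocalAdministrator {
    # Section 5.2.2: procedures tagged "Local Administrator" need a member of the local
    # Administrators group. This inspects the current token, so it is $false in a
    # non-elevated session even when the account is a member of the group.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-GposPrerequisites {
    # One object per prerequisite with the observed value and a Compliant flag.
    $fips  = Get-RegistryDword -Path $FipsKey -Name 'Enabled'
    $hib   = Get-RegistryDword -Path $PowerKey -Name 'HibernateEnabled'
    $admin = Test-LocalAdministrator

    [PSCustomObject]@{
        Check     = 'FIPS 140 mode (5.2.5)'
        Observed  = if ($null -eq $fips) { 'not configured' } else { $fips }
        Compliant = ($fips -eq 1)
    }
    [PSCustomObject]@{
        Check     = 'Hibernation disabled (5.2.7)'
        # HibernateEnabled = 0 is what "powercfg /hibernate off" leaves behind; a
        # missing value is treated as unknown, not as compliant.
        Observed  = if ($null -eq $hib) { 'not configured' } else { $hib }
        Compliant = ($hib -eq 0)
    }
    [PSCustomObject]@{
        Check     = 'Running as Local Administrator (5.2.2)'
        Observed  = $admin
        Compliant = $admin
    }
}

function Enable-FipsMode {
    # Same registry write as the guide's section 3.7.3 example, but refuses to run from
    # a non-elevated session and supports -WhatIf so the change can be reviewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-LocalAdministrator)) {
        throw 'Enable-FipsMode must be run from an elevated Local Administrator session.'
    }
    if ($PSCmdlet.ShouldProcess($FipsKey, 'Set Enabled = 1')) {
        if (-not (Test-Path $FipsKey)) { New-Item -Path $FipsKey -Force | Out-Null }
        Set-ItemProperty -Path $FipsKey -Name Enabled -Value 1 -Type DWord
    }
}

# Report, then exit non-zero on any non-compliant item so the script can gate a
# deployment step.
$results = Test-GposPrerequisites
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

Password complexity and session locking (the other two items in 5.2.7) are set by the policies in sections 6.7 and 6.10 and are not covered by this script.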
6 Managing evaluated features

This section provides management information for the features in scope for the evaluation, including configuration details and options for implementing them. Each subsection groups the information for a single feature or a group of related features.
6.1 Managing cryptography

Cryptography functions in Windows are managed by the Cryptography API: Next Generation (CNG). The notes below call out a list of specific management functions relevant to this Common Criteria evaluation that are handled automatically by CNG. The sections that follow in this Administrative Guide provide complementary information on managing specific cryptography functions within Windows.

Notes:
- Key management, including AES key size, storage, and destruction, is handled automatically by CNG and requires no configuration. Unprotected keys are not stored in non-volatile memory.
- Windows automatically generates asymmetric RSA keys using methods that meet FIPS PUB 186-4 Appendix B.3; no configuration is necessary.
- Windows automatically generates asymmetric ECC keys using methods that meet FIPS PUB 186-4 Appendix B.4; no configuration is necessary.
- Windows automatically implements RSA-based key establishment schemes that meet SP 800-56B; no configuration is necessary.
- Windows automatically implements elliptic curve-based key establishment schemes that meet SP 800-56A; no configuration is necessary.
- Windows automatically generates random bits according to SP 800-90A; no configuration is necessary.
6.2 Managing X.509 certificates

6.2.1 Client certificates and Certificate Authorities

An IT Administrator may specify the list of Certificate Authorities (CAs) from which the device will accept X.509 certificates and WLAN authentication server certificates. The following article provides an overview of certificate management in Windows, including requesting certificates, enrolling, and managing certificate path validation:
- Manage Certificates: http://technet.microsoft.com/en-us/library/cc771377.aspx

The Certutil command-line utility is available to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains. The following article provides more information on Certutil:
- Certutil: http://technet.microsoft.com/library/cc732443.aspx

6.2.1.1 Configuring with MDM

Role: IT Administrator
Windows Editions: Home, Pro, Enterprise

Client certificates may be managed by the IT Administrator using MDM. See the MDM solution documentation for detailed management actions. The following article describes the MDM policy for client certificate management, including deleting certificates:
- ClientCertificateInstall CSP - https://docs.microsoft.com/en-us/windows/client-management/mdm/clientcertificateinstall-csp

6.2.1.2 Configuring with the Windows UI

Role: Standard User
Windows Editions: Home, Pro, Enterprise

The following article describes how to manually import a certificate:
- Import a Certificate: http://technet.microsoft.com/en-us/library/cc754489.aspx

The user obtains a client certificate for authentication by following the procedures in the following article:
- Obtain a Certificate: https://technet.microsoft.com/en-us/library/cc754246.aspx
6.2.2 Root certificates

Windows is preloaded with root certificates for several Certification Authorities (CAs). The following article provides an overview of managing trusted root certificates for a local computer or a domain, including how to add certificates to the store:
- Manage Trusted Root Certificates: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754841(v=ws.11)

6.2.2.1 Configuring with MDM

Role: IT Administrator
Windows Editions: Home, Pro, Enterprise

Certificate trust relationships may be managed by the IT Administrator using MDM. See the MDM solution documentation for detailed management actions. The following article describes the CSP that enables MDM to affect the policy for trusted root certificates:
- RootCATrustedCertificates CSP: https://docs.microsoft.com/en-us/windows/client-management/mdm/rootcacertificates-csp

6.2.2.2 Configuring with group policy

Role: IT Administrator, Local Administrator
Windows Editions: Pro, Enterprise, Server Standard, Server Datacenter

The following TechNet topic also describes how to manage trusted roots with the Group Policy Editor or Local Security Policy Editor:
- Manage Trusted Root Certificates: http://technet.microsoft.com/en-us/library/cc754841.aspx

The following TechNet topic describes how to delete a certificate with the Group Policy Editor or Local Security Policy Editor:
- Delete a Certificate: http://technet.microsoft.com/en-us/library/cc772354.aspx
6.2.2.3 Configuring with PowerShell

Role: Standard User, Local Administrator
Windows Editions: All

PowerShell provides multiple cmdlets to manage certificates, as described below.
- The remove-item PowerShell cmdlet may be used to delete certificates and wipe the private keys associated with the certificate. The following article describes how to use the cmdlet: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-powershell-1.0/ee176938(v=technet.10)
- The import-pfxcertificate PowerShell cmdlet may be used to import a certificate and private key from a PFX file. The following article describes how to use the cmdlet: https://docs.microsoft.com/en-us/powershell/module/pkiclient/import-certificate?view=win10-ps
- The export-pfxcertificate cmdlet may be used to export a certificate and private key to a PFX file. The following article describes how to use the cmdlet: https://docs.microsoft.com/en-us/powershell/module/pkiclient/export-pfxcertificate?view=win10-ps

6.2.3 Certificate name comparison

Windows automatically compares the domain name (DN) in the certificate to the expected domain name and does not require additional configuration of the expected domain name for the connection. The reference identifiers for TLS are the DNS name or IP address of the remote server, which is compared against the DNS name as the presented identifier in either the Subject Alternative Name (SAN) or the Subject Name of the certificate. There is no configuration of the reference identifiers.
6.2.4 Certificate validation

When validating a certificate with modern Windows applications the connection to a configured revocation server must be available or the validation will fail. This configuration cannot be changed.

6.2.4.1 Configuring certificate validation with PowerShell

Role: Standard User, Local Administrator
Windows Editions: All

The administrator configures certificate validation using the Set-NetFirewallSetting PowerShell cmdlet as described in the following TechNet topic:
- Set-NetFirewallSetting: http://technet.microsoft.com/en-us/library/jj554878.aspx

6.2.4.2 Configuring certificate validation for EAP-TLS

Role: Standard User, Local Administrator
Windows Editions: All

The administrator configures certificate validation for network connections based on EAP-TLS using the "Set Up a Connection or Network" wizard in the "Smart Card or Other Certificate Properties" and "Configure Certificate Selection" screens as described in the following article:
- Extensible Authentication Protocol (EAP) Settings for Network Access (see Smart Card or other Certificate Properties configuration items): https://technet.microsoft.com/en-us/library/hh945104.aspx

6.2.4.3 Configuring certificate validation for HTTPS in web browsers

Role: Standard User, Local Administrator
Windows Editions: Home, Pro, Enterprise

For Internet Explorer:
- Open the Control Panel
- Navigate to Internet Options > Internet Properties > Advanced Tab
- Configure certificate validation using the checkbox options. The Warn about certificate address mismatch setting configures whether the Web address must match the certificate subject field and warns the user of a mismatch.

The following MSDN Blog article provides more information on how Internet Explorer performs certificate revocation checks specifically:
- Understanding Certificate Revocation Checks: http://blogs.msdn.com/b/ieinternals/archive/2011/04/07/enabling-certificate-revocation-check-failure-warnings-in-internet-explorer.aspx

For Microsoft Edge: The administrator cannot configure certificate validation for HTTPS for Microsoft Edge. If the Web address does not match the certificate subject field, then the user is warned of a mismatch.

In all cases: When using HTTPS in a browsing scenario the user may choose to ignore a failed certificate validation and continue the connection.

6.2.4.4 Certificate validation and code signing

The administrator cannot configure certificate validation for code signing purposes.
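The following PowerShell script is an added example, not part of the Microsoft guide, that performs the two checks sections 6.2.3 and 6.2.4 describe, using the .NET X509Chain engine: the chain must build with revocation checked online (an unreachable responder fails the check), and the expected DNS name (the reference identifier) must match a SAN DNS entry or, failing that, the Subject CN. It assumes Windows PowerShell 5.1, a certificate in the local machine's Personal store as sample input, and hypothetical function names.

```powershell
# Added example: validates a server certificate with online revocation checking and
# reference identifier matching as described in sections 6.2.3 and 6.2.4.
# Function names are hypothetical; 'server.example.test' is a placeholder.

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Presented identifiers, SAN first. OID 2.5.29.17 is Subject Alternative Name;
    # Windows formats each entry as "DNS Name=host" on its own line when multiLine=$true.
    $names = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    if ($names.Count -eq 0) {
        # No SAN DNS entries: fall back to the Subject Name, as 6.2.3 allows.
        $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if ($cn) { $names += $cn }
    }
    return $names
}

function Test-ReferenceIdentifier {
    param([string]$Expected, [string[]]$Presented)
    # Case-insensitive exact match, or a wildcard in the left-most label only.
    foreach ($p in $Presented) {
        if ($p -ieq $Expected) { return $true }
        if ($p.StartsWith('*.')) {
            $suffix = $p.Substring(1)              # "*.example.test" -> ".example.test"
            $idx = $Expected.IndexOf('.')
            if ($idx -gt 0 -and $Expected.Substring($idx) -ieq $suffix) { return $true }
        }
    }
    return $false
}

function Test-ServerCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ExpectedDnsName
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online revocation: if the configured responder cannot be reached the build
    # reports RevocationStatusUnknown/OfflineRevocation and Build() returns $false,
    # which mirrors the "revocation server must be available" rule in 6.2.4.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
    # Require the serverAuth EKU so a client or code-signing certificate is rejected.
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.1')) | Out-Null

    $chainOk   = $chain.Build($Cert)
    $status    = $chain.ChainStatus | ForEach-Object { $_.Status.ToString() }
    $presented = Get-CertificateDnsNames -Cert $Cert
    $nameOk    = Test-ReferenceIdentifier -Expected $ExpectedDnsName -Presented $presented

    [PSCustomObject]@{
        Subject        = $Cert.Subject
        ChainValid     = $chainOk
        ChainStatus    = ($status -join ', ')
        PresentedNames = ($presented -join ', ')
        NameMatch      = $nameOk
        Accept         = ($chainOk -and $nameOk)
    }
}

# Sample input: the first certificate in the local machine's Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My | Select-Object -First 1
if ($cert) { Test-ServerCertificate -Cert $cert -ExpectedDnsName 'server.example.test' | Format-List }
```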
6.3 Managing Transport Layer Security (TLS)

6.3.1 Available cipher suites

The cipher suites listed in the Security Target correlate with those available in Windows 10 and Windows Server as follows:

Cipher suites listed in the Security Target                         | Setting name for the cipher suite in Windows
TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246                 | TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA as defined in RFC 5246                 | TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246              | TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246              | TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA as defined in RFC 4492         | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA as defined in RFC 4492         | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289      | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289      | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289      | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289      | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384

For additional information on TLS cipher suites, see TLS Cipher Suites in Windows 10 1803: https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/tls-cipher-suites-in-windows-10-v1803

6.3.2 Available TLS-EAP cipher suites

The TLS-EAP cipher suites listed in the Security Target correlate with those available in Windows 10 and Windows Server as follows:

Cipher suites listed in the Security Target                         | Setting name for the cipher suite in Windows
TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246                 | TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246              | TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA as defined in RFC 5246                 | TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246              | TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289      | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5430      | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5430      | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

The following article provides more information on cipher suites in TLS/SSL (Schannel SSP): https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/cipher-suites-in-schannel
3.
3ConfiguringwithMDMRoleITAdministratorWindowsEditionsPro,EnterpriseTLSciphersuitepriorityandrestrictinguseofcertaincryptographicalgorithmsmaybeconfiguredbytheITAdministratorusingMDM.
SeetheMDMsolutiondocumentationfordetailedconfigurationactions.
ThefollowingarticledescribestheCSPusedwithMDMtosetpolicyforTLSciphersuites:PolicyCSP,Cryptography/TLSCiphersuitesfunction:https://docs.
microsoft.
com/en-us/windows/client-management/mdm/policy-csp-cryptography#cryptography-tlsciphersuites6.
3.
4ConfiguringwithgrouppolicyRoleITAdministrator,LocalAdministratorWindowsEditionsPro,Enterprise,ServerStandard,ServerDatacenterThefollowingarticlesexplainhowanadministratormodifiesthesetofTLSciphersuitesforpriorityandavailability:PrioritizingSchannelCiphersuites:https://msdn.
microsoft.
com/en-us/library/windows/desktop/bb870930(v=vs.
85).
aspxHowtorestricttheuseofcertaincryptographicalgorithmsandprotocolsinSchannel.
dll:https://support.
microsoft.
com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protocNote:TheconfigurationforellipticcurvesusesanSSLciphersuiteorderlistandanECCcurveorderlistdisplayedintheGroupPolicyEditorandtheLocalSecurityPolicyEditor.
Enable/orderthedesiredciphersuitesinthefirstlistandenable/ordertheellipticcurvesinthesecond.
Forexample,toconfigureonlyTLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256ciphersuiteandsecp256r1curve,editthefirstlisttoonlyincludeTLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256andthecurveorderlisttoonlyincludesecp256r1(orNistP256asitisshowninthepolicyeditor).
Additionalciphersuitesandcurvesineachlistwillgenerateadditionaloptionsintheclient.
Arebootofthesystemisrequiredafterchangingtheciphersuiteorellipticcurvesconfiguration.
6.
3.
5ConfiguringwithPowerShellRoleStandardUser,LocalAdministratorWindowsEditionsAllManageTLSciphersuitesandellipticcurvesusingthefollowingPowerShellcmdlets:Enable-TlsCipherSuiteDisable-TlsCipherSuiteEnable-TlsEccCurveDisable-TlsEccCurve6.
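The restriction described in the 6.3.4 note, carried out with the 6.3.5 cmdlets, as an added example that is not part of the Microsoft guidance: it disables every suite and curve outside the Security Target lists and reports any remaining drift. It assumes the cmdlets report suites by base name (the _P256/_P384/_P521 suffixes in the 6.3.1 table are covered by the ECC curve list) and that Get-TlsEccCurve returns curve names as strings.

```powershell
# Added example (not part of the Microsoft guidance): restrict Schannel to the
# Security Target cipher suites and the NIST curves using the 6.3.5 cmdlets,
# then report any drift. Run elevated; reboot afterwards (see the 6.3.4 note).
# Assumptions: suites are reported by base name, Get-TlsEccCurve returns strings.

# Windows setting names from the 6.3.1 table, in priority order.
$AllowedSuites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256'
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA'
    'TLS_RSA_WITH_AES_256_CBC_SHA256'
    'TLS_RSA_WITH_AES_128_CBC_SHA256'
    'TLS_RSA_WITH_AES_256_CBC_SHA'
    'TLS_RSA_WITH_AES_128_CBC_SHA'
)
# NistP256 is how the policy editor names secp256r1 (6.3.4 note); P384/P521 likewise.
$AllowedCurves = @('NistP256', 'NistP384', 'NistP521')

function Get-TlsDrift {
    # Compares what Schannel currently has enabled with the allowed lists.
    param([string[]]$Suites = $AllowedSuites, [string[]]$Curves = $AllowedCurves)
    $enabledSuites = @(Get-TlsCipherSuite | ForEach-Object { $_.Name })
    $enabledCurves = @(Get-TlsEccCurve)
    [pscustomobject]@{
        ExtraSuites   = @($enabledSuites | Where-Object { $Suites -notcontains $_ })
        MissingSuites = @($Suites | Where-Object { $enabledSuites -notcontains $_ })
        ExtraCurves   = @($enabledCurves | Where-Object { $Curves -notcontains $_ })
        MissingCurves = @($Curves | Where-Object { $enabledCurves -notcontains $_ })
    }
}

function Set-TlsAllowedList {
    # Disables everything outside the allowed lists and enables anything missing.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Suites = $AllowedSuites, [string[]]$Curves = $AllowedCurves)
    $drift = Get-TlsDrift -Suites $Suites -Curves $Curves
    foreach ($s in $drift.ExtraSuites) {
        if ($PSCmdlet.ShouldProcess($s, 'Disable-TlsCipherSuite')) { Disable-TlsCipherSuite -Name $s }
    }
    foreach ($s in $drift.MissingSuites) {
        if ($PSCmdlet.ShouldProcess($s, 'Enable-TlsCipherSuite')) { Enable-TlsCipherSuite -Name $s }
    }
    foreach ($c in $drift.ExtraCurves) {
        if ($PSCmdlet.ShouldProcess($c, 'Disable-TlsEccCurve')) { Disable-TlsEccCurve -Name $c }
    }
    foreach ($c in $drift.MissingCurves) {
        if ($PSCmdlet.ShouldProcess($c, 'Enable-TlsEccCurve')) { Enable-TlsEccCurve -Name $c }
    }
}

# Preview, apply, then re-check; an empty drift report means the lists match.
Set-TlsAllowedList -WhatIf
Set-TlsAllowedList
$after = Get-TlsDrift
if (($after.ExtraSuites + $after.MissingSuites + $after.ExtraCurves + $after.MissingCurves).Count -eq 0) {
    Write-Host 'TLS configuration matches the Security Target lists; reboot to apply.'
} else {
    $after | Format-List
}
```

Where the 6.3.4 group policy lists are configured, they take precedence over the local settings these cmdlets change, so run Get-TlsDrift on the policy-applied machine rather than trusting the script's own result.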
6.3.6 Generating X.509 certificates with templates

Key lengths of keys used with certificates are configured in the certificate templates on the Certificate Authority used during enrollment and are not configured by the user or administrator. The IT administrator configures certificate templates for TLS client authentication as described in the following articles:
- Managing Certificate Templates: https://technet.microsoft.com/en-us/library/cc772457.aspx
- Cryptography (for configuring the algorithm that the issued certificate's key pair will support): https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770477(v=ws.11)
- PowerShell commands for configuring the algorithm that the issued certificate's key pair will support: https://docs.microsoft.com/en-us/powershell/module/tls/?view=win10-ps

The administrator configures the correct algorithms for the given cipher suites according to the following table:

Cipher suites (per Security Target):
  TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246
  TLS_RSA_WITH_AES_256_CBC_SHA as defined in RFC 5246
  TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246
  TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246
Selections in the certificate template:
  Provider Category = Key Storage Provider
  Algorithm Name = RSA

Cipher suites (per Security Target):
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA as defined in RFC 4492
  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
Selections in the certificate template:
  Provider Category = Key Storage Provider
  Algorithm Name = ECDSA_P256

Cipher suites (per Security Target):
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA as defined in RFC 4492
  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
Selections in the certificate template:
  Provider Category = Key Storage Provider
  Algorithm Name = ECDSA_P384

Cipher suites (per Security Target):
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA as defined in RFC 4492
  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
Selections in the certificate template:
  Provider Category = Key Storage Provider
  Algorithm Name = ECDSA_P521

6.3.7 Managing signature algorithms with the Windows registry
Role: Standard User, Local Administrator
Windows Editions: All

The signature algorithm set that is acceptable to the client (offered in the signature_algorithm extension during client hello) is configurable by editing the following registry key:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003
Remove the signature algorithm that should not be used. No additional algorithms other than the default set may be specified.
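An added example, not part of the Microsoft guidance, of pruning entries from the 6.3.7 key while respecting its rule that nothing may be added. It assumes the list is the REG_MULTI_SZ value named Functions under that key and that entries take the form 'RSA/SHA256' (the values passed to -Name below are illustrative).

```powershell
# Added example (not part of the Microsoft guidance): remove signature algorithms
# from the client list under the 6.3.7 key without adding any. Assumptions: the
# list is the REG_MULTI_SZ value 'Functions'; entries look like 'RSA/SHA256'.
$SigAlgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003'

function Get-SchannelSignatureAlgorithm {
    @((Get-ItemProperty -Path $SigAlgKey -Name Functions).Functions)
}

function Remove-SchannelSignatureAlgorithm {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Name,   # entries to drop, e.g. 'RSA/SHA1'
        [string]$BackupPath = "$env:TEMP\ssl-00010003-functions.bak"
    )
    $current = Get-SchannelSignatureAlgorithm
    # Names not already present are ignored: 6.3.7 permits removals only.
    $unknown = @($Name | Where-Object { $current -notcontains $_ })
    if ($unknown.Count) { Write-Warning "Not in the current list, ignored: $($unknown -join ', ')" }
    $remaining = @($current | Where-Object { $Name -notcontains $_ })
    if ($remaining.Count -eq 0) {
        throw 'Refusing to empty the list; the client hello would offer no signature algorithms.'
    }
    if ($PSCmdlet.ShouldProcess("$SigAlgKey\Functions", "Remove $($Name -join ', ')")) {
        # Keep the original list so the default set can be restored later.
        $current | Set-Content -Path $BackupPath
        Set-ItemProperty -Path $SigAlgKey -Name Functions -Value $remaining -Type MultiString
    }
    [pscustomobject]@{
        Removed   = @($current | Where-Object { $Name -contains $_ })
        Remaining = $remaining
        Backup    = $BackupPath
    }
}

function Restore-SchannelSignatureAlgorithm {
    param([string]$BackupPath = "$env:TEMP\ssl-00010003-functions.bak")
    $saved = @(Get-Content -Path $BackupPath)
    Set-ItemProperty -Path $SigAlgKey -Name Functions -Value $saved -Type MultiString
    Get-SchannelSignatureAlgorithm
}

# Preview first; drop -WhatIf to apply, then restart so Schannel reads the new list.
Remove-SchannelSignatureAlgorithm -Name 'RSA/SHA1', 'ECDSA/SHA1' -WhatIf
```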
6.3.8 Choosing TLS in a web browser
Role: Standard User
Windows Editions: All

Users may choose to use TLS (HTTPS) by typing https in the URL entered into the browser.

6.4 Managing network connections

This section collects configuration information for networking, including both wired Local Area Network (LAN) connections and Wireless Local Area Network (WLAN or Wi-Fi) connections.

6.4.1 Enabling or disabling network connections with the Windows UI
Role: Standard User
Windows Editions: Home, Pro, Enterprise

The following article provides details on enabling and disabling wired and wireless network connections with the Windows user interface:
- Enable or disable a network connection: https://technet.microsoft.com/en-us/library/cc771762(v=ws.10).aspx

6.4.2 Enabling or disabling network connections with PowerShell
Role: Standard User, Local Administrator
Windows Editions: All

Network connections may also be enabled and disabled using PowerShell. The following articles provide information on how to enable and disable network adapters with PowerShell:
- Disable-NetAdapter: https://docs.microsoft.com/en-us/powershell/module/netadapter/disable-netadapter?view=win10-ps
- Enable-NetAdapter: https://docs.microsoft.com/en-us/powershell/module/netadapter/enable-netadapter?view=win10-ps

6.4.3 Configuring Wi-Fi access with MDM
Role: IT Administrator
Windows Editions: Home, Pro, Enterprise

The availability of Wi-Fi and several Wi-Fi settings may be configured by the IT Administrator using MDM. See the MDM solution documentation for detailed configuration actions. The following articles provide information on the two relevant CSPs for managing Wi-Fi with MDM:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-wifi
- https://docs.microsoft.com/en-us/windows/client-management/mdm/wifi-csp

6.4.4 Configuring Wi-Fi access with the Windows user interface
Role: Standard User
Windows Editions: Home, Pro, Enterprise

The wireless network adapter is enabled or disabled via the Windows Settings app:
1. Open Settings
2. Navigate to Network & Internet > Status > Change adapter options
3. In the Network Connections window, select the Wi-Fi adapter and click the Disable this network device or Enable this network device button.

The articles below provide additional information on configuring Wi-Fi and troubleshooting:
- https://support.microsoft.com/en-us/help/17137/windows-setting-up-wireless-network
- https://support.microsoft.com/en-us/help/4000432/windows-10-fix-wi-fi-problems

6.4.5 Configuring allowed Wi-Fi networks with MDM
Role: IT Administrator
Windows Editions: Home, Pro, Enterprise

An IT Administrator may specify the set of wireless networks (SSIDs) that a client is allowed to connect to using MDM. See the MDM solution documentation for detailed configuration actions. The following article provides information on the relevant CSP for configuring allowed SSIDs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/wifi-csp

6.4.6 Configuring allowed Wi-Fi networks with Group Policy
Role: IT Administrator, Local Administrator
Windows Editions: Pro, Enterprise, Server Standard, Server Datacenter

Group policy can be used to specify the wireless networks (SSIDs) that a user may connect to.
- Configure Network Permissions and Connection Preferences: https://msdn.microsoft.com/en-us/library/dd759204.aspx

6.4.7 Selecting a secure Wi-Fi connection with the Windows UI
Role: Standard User
Windows Editions: Home, Pro, Enterprise

The following steps outline how to select and connect to an available Wi-Fi network using a higher level of security:
1. Open the Start button
2. Navigate to Settings > Network & Internet > Wi-Fi > Show available networks
3. Choose the network you want to connect to, select Connect, type the network password if necessary, then select Next

If the Wi-Fi connection is unintentionally broken, Windows will automatically attempt to reconnect to the same connection when it becomes available again. No action is required by the user.

6.4.8 Configuring a Wi-Fi connection profile with the Windows UI
Role: Standard User
Windows Editions: Home, Pro, Enterprise

The following steps provide information on how to manually configure a WLAN connection profile (e.g. EAP-TLS using WPA2-Enterprise) using the Windows user interface.

Note: Configuration options may be different depending on the specific selections for your environment.

1. Open the Control Panel
2. Navigate to Network and Sharing Center
3. Select Set up a new connection or network
4. Select Manually connect to a wireless network to create a new WLAN profile
5. In the Network name box, enter the name of the SSID to connect to
6. From the Security type list, choose the security type (e.g. WPA2-Enterprise)
7. Select Next and then Change connection settings to open the Wireless Network Properties window
8. Select the Security tab
9. Choose the authentication method from the Choose a network authentication method list (e.g. for EAP-TLS certificate-based authentication choose "Microsoft: Smart card or other certificate")
10. Select Advanced Settings, which will bring up a window with the 802.1X settings tab
11. Check the Specify authentication mode checkbox and then select the type of authentication certificate that has been configured (e.g. "User authentication" for a client authentication certificate)
12. In the same window, configure PMK caching if desired
13. In the same window, configure pre-authentication for the WLAN network if desired
14. Select OK to return to the Wireless Network Properties window
15. On the Security tab click Settings to open the Smart Card or other Certificate Properties window
16. Check Use a certificate on this computer and click the Advanced button to open the Configure Certificate Selection window
17. Check the Certificate Issuer checkbox and then, in the Select one or multiple certificate issuers to be used for the certificate list, check the Certificate Authority that issued the authentication certificate(s) configured on the client
18. Click OK to return to the Smart Card or other Certificate Properties window
19. Check Verify the server's identity by validating the certificate if desired
20. Check the Connect to these servers… checkbox if desired and enter the FQDN of acceptable WLAN authentication server certificates in the text box
21. Check the Certificate Authority corresponding to the certificate issuer for the server certificate configured on the WLAN authentication server and then click OK
22. Click Close to complete configuration for the WLAN connection profile
6.5 Managing personal hotspots

This section provides information on allowing or disallowing personal hotspots, or internet sharing, on a device.

6.5.1 Configuring with MDM
Role: IT Administrator
Windows Editions: Home, Pro, Enterprise

Sharing a personal hotspot may be enabled or disabled by the IT Administrator using MDM. See the MDM solution documentation for detailed management actions. The following article describes the CSP that enables MDM to affect the policy for personal hotspots:
- Wi-Fi CSP: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-wifi#wifi-allowinternetsharing

6.5.2 Configuring with group policy
Role: IT Administrator, Local Administrator
Windows Editions: Pro, Enterprise, Server Standard, Server Datacenter

Administrators can use group policy to enable or disable the use of hotspot sharing. The policy objects are found under:
  Computer configuration > Administrative templates > Network > Network Connections
The two group policy objects are:
- Prohibit use of Internet Connection Sharing on your DNS Domain network
- Prohibit installation and configuration of Network Bridge on your DNS Domain network

6.5.3 Configuring with the Windows user interface
Role: Standard User
Windows Editions: Home, Pro, Enterprise

Standard users can enable or disable hotspot sharing via Windows Settings:
1. Open the Start menu
2. Navigate to Settings > Network & Internet > Mobile hotspot
3. Select a connection from the dropdown, Share my internet connection from
4. If desired, tap the Edit button to configure the SSID name and password
5. Turn Mobile hotspot to On

6.6 Managing Bluetooth

This section provides various configuration instructions for managing Bluetooth. No additional configuration is necessary to ensure the Bluetooth services provided before login are limited. No additional configuration is necessary to ensure Bluetooth pairing uses a protected communication channel.

6.6.1 Configuring Bluetooth adapters with MDM
Role: IT Administrator
Windows Editions: Pro, Enterprise

The Bluetooth radio may also be configured by the IT Administrator using MDM. See the MDM solution documentation for detailed configuration actions. The following article describes the CSP that enables MDM to affect the policy for Bluetooth:
- Policy CSP, Connectivity function: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-connectivity#connectivity-allowbluetooth

6.6.2 Enabling or disabling Bluetooth adapters with the Windows UI
Role: Standard User
Windows Editions: Home, Pro, Enterprise

A user or administrator may enable or disable the Bluetooth adapter with the Windows Device Manager. The steps to do so are:
1. Open Device Manager
2. Locate the Bluetooth node and expand it
3. Right-click on the appropriate Bluetooth adapter and choose Properties
4. Select the Driver tab
5. Choose Disable Device to disable it or Enable Device to enable it

6.6.3 Enabling or disabling Bluetooth adapters with PowerShell
Role: Standard User, Local Administrator
Windows Editions: All

A user or administrator may enable or disable the Bluetooth adapter with a PowerShell script that leverages Windows Device Manager extensibility. The following article provides the details on the script:
- Disable Bluetooth in Windows 10: https://blogs.technet.microsoft.com/letsdothis/2017/06/20/disable-bluetooth-in-windows-10-updated/
6.7 Managing passwords and password policy

6.7.1 Configuring with MDM
Role: IT Administrator
Windows Editions: All

Password policy may be configured by the IT Administrator using MDM. See the MDM solution documentation for detailed actions. The DeviceLock policies, part of the Policy CSP, provide a variety of management functions for password policy. Note that some DeviceLock functions may not be available on Windows Home. The documentation for each function notes which editions the function may be used with. The following articles provide the documentation:
- Policy CSP – DeviceLock policy functions: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock
- Policy CSP – overview, including a list of all DeviceLock policies: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider

6.7.2 Configuring with group policy
Role: IT Administrator, Local Administrator
Windows Editions: Pro, Enterprise, Server Standard, Server Datacenter

The Group Policy Editor or Local Security Policy Editor may also be used to set password security policies on Windows 10 Enterprise and Windows 10 Pro. The following article provides an overview of password security policies and links to information for each security policy setting:
- Password Policy: https://technet.microsoft.com/en-us/library/hh994572(v=ws.10).aspx

The Administrator may disable unauthenticated logon by configuring user accounts to have a password. The OOBE requires user accounts to be created with a password.

6.7.3 Configuring with the net accounts utility
Role: IT Administrator, Local Administrator
Windows Editions: All

The following article explains the net accounts command line utility for standalone computers, which provides command-line options for managing password and account lockout policy:
- Net Accounts: http://technet.microsoft.com/en-us/library/bb490698.aspx

In addition to the parameters given in the referenced article, the following are also valid options:
- /lockoutthreshold:number: Sets the number of times a bad password may be entered until the account is locked out. If set to 0 then the account is never locked out.
- /lockoutwindow:minutes: Sets the number of minutes of the lockout window.
- /lockoutduration:minutes: Sets the number of minutes the account will be locked out for.

6.8 Managing smart card logon
Role: IT Administrator, Local Administrator
Windows Editions: Pro, Enterprise, Server Standard, Server Datacenter

Smart card logon is supported on Windows domain-joined devices. IT administrators must enable an account for smart card logon and issue a smart card to a user. For more information about how smart card authentication works in Windows and how to enable it, see the following topic and its sub-topics:
- How Smart Card Sign-in Works in Windows: https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows

For more information on how an IT administrator may configure Windows to require a smart card for interactive logon, see the following topic:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card

6.9 Managing Windows Hello

6.9.1 Configuring biometric authentication with the Windows UI
Role: Standard User
Windows Editions: Home, Pro, Enterprise

To enable Windows Hello and add authentication mechanisms other than password, follow these steps:
1. Log in to the user account
2. Navigate to Settings > Accounts > Sign-in options
3. Review the Windows Hello options and select either Fingerprint or Face Recognition
4. Follow the instructions in the Windows Hello setup wizard
5. Sign out

6.9.2 Configuring PIN authentication with group policy
Role: IT Administrator, Local Administrator
Windows Editions: Pro, Enterprise, Server Standard, Server Datacenter

To enable using a PIN in place of passwords on domain-joined devices, the following security policy must be enabled using the Group Policy Editor:
  Administrative Templates\System\Logon\Turn on convenience PIN sign-in

6.9.3 Configuring PIN authentication with the Windows UI
Role: Standard User
Windows Editions: Home, Pro, Enterprise

To enable a PIN in place of passwords, follow these steps:
1. Log in to the user account
2. Navigate to Settings > Accounts > Sign-in options
3. Under the PIN heading tap the Add button
4. Choose a new PIN value in the Set a PIN window. This requires entering a username and password to confirm the operation
5. Sign out

Note: The PIN sign-in options user interface is not displayed when the device is logged on remotely via Remote Desktop Protocol or when it is hosted in a Hyper-V virtual machine in Enhanced Session mode.
6.10 Managing screen lock and session timeout

6.10.1 Configuring with MDM
Role: IT Administrator
Windows Editions: All

Screen lock and session timeout may be configured by the IT Administrator using MDM. See the MDM solution documentation for detailed actions. The DeviceLock policies, part of the Policy CSP, provide a variety of management functions for screen lock and session timeout. Note that some DeviceLock functions may not be available on Windows Home. The documentation for each function notes which editions the function may be used with. The following articles provide the documentation:
- Policy CSP – DeviceLock policy functions: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock
- Policy CSP – overview, including a list of all DeviceLock policies: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider

6.10.2 Configuring with group policy
Role: IT Administrator, Local Administrator
Windows Editions: Pro, Enterprise, Server Standard, Server Datacenter

Screen lock and session timeout can both be configured by a Windows security policy. The relevant policies are:
- For local session locking, use the security policy Interactive logon: Machine inactivity limit. The following article provides details in the section titled New and changed functionality: Security Policy Settings Overview: http://technet.microsoft.com/en-us/library/2fdcbb11-8037-45b1-9015-665393268e36
- For remote session locking, use the security policy Set time limit for active but idle Remote Desktop Services session. The following article includes details: Session Time Limits: https://technet.microsoft.com/en-us/library/ee791741.aspx

6.10.3 Configuring with the Windows registry
Role: Local Administrator, Standard User
Windows Editions: All

The following articles provide information on registry settings which may be used to configure screen lock:
- ScreenSaveActive: https://technet.microsoft.com/en-us/library/cc978620.aspx
- ScreenSaverIsSecure: https://technet.microsoft.com/en-us/library/cc959646.aspx
- ScreenSaveTimeout: https://technet.microsoft.com/en-us/library/cc978621.aspx

6.10.4 Configuring with the Windows user interface
Role: Standard User
Windows Editions: Home, Pro, Enterprise

There are multiple user-configurable settings in Windows that enable control over different aspects of locking, and over the notifications shown while in a locked state.

To configure the screen lock timeout, use the Settings app:
1. Go to Settings
2. Navigate to System > Power & sleep > Additional power settings > Change when the computer sleeps
3. Choose a timeout duration

The user can set the scope of notifications shown on screen in a locked state via the Settings app:
1. Go to Settings
2. Navigate to System > Notifications & actions

The user has two options to initiate a screen lock manually:
- Click on the Start button > click on the user picture (upper left in the Start Menu) > click Lock
- or: press the Windows logo key + L
6.11 Managing the logon banner

6.11.1 Configuring with MDM
Role: IT Administrator
Windows Editions: Pro, Enterprise

The logon banner message to users may be configured by the IT administrator using MDM. See the MDM solution documentation for detailed configuration actions. The following article describes the CSP to manage the logon banner:
- Policy CSP – LocalPoliciesSecurityOptions: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked

6.11.2 Configuring with group policy
Role: IT Administrator, Local Administrator
Windows Editions: Pro, Enterprise, Server Standard, Server Datacenter

The following articles describe how to configure a message to users attempting to log on with the Group Policy Editor or Local Security Policy Editor:
- Interactive logon: Message title for users attempting to log on: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on
- Interactive logon: Message text for users attempting to log on: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on
6.11.3 Configuring with the Windows registry
Role: Local Administrator
Windows Editions: All

The logon banner message may also be configured by modifying the following Windows registry key values, which affect the user notification that displays at logon. Note that a reboot of the machine is required after modifying the keys to see the updated logon banner. The two registry keys are:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption – affects the string that displays as the caption of the legal notice dialog box
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext – affects the string that displays as the message of the legal notice dialog box

6.12 Managing USB

6.12.1 Configuring with the Windows UI
Role: Standard User
Windows Editions: Home, Pro, Enterprise

An administrator or user may enable or disable USB ports using the Windows Device Manager. To do so, follow these steps:
1. Open the Device Manager
2. Find the Universal Serial Bus controllers node and expand it
3. Right-click on the USB Root Hub child node and select the Properties menu item to open the USB Root Hub Properties window
4. Select the Driver tab and click the Enable or Disable button

6.12.2 Configuring with PowerShell
Role: Standard User, Local Administrator
Windows Editions: All

USB controllers may be enabled or disabled with PowerShell. The following articles describe the PowerShell cmdlets that may be used to disable USB controllers:
- Get-PnpDevice: https://docs.microsoft.com/en-us/powershell/module/pnpdevice/get-pnpdevice?view=win10-ps
- Disable-PnpDevice: https://docs.microsoft.com/en-us/powershell/module/pnpdevice/disable-pnpdevice?view=win10-ps
- Enable-PnpDevice: https://docs.microsoft.com/en-us/powershell/module/pnpdevice/enable-pnpdevice?view=win10-ps

6.12.3 Configuring with the Windows registry
Role: Local Administrator
Windows Editions: All

The Windows registry may also be used to manage USB. Specifically, to disable the use of USB storage devices:
1. Find the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
2. Change the Start REG_DWORD value to 4. (The default is 3.)
3. Restart the machine.

For more information on the CurrentControlSet\Services registry tree, see this topic:
- HKLM\SYSTEM\CurrentControlSet\Services Registry Tree: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
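One added example, not part of the Microsoft guidance, serving the three registry procedures in 6.10.3, 6.11.3 and 6.12.3: a helper that writes a value and reads it back, so a mistyped type or a path that policy has overridden is caught rather than silently ignored. It assumes the ScreenSave* values live under HKCU:\Control Panel\Desktop as REG_SZ (as documented in the linked articles); the banner strings are constructed sample text.

```powershell
# Added example (not part of the Microsoft guidance): apply the registry settings
# from 6.10.3 (screen lock), 6.11.3 (logon banner) and 6.12.3 (USB storage) with
# a read-back check. Assumption: ScreenSave* are REG_SZ under HKCU:\Control Panel\Desktop.
# The HKLM writes need a Local Administrator; the HKCU writes do not.

function Set-VerifiedRegistryValue {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)]$Value,
        [ValidateSet('String', 'DWord', 'MultiString', 'ExpandString')][string]$Type = 'String'
    )
    $before = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set to '$Value' ($Type)")) {
        if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type
    }
    $after = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Setting  = "$Path\$Name"
        Before   = $before
        After    = $after
        Verified = ("$after" -eq "$Value")   # string compare covers DWORD vs. [int]
    }
}

$Desktop = 'HKCU:\Control Panel\Desktop'
$PolSys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UsbStor = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'

$results = @(
    # 6.10.3: screen saver on, password-protected, 15-minute timeout (value is seconds).
    Set-VerifiedRegistryValue -Path $Desktop -Name ScreenSaveActive    -Value '1'
    Set-VerifiedRegistryValue -Path $Desktop -Name ScreenSaverIsSecure -Value '1'
    Set-VerifiedRegistryValue -Path $Desktop -Name ScreenSaveTimeout   -Value '900'
    # 6.11.3: legal notice caption and text shown before logon (constructed sample text).
    Set-VerifiedRegistryValue -Path $PolSys -Name legalnoticecaption -Value 'Authorized use only'
    Set-VerifiedRegistryValue -Path $PolSys -Name legalnoticetext `
        -Value 'This system is monitored. Disconnect now if you are not an authorized user.'
    # 6.12.3: USB storage driver start type 4 (disabled); the default is 3.
    Set-VerifiedRegistryValue -Path $UsbStor -Name Start -Value 4 -Type DWord
)

$results | Format-Table -AutoSize
if ($results.Verified -contains $false) {
    Write-Warning 'One or more values did not read back as expected; check elevation and policy overrides.'
} else {
    Write-Host 'All values verified. Reboot for the logon banner and UsbStor changes to take effect.'
}
```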
6.13 Managing updates

The following article provides an overview of Windows Update and a matching FAQ list:
- Windows Update FAQ: https://support.microsoft.com/en-us/help/12373/windows-update-faq

Note: Windows Update may be configured to use enterprise Windows Server Update Services (WSUS) rather than the default Microsoft Update. Configuring WSUS is outside the scope of this document.

6.13.1 Configuring using MDM
Role: IT Administrator
Windows Editions: Pro, Enterprise

The IT administrator may configure Automatic Updates or Windows Server Update Services (WSUS) using the MDM. See the MDM solution documentation for detailed actions. The following article describes the CSP policy for managing updates:
- Policy CSP – Update: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-policies

6.13.2 Configuring using group policy
Role: IT Administrator, Local Administrator
Windows Editions: Pro, Enterprise, Server Standard, Server Datacenter

The following article provides details on configuring updates using domain group policy:
- Configure Group Policy Settings for Automatic Updates: https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates

6.13.3 Configuring using the Server Configuration tool
Role: Local Administrator
Windows Editions: Server Standard Core, Server Datacenter Core

The Server Configuration tool (sconfig.cmd) is available to configure Windows Update and other features on Windows Server installations. The following topic describes how to use sconfig to configure Windows Server, including the Windows Update settings:
- Configure a Server Core installation of Windows Server 2016 or Windows Server, version 1709, with Sconfig.cmd: https://docs.microsoft.com/en-us/windows-server/get-started/sconfig-on-ws2016#windows-update-settings

6.13.4 Checking for OS updates using the Windows UI
Role: Standard User
Windows Editions: Home, Pro, Enterprise, Server Standard

To check for Windows updates, follow these steps:
1. Open Settings
2. Navigate to Update & security
3. Click the Check for updates button

6.13.5 Installing Windows updates via the command line
Role: Local Administrator
Windows Editions: All

Windows update packages may be installed manually via the command line interface on Windows 10 and Windows Server editions. The Windows Update Standalone Installer (Wusa.exe) provides features that enable manual installation. For details on how to use Wusa.exe, see the following topics:
- Patch a Server Core installation: https://docs.microsoft.com/en-us/windows-server/administration/server-core/server-core-servicing (for Server Core)
- Windows Update Standalone Installer in Windows: https://support.microsoft.com/en-us/help/934307/description-of-the-windows-update-standalone-installer-in-windows (for all editions)

6.13.6 Checking for Windows Store application updates
Role: Standard User
Windows Editions: Home, Pro, Enterprise

The following article describes how to check for updates to applications installed from the Windows Store:
- Check for updates for apps and games from Windows Store: https://support.microsoft.com/en-us/help/4026259/microsoft-store-check-updates-for-apps-and-games

6.14 Managing the firewall

6.14.1 Configuring with PowerShell
Role: Standard User, Local Administrator
Windows Editions: All

The following article describes how the Windows Firewall is managed using PowerShell cmdlets:
- Network Security Cmdlets in Windows PowerShell: https://docs.microsoft.com/en-us/powershell/module/netsecurity/?view=win10-ps
6.15 Managing domains

The following article provides an overview of how to join a client computer to an Active Directory domain:
- How to Join Your Computer to a Domain: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/join-a-computer-to-a-domain

The name of the domain that is indicated for the Domain entry in step (2) should be provided by your IT administrator.

Note: Choosing a domain is equivalent to choosing a Management Server.

6.15.1 Configuring with PowerShell
Role: Standard User, Local Administrator
Windows Editions: All

The following article describes how to join a computer to a domain using PowerShell:
- Add-Computer: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/add-computer?view=powershell-5.1

6.16 Managing date and time

6.16.1 Configuring with PowerShell
Role: Standard User, Local Administrator
Windows Editions: All

An administrator or user may set the date and time on a client using the Set-Date PowerShell cmdlet that is documented here:
- Using the Set-Date Cmdlet: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/set-date?view=powershell-6

6.16.2 Configuring the Windows Time Service
Role: All
Windows Editions: All

A dedicated set of tools is available to administrators to manage the Windows Time Service and related settings, including configuring the name and address of the time server. The following article describes the W32tm command, used to synchronize with a time server:
- Windows Time Service Tools and Settings: https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings

6.17 Managing remote administration

The following articles provide overview information on remote desktop services and clients, including how to establish a trusted remote session:
- Remote Desktop Services Overview: https://technet.microsoft.com/en-us/library/hh831447.aspx
- Microsoft Remote Desktop Clients: https://technet.microsoft.com/en-us/library/dn473009(v=ws.11).aspx

Securing remote sessions (RDP session security) is controlled by the RDP host in most cases. The following link provides information on how to require TLS for RDP sessions:
- Configure Server Authentication and Encryption Levels: https://technet.microsoft.com/en-us/library/cc770833.aspx

Note that TLS 1.2 will be negotiated using the above settings.

The following link provides information on configuring Session Time Limits for remote connections:
- Session Time Limits: https://technet.microsoft.com/en-us/library/cc753112.aspx

6.17.1 Configuring with MDM
Role: IT Administrator
Windows Editions: Pro, Enterprise

Remote administration may be managed remotely by the IT Administrator using MDM. See the MDM solution documentation for detailed configuration actions. The following article describes the correct function in the Policy CSP to use:
- Policy CSP – RemoteDesktopServices: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-remotedesktopservices

6.17.2 Configuring with group policy
Role: IT Administrator, Local Administrator
Windows Editions: Pro, Enterprise, Server Standard, Server Datacenter

Windows may be managed remotely by the IT Administrator using domain group policy. The following link describes Managing Group Policy:
- Managing Group Policy: https://technet.microsoft.com/en-us/library/cc978280.aspx

6.17.3 Configuring with PowerShell
Role: Standard User, Local Administrator
Windows Editions: All

Windows may also be remotely managed using PowerShell Remoting. PowerShell Remoting must be performed over an HTTPS connection. The following link provides information about PowerShell Remoting Security Considerations:
- https://docs.microsoft.com/en-US/powershell/scripting/setup/winrmsecurity?view=powershell-6
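The HTTPS-only requirement of 6.17.3 as an added example that is not part of the Microsoft guidance: it creates a WinRM HTTPS listener from an existing server-authentication certificate, removes any HTTP listener, and provides a check that only HTTPS remains. It assumes a certificate whose subject CN matches the host's FQDN is already installed in LocalMachine\My; $HostName is derived from the local machine (placeholder for your environment).

```powershell
# Added example (not part of the Microsoft guidance): make PowerShell Remoting
# accept HTTPS only, as 6.17.3 requires, and verify the result. Run elevated.
# Assumption: a server-authentication certificate for this host's FQDN is in
# Cert:\LocalMachine\My. TCP 5986 must also be allowed through the firewall.
$HostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # placeholder

function Get-WinRmListener {
    # Each listener is a WSMan container; its child items carry Transport, Port, Enabled.
    Get-ChildItem -Path WSMan:\localhost\Listener | ForEach-Object {
        $props = Get-ChildItem -Path $_.PSPath
        [pscustomobject]@{
            Name      = $_.Name
            Transport = ($props | Where-Object Name -eq 'Transport').Value
            Port      = ($props | Where-Object Name -eq 'Port').Value
            Enabled   = ($props | Where-Object Name -eq 'Enabled').Value
        }
    }
}

function Enable-WinRmHttpsOnly {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$HostName)
    # Pick the longest-lived server-auth (EKU 1.3.6.1.5.5.7.3.1) cert for this host.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$HostName*" -and
                       $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No server authentication certificate for $HostName in LocalMachine\My" }

    $listeners = @(Get-WinRmListener)
    if (-not ($listeners | Where-Object Transport -eq 'HTTPS')) {
        if ($PSCmdlet.ShouldProcess('WSMan:\localhost\Listener', 'Create HTTPS listener')) {
            New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
                     -CertificateThumbprint $cert.Thumbprint -HostName $HostName -Force | Out-Null
        }
    }
    # The weak setting is the default HTTP listener; remove it so only TLS remains.
    foreach ($l in ($listeners | Where-Object Transport -eq 'HTTP')) {
        if ($PSCmdlet.ShouldProcess($l.Name, 'Remove HTTP listener')) {
            Remove-Item -Path "WSMan:\localhost\Listener\$($l.Name)" -Recurse
        }
    }
    Get-WinRmListener
}

function Test-WinRmHttpsOnly {
    $l = @(Get-WinRmListener | Where-Object Enabled -eq 'true')
    (@($l | Where-Object Transport -eq 'HTTPS').Count -ge 1) -and
    (@($l | Where-Object Transport -eq 'HTTP').Count -eq 0)
}

Enable-WinRmHttpsOnly -HostName $HostName | Format-Table -AutoSize
if (Test-WinRmHttpsOnly) { Write-Host "Remoting is HTTPS-only; clients connect with: Enter-PSSession $HostName -UseSSL" }
else { Write-Warning 'An HTTP listener is still enabled or no HTTPS listener exists.' }
```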
6.18 Managing Software Restriction Policies (SRP)

6.18.1 Configuring with Software Restriction Policies
Role: Local Administrator
Windows Editions: Pro, Enterprise, Server Standard, Server Datacenter

Device Guard is used to manage Software Restriction Policies. See the link below for information on Device Guard:
- Device Guard: Windows Defender Application Control and virtualization-based protection of code integrity: https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control

The following sample PowerShell script demonstrates a Device Guard policy to deny executing the Microsoft Edge browser application:

    # By default no binaries are allowed to run so we need to allow most Windows binaries to run first.
    # This will not allow unsigned binaries to execute.
    # Add the set of signed binaries in "Program Files" and "Windows" folders and allow them to execute.
    New-CIPolicy -Level PcaCertificate -UserPEs -ScanPath 'C:\Program Files' -FilePath allowProgramFiles.xml
    New-CIPolicy -Level PcaCertificate -UserPEs -ScanPath C:\Windows -FilePath allowWindows.xml
    # deny the Microsoft Edge app (which would otherwise be whitelisted by the above rule)
    New-CIPolicy -Level FileName -UserPEs -Deny -ScanPath C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe -FilePath denyEdge.xml
    # enforce the rules: rule option 3 is "Enabled:Audit Mode", so deleting it from each policy
    # makes the merged policy block rather than only log
    Set-RuleOption -Option 3 -Delete -FilePath allowProgramFiles.xml
    Set-RuleOption -Option 3 -Delete -FilePath allowWindows.xml
    Set-RuleOption -Option 3 -Delete -FilePath denyEdge.xml
    # merge the three policy files and deploy the policy
    Merge-CIPolicy -PolicyPaths '.\denyEdge.xml', '.\allowWindows.xml', '.\allowProgramFiles.xml' -OutputFilePath mergedPolicy.xml
    ConvertFrom-CIPolicy -XmlFilePath mergedPolicy.xml -BinaryFilePath mergedPolicy.bin
    # the binary policy takes effect after the next reboot
    Copy-Item mergedPolicy.bin C:\Windows\System32\CodeIntegrity\SiPolicy.p7b
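Two checks to run around the script above, as an added example that is not part of the Microsoft guidance: one inspects the merged policy XML before it is converted, the other reads the Win32_DeviceGuard CIM class after the reboot to confirm the policy is enforced rather than audited. The file name mergedPolicy.xml is taken from the script; the status code meanings follow the class documentation.

```powershell
# Added example (not part of the Microsoft guidance): verification around 6.18.1.
# Test-CIPolicyAuditMode inspects the policy XML before ConvertFrom-CIPolicy;
# Get-CodeIntegrityEnforcement reads Win32_DeviceGuard after the reboot.
# Status codes per that class: 0 = Off, 1 = Audit, 2 = Enforced.

function Test-CIPolicyAuditMode {
    # True if the policy still carries rule option 3, i.e. it would only audit.
    param([Parameter(Mandatory)][string]$PolicyXmlPath)
    [xml]$policy = Get-Content -Path $PolicyXmlPath
    # Rule options are serialized as <Rules><Rule><Option>Enabled:Audit Mode</Option></Rule>...
    $options = @($policy.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })
    $options -contains 'Enabled:Audit Mode'
}

function Get-CodeIntegrityEnforcement {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $label = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    [pscustomobject]@{
        KernelModeCI = $label[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCI   = $label[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        # SecurityServicesRunning contains 2 when hypervisor-enforced code integrity is active.
        HvciRunning  = [bool]($dg.SecurityServicesRunning -contains 2)
        PolicyFile   = Test-Path -Path "$env:windir\System32\CodeIntegrity\SiPolicy.p7b"
    }
}

function Test-CodeIntegrityEnforced {
    $s = Get-CodeIntegrityEnforcement
    # 6.18.1 deletes option 3 and scans user-mode PEs (-UserPEs), so both
    # kernel- and user-mode status are expected to read Enforced.
    ($s.KernelModeCI -eq 'Enforced') -and ($s.UserModeCI -eq 'Enforced')
}

# Before ConvertFrom-CIPolicy: stop if audit mode survived the Set-RuleOption calls.
if (Test-CIPolicyAuditMode -PolicyXmlPath '.\mergedPolicy.xml') {
    Write-Warning 'mergedPolicy.xml still has Enabled:Audit Mode; re-run Set-RuleOption -Option 3 -Delete'
}
# After the reboot that follows copying SiPolicy.p7b:
Get-CodeIntegrityEnforcement | Format-List
if (-not (Test-CodeIntegrityEnforced)) {
    Write-Warning 'Code integrity policy is not enforced on this machine.'
}
```

Keep an audit-mode copy of the merged policy for staging: a policy that reads Enforced here but was built from an incomplete scan will block the missing binaries at the next boot.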
18.
2ConfiguringwithAppLockerRoleLocalAdministratorWindowsEditionsEnterpriseAppLockermayalsobeusedtomanageSoftwareRestrictionPolicies.
Dependingontheenvironmentandbusinessrequirements,administratorsmaychoosetousebothDeviceGuardandAppLocker.
SeethetopicsbelowforinformationonAppLockerandondecidingwhethertouseAppLocker,DeviceGuard,orboth:AppLockerOverview:https://docs.
microsoft.
com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overviewWindowsDefenderDeviceGuardwithAppLocker:https://docs.
microsoft.
com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-device-guard-and-applockerNote:AppLockerisonlysupportedinWindows10Enterpriseedition.
Alleditions,exceptEnterprise,shoulduseDeviceGuardtomanageSoftwareRestrictionPolicies6.
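Deploying a policy file does not by itself show whether the system is enforcing it. The following PowerShell is an added example (not part of the original guidance, and not a Windows or Microsoft script) that checks the resulting state after a Device Guard policy has been deployed as in 6.18.1 or AppLocker rules configured as in 6.18.2: it reads the code integrity enforcement status from the Win32_DeviceGuard WMI class, confirms SIPolicy.p7b is in place, lists the effective AppLocker rule collections with their enforcement mode, and retrieves the Device Guard 3077 and AppLocker 8022 block events that section 7 maps. The function names are this example's own; the WMI class, policy path, log names and event IDs are the ones named on this page.

```powershell
# Added example: verify what the deployed Device Guard / AppLocker policy actually does.
# Run from an elevated PowerShell prompt. Function names are this example's own.

function Get-CodeIntegrityState {
    # Win32_DeviceGuard reports 0 = Off, 1 = Audit mode, 2 = Enforced for the kernel-mode
    # and user-mode code integrity policies. "Audit" means rule option 3 is still present
    # in the deployed policy, so deny rules only log instead of blocking.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    $names = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    [pscustomobject]@{
        KernelModePolicy  = $names[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModePolicy    = $names[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        VbsRunning        = ([int]$dg.VirtualizationBasedSecurityStatus -eq 2)   # 2 = running
        PolicyFilePresent = Test-Path -LiteralPath "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"
    }
}

function Get-AppLockerState {
    # Only the Enterprise edition enforces AppLocker; elsewhere rules may exist but are not applied.
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    if (-not $policy) { return }
    foreach ($rc in $policy.RuleCollections) {
        [pscustomobject]@{
            Collection      = $rc.RuleCollectionType   # Exe, Dll, Script, Msi, Appx
            EnforcementMode = $rc.EnforcementMode      # Enabled, AuditOnly or NotConfigured
            RuleCount       = @($rc).Count
        }
    }
}

function Get-RecentBlockEvents {
    param([int] $Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $filters = @(
        @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational';        Id = 3077; StartTime = $since }
        @{ LogName = 'Microsoft-Windows-AppLocker/Packaged app-Execution'; Id = 8022; StartTime = $since }
    )
    foreach ($f in $filters) {
        # Get-WinEvent emits a non-terminating error when nothing matches; an empty log is a
        # normal outcome here, so suppress it rather than abort the sweep.
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LogName,
                @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }   # first line only
    }
}

Get-CodeIntegrityState
Get-AppLockerState     | Format-Table -AutoSize
Get-RecentBlockEvents  | Format-Table -AutoSize
```

A freshly copied SIPolicy.p7b is only loaded at the next boot, so run the check after a reboot. If KernelModePolicy or UserModePolicy reads Audit, rule option 3 was left in one of the merged XML files and the Edge deny rule is logging rather than blocking; 3077 block events only appear once the policy reports Enforced.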
6.19 Managing hibernation

6.19.1 Configuring with the Powercfg utility

Role: Local Administrator
Windows Editions: All

The following article describes how to manage power configuration, including disabling the hibernate function:

Powercfg Command-Line Options: https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options
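The article linked above gives the powercfg syntax; the following PowerShell is an added example (not from the original guidance) that disables hibernation with powercfg and then verifies the result from two independent places: the HibernateEnabled value under the Power control key, which is the setting powercfg toggles, and the presence of hiberfil.sys in the system drive root, which powercfg removes when hibernation is turned off. The function names are this example's own.

```powershell
# Added example: disable hibernation with powercfg and verify the result.
# Run from an elevated prompt. Function names are this example's own.

function Get-HibernationState {
    # HibernateEnabled (DWORD, 0 or 1) under the Power key is what "powercfg /hibernate" sets;
    # hiberfil.sys is the hidden backing file powercfg creates or deletes alongside it.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $enabled = (Get-ItemProperty -Path $key -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled
    [pscustomobject]@{
        HibernateEnabled = ($enabled -eq 1)
        HiberfilPresent  = Test-Path -LiteralPath (Join-Path $env:SystemDrive 'hiberfil.sys')
    }
}

function Disable-Hibernation {
    & powercfg.exe /hibernate off
    if ($LASTEXITCODE -ne 0) {
        throw "powercfg failed with exit code $LASTEXITCODE (is the prompt elevated?)"
    }
    $state = Get-HibernationState
    # Fail loudly if either indicator still says hibernation is available.
    if ($state.HibernateEnabled -or $state.HiberfilPresent) {
        throw 'Hibernation still appears enabled after powercfg /hibernate off'
    }
    $state
}

Disable-Hibernation
```

Disabling hibernation also disables Fast Startup, which depends on the hibernation file; the check above is therefore also a quick way to confirm that a shutdown is a full shutdown rather than a hybrid one.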
6.20 Managing health attestation

6.20.1 Configuring with MDM

Role: IT Administrator
Windows Editions: Pro, Enterprise

Health attestation policies can be managed to determine the health of enrolled Windows 10 and Windows Server devices using MDM. See the MDM solution documentation for detailed configuration actions. The following article provides details on the correct CSP to use to manage health attestation policies with MDM:

Device HealthAttestation CSP: https://docs.microsoft.com/en-us/windows/client-management/mdm/healthattestation-csp

6.20.2 Helper utility for health attestation logs

Role: Local Administrator
Windows Editions: All

The device will create a health attestation log every time the system boots. The logs are found in the following directory:

    %windir%\Logs\MeasuredBoot

The logs are in a binary format. To decode the logs, use the TPM Platform Crypto Provider and Toolkit utility, available for download from Microsoft here:

TPM Platform Crypto Provider and Toolkit: https://www.microsoft.com/en-us/download/details.aspx?id=52487&from=http%3A%2F%2Fresearch.microsoft.com%2Fen-us%2Fdownloads%2F74c45746-24ad-4cb7-ba4b-0c6df2f92d5d%2F
6.21 Managing audit policy

Role: All
Windows Editions: All

This section provides more information for IT Administrators on event auditing functionality in Windows, including solutions available to adjust logging scope and settings. This information is provided to enable IT Administrators to implement the security monitoring and forensics required by their organization.

6.21.1 Scope of logging and auditing settings

The following log locations are always enabled:

    Windows Logs -> System
    Windows Logs -> Setup
    Windows Logs -> Security (for startup and shutdown of the audit functions and of the OS and kernel, and clearing the audit log)

The following article provides more information on security audit policies, including planning and deploying the policies:

Advanced security audit policies: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-auditing

6.21.2 Setting audit policy with Auditpol, Secpol, and Wevtutil

The Auditpol command displays information about and performs functions to manipulate audit policies. The following article provides an overview of the Auditpol command, including a list of all its commands and their syntax:

Auditpol: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731451(v%3dws.11)

The Auditpol set command sets the per-user audit policy, system audit policy, or auditing options. The following article provides information on how to use Auditpol set:

Auditpol set: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc755264(v%3dws.11)

For example, to enable all audits in the given subcategories of the Windows Logs -> Security log, run the following commands at an elevated command prompt:

Logon operations:

    auditpol /set /subcategory:"Logon" /success:enable /failure:enable

Audit policy changes:

    auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable

Configuring IKEv1 and IKEv2 connection properties:

    auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable
    auditpol /set /subcategory:"Other Policy Change Events" /success:enable /failure:enable

Registry changes (modifying TLS cipher suite priority):

    auditpol /set /subcategory:"Registry" /success:enable /failure:enable

The Local Security Policy (secpol.msc) utility is used as an alternative to the auditpol utility for managing Security audits. The following article describes how to use the Local Security Policy utility:

Administer security policy settings: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966254(v=ws.11)

In addition to enabling audit policy as noted above, each registry key or file object to be audited must also have its auditing permissions set by changing the System Access Control List (SACL) for that object; enabling the Registry or File System subcategory alone produces no object access events for objects whose SACL is empty. The process is slightly different for each object type to be audited. For example, to set the SACL for a registry object:

1. Start the registry editor tool by executing the command regedit.exe as an administrator.
2. Navigate to the registry path for the key that should be audited, right-click the key's node and select Permissions… on the key's context menu to open the Permissions dialog.
3. Click the Advanced button to open the Advanced Security Settings dialog, click on the Auditing tab and click the Add button to open the Auditing Entry dialog.
4. Click Select a principal to open the Select User or Group dialog, select a user (e.g. Administrator) and click the OK button.
5. Choose the desired audits using the Type, Applies to and Basic Permissions attributes and click OK.
6. Click OK on the Advanced Security Settings dialog.
7. Click OK on the Permissions dialog.

For a file object, open the properties dialog for the file object, click Security, click Advanced, and click Auditing. PowerShell may also be used to set the SACL on the file object using PowerShell Get-Acl and Set-Acl:

Get-Acl: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-6

Set-Acl: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-6

For more information, the following TechNet topic describes System Access Control Lists in general:

Access Control Lists: https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-control-lists

Wevtutil is a system utility that performs many of the management functions related to system and audit logs, including the following:

    configure local audit storage capacity
    configure audit rules (includes enable/disable event logging for optional logging)
    enumerate the log names
    configure Analytic and Debug logs as enabled (e.g. Microsoft-Windows-CodeIntegrity/Verbose)

See the following article for more information on Wevtutil:

Wevtutil: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil

The PowerShell Get-WinEvent cmdlet can be used to retrieve and view audit logs. For information on how to use Get-WinEvent, see the following topic:

Get-WinEvent: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-6
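The steps in 6.21.2 are spread over three tools and a GUI dialog. The following PowerShell is an added example (not from the original guidance) that carries the whole procedure out from one elevated prompt and verifies each step: it enables the Registry and File System subcategories with auditpol and reads the setting back, adds audit entries to the SACL of a registry key and a file with Get-Acl -Audit and Set-Acl and reads them back, sizes the Security log and enables the Microsoft-Windows-CodeIntegrity/Verbose log with wevtutil, and finally modifies the audited key and confirms that 4656 (handle requested, listed in section 7) and 4657 (registry value modified) were written. The registry key HKLM:\SOFTWARE\Contoso\Secrets, the file under ProgramData, the Everyone principal and the function names are constructed for this example; the tools and subcategory names are the ones this section describes.

```powershell
# Added example: the 6.21.2 procedure end to end in PowerShell. Run from an elevated prompt.
# The key, file, principal and function names are constructed for this example.
$ErrorActionPreference = 'Stop'

function Enable-ObjectAccessAuditing {
    foreach ($sub in 'Registry', 'File System') {
        & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$sub'" }
    }
    # Read the policy back (CSV): a setting overridden by Group Policy shows up here.
    & auditpol.exe /get /subcategory:"Registry" /r
}

function Add-ObjectSacl {
    param(
        [Parameter(Mandatory)] [string] $Path,   # HKLM:\... registry key or a file path
        [Parameter(Mandatory)] [string] $Rights, # RegistryRights or FileSystemRights names
        [string] $Principal = 'Everyone',
        [string] $Flags = 'Success,Failure'
    )
    # -Audit makes Get-Acl return the SACL as well as the DACL; without it the audit rules
    # added below would not be written back by Set-Acl.
    $acl = Get-Acl -Path $Path -Audit
    if ($Path -like 'HK*:*') {
        $rule = [System.Security.AccessControl.RegistryAuditRule]::new(
            $Principal,
            [System.Security.AccessControl.RegistryRights]$Rights,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AuditFlags]$Flags)
    } else {
        # A file cannot carry inheritance flags; only containers can.
        $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
            $Principal,
            [System.Security.AccessControl.FileSystemRights]$Rights,
            [System.Security.AccessControl.InheritanceFlags]::None,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AuditFlags]$Flags)
    }
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Return the audit entries now on the object so the caller can see what was written.
    (Get-Acl -Path $Path -Audit).Audit
}

function Test-RegistryAuditing {
    param([string] $Key, [string] $ValueName)
    $since = Get-Date
    # With the SACL and the Registry subcategory in place, writing a value yields
    # 4656 (handle requested with SetValue) followed by 4657 (registry value modified).
    Set-ItemProperty -Path $Key -Name $ValueName -Value ([guid]::NewGuid().ToString())
    Start-Sleep -Seconds 2
    $objectName = $Key.Split(':')[1]   # "\SOFTWARE\Contoso\Secrets" as it appears in the event
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4657; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$objectName*" } |
        Select-Object TimeCreated, Id
}

# --- constructed sample targets, created if absent ---
$key  = 'HKLM:\SOFTWARE\Contoso\Secrets'
$file = Join-Path $env:ProgramData 'Contoso\secrets.txt'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-Item -Path $file -ItemType File -Force | Out-Null

Enable-ObjectAccessAuditing
Add-ObjectSacl -Path $key  -Rights 'SetValue,CreateSubKey,Delete,ChangePermissions'
Add-ObjectSacl -Path $file -Rights 'Write,Delete,ChangePermissions'

# wevtutil: grow the Security log to 256 MB and turn on the CodeIntegrity Verbose log
& wevtutil.exe sl Security /ms:268435456
& wevtutil.exe sl Microsoft-Windows-CodeIntegrity/Verbose /e:true

Test-RegistryAuditing -Key $key -ValueName 'ApiKey'
```

If Test-RegistryAuditing returns nothing, check the three preconditions in order: the auditpol readback must show Success and Failure for Registry, the Audit entries returned by Add-ObjectSacl must include the principal that performed the write (Everyone covers any account), and the Security log must not have been cleared in between. Audit settings pushed by Group Policy are reapplied at the next policy refresh and will overwrite a local auditpol change.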
6.22 Developing Applications

This section of the operational guidance is provided for application developers and is not related to the management functions that may be performed by the administrator or user roles described in the other sections of this document.

Developers may use Microsoft Visual Studio 2017 for development of applications. The following is a link to documentation for Microsoft Visual Studio 2017:

Visual Studio: https://docs.microsoft.com/en-us/visualstudio/ide/visual-studio-ide

Native C and C++ applications developed in Microsoft Visual Studio 2017 will by default have the /GS flag set, which inserts stack buffer overrun checks into compiled functions. The following is a link to documentation about the /GS flag in Microsoft Visual Studio:

/GS (Buffer Security Check): https://docs.microsoft.com/en-us/cpp/build/reference/gs-buffer-security-check

7 Audit events

This section provides a reference for the Windows audit records that can be used for security auditing and forensic investigation, as required for the Common Criteria evaluation. The event information for a collection of security functions is grouped together and then indexed under a heading that refers to the label in the Security Target. The log details, i.e. where an event is found and what its syntax in the log is, are included in a subsequent table and listed by event ID: Events mapped to log details.
7.1 Audit events – GPOS protection profile

The following table lists the audit events from the GPOS protection profile and implemented by Windows. Refer to the table, Events mapped to log details, for where to find each event within the Windows logs. Most of the events listed in this table are found in the Windows Security log; the Events mapped to log details table gives the exact log for each event ID.

Description: Context: Event ID (Detail)

Start-up and shut-down of the audit functions
    Start-up: 4608
    Shut-down: 1100

Authentication events (Success/Failure)
    Success: 4624
    Failure: 4625

Use of privileged/special rights events (successful and unsuccessful security, audit, and configuration changes)
    WRITE_DAC: 4670
    All other object access writes: 4656

Privilege or role escalation events (Success/Failure)
    Success: 4673
    Failure: 4674

File and object events (successful and unsuccessful attempts to create, access, delete, modify, modify permissions)
    4656

User and group management events (successful and unsuccessful add, delete, modify, disable)
    add user: 4720
    add user to group: 4732
    delete user: 4726
    delete user from group: 4733
    add group: 4731
    delete group: 4734
    modify group: 4735
    modify user account: 4738
    disable user: 4725

Lock and unlock a user account
    Lock: 4740
    Unlock: 4767

Audit and log data access events (Success/Failure)
    Success, Failure: 4673

Cryptographic verification of software (Success/Failure)
    Failure: 3
    Success: 2

Program initiations (Success/Failure, e.g. due to software restriction policy)
    Success: 3038 (Device Guard), 8020 (AppLocker)
    Failure: 3077 (Device Guard), 8022 (AppLocker)

Startup and shutdown of the Rich OS, i.e. system reboot, restart, and shutdown events (Success/Failure)
    Start-up: 4608
    Shut-down: 1100

Kernel module loading and unloading events (Success/Failure)
    Success: 3038 (other kernel modules); Windows Boot Configuration Log (boot kernel module loading)
    Failure: 3004 (other kernel modules); Recovery Screen (boot kernel module loading)

Administrator or root-level access events (Success/Failure)
    Success: 4624
    Failure: 4625
7.2 Audit events – WLAN client extended package

The following table lists the audit events from the WLAN Client Extended Package and implemented by Windows. Refer to the subsequent table, Events mapped to log details, for guidance on where to find each event within the Windows logs.

Columns: Requirement; Auditable Events; Additional Audit Record Contents; Log Name: Event ID (Detail)

FAU_GEN.1/WLAN
    Auditable events: None.

FCS_CKM.1/WLAN
    Auditable events: None.

FCS_CKM.2/WLAN
    Auditable events: None.

FCS_CKM_EXT.4
    Auditable events: None.

FCS_TLSC_EXT.1/WLAN
    Auditable events: Failure to establish an EAP-TLS session.
    Additional audit record contents: Reason for failure.
    Log name: Event ID: System: 36888; Microsoft-Windows-CAPI2/Operational: 11, 30

    Auditable events: Establishment/termination of an EAP-TLS session.
    Additional audit record contents: Non-TOE endpoint of connection.
    Log name: Event ID: System: 36880 (establishment); Microsoft-Windows-SChannel-Events/Perf: 1793 (termination)

FIA_PAE_EXT.1
    Auditable events: None.

FMT_SMF_EXT.1/WLAN
    Auditable events: None.

FIA_X509_EXT.2/WLAN
    Auditable events: None.

FPT_TST_EXT.1/WLAN
    Auditable events: Execution of this set of TSF self-tests. [Selection: detected integrity violation].
    Additional audit record contents: [Selection: The TSF binary file that caused the integrity violation].
    Log name: Event ID: System: 20

FTA_WSE_EXT.1
    Auditable events: All attempts to connect to access points.
    Additional audit record contents: Identity of access point being connected to as well as success and failures (including reason for failure).
    Log name: Event ID: Microsoft-Windows-WLAN-AutoConfig/Operational: 8001 (successful WLAN connection); 8002 (WLAN connection failure); 8003 (successful WLAN disconnection); 8004 (wireless network blocked); 11005 (wireless security succeeded); 11006 (wireless security failed); 12013 (failure due to user account)

FTP_ITC_EXT.1/WLAN
    Auditable events: All attempts to establish a trusted channel.
    Additional audit record contents: Identification of the non-TOE endpoint of the channel.
    Log name: Event ID: EAP-TLS/802.1x/802.11-2012: Microsoft-Windows-WLAN-AutoConfig/Operational: 8001, 8003
7.3 Events mapped to log details

The following table maps the event IDs referenced in the preceding tables to specific Windows logs, including details on where to find the information in the log, the specific log message, and the fields included. The fields in the table refer to the hierarchical field names used in Event Viewer event data, on the Details tab, when the Friendly View radio button is selected. The field names also correspond to the node names in XML files provided as evidence. The Message values correspond to the message displayed in the General tab.

Columns: Event ID; Location in Log; Message; Fields

Event ID 2
    Location in log: Windows Logs -> Setup
    Message: Package was successfully changed to the Installed state
    Fields: System -> TimeCreated [SystemTime]; System -> Provider [Name]; System -> Security [UserID]; System -> Level

Event ID 3
    Location in log: Windows Logs -> Setup
    Message: Windows update could not be installed because… "The data is invalid"

Event ID 11
    Location in log: Microsoft-Windows-CAPI2/Operational
    Message: Build Chain
    Fields: System -> TimeCreated [SystemTime]; System -> Provider [Name]; System -> Level; System -> Security [UserID]; UserData -> Result

Event ID 20
    Location in log: Windows Logs -> System
    Message: The last boot's success was … (the value is carried in the LastBootGood field)
    Fields: System -> TimeCreated [SystemTime]; System -> Provider [Name]; System -> Security [UserID]; EventData -> LastBootGood

Event ID 30
    Location in log: Microsoft-Windows-CAPI2/Operational
    Message: Verify Chain Policy
    Fields: System -> TimeCreated [SystemTime]; System -> Provider [Name]; System -> Level; System -> Security [UserID]; UserData -> CertVerifyCertificateChainPolicy -> Certificate

Event ID 1100
    Location in log: Windows Logs -> Security
    Message: The event logging service has shut down

Event ID 1793
    Location in log: Microsoft-Windows-SChannel-Events/Perf
    Message: A TLS Security Context handle is being deleted
    Fields: System -> TimeCreated [SystemTime]; System -> Provider [Name]; System -> Security [UserID]; System -> Level; EventData -> ContextHandle

Event ID 3004
    Location in log: Applications and Services Logs -> Microsoft -> Windows -> CodeIntegrity -> Operational
    Message: Windows is unable to verify the image integrity of the file because the file hash could not be found on the system.

Event ID 3038
    Location in log: Applications and Services Logs -> Microsoft -> Windows -> CodeIntegrity -> Verbose (an Analytic/Debug log that must be enabled, see 6.21.2)
    Message: Code Integrity started validating image header of file

Event ID 3077
    Location in log: Applications and Services Logs -> Microsoft -> Windows -> CodeIntegrity -> Operational
    Message: Code Integrity determined that a process attempted to load that did not meet the Enterprise signing level requirements or violated code integrity policy.
    Fields: System -> TimeCreated [SystemTime]; System -> Provider [Name]; System -> Level; System -> Security [UserID]

Event ID 4608
    Location in log: Windows Logs -> Security; Subcategory: Security State Change
    Message: Startup of audit functions
    Fields: System -> TimeCreated [SystemTime]; System -> Task; System -> Keywords (no EventData field)

Event ID 4624
    Location in log: Windows Logs -> Security; Subcategory: Logon
    Message: An account was successfully logged on.
    Fields: System -> TimeCreated [SystemTime]; System -> Task; System -> Keywords; EventData -> TargetUserSid

Event ID 4625
    Location in log: Windows Logs -> Security; Subcategory: Logon
    Message: An account failed to log on.
    Fields: System -> TimeCreated [SystemTime]; System -> Task; System -> Keywords; EventData -> TargetUserSid

Event ID 4656
    Location in log: Windows Logs -> Security; Subcategory: the Object Access subcategory for the object type (e.g. Registry, File System)
    Message: A handle to an object was requested.
    Fields: System -> TimeCreated [SystemTime]; System -> Task; System -> Keywords; EventData -> SubjectUserSid

Event ID 4670
    Location in log: Windows Logs -> Security; Subcategory: Policy Change
    Message: Permissions on an object were changed.
    Fields: System -> TimeCreated [SystemTime]; System -> Task; System -> Keywords; EventData -> SubjectUserSid

Event ID 4673
    Location in log: Windows Logs -> Security; Subcategory: Sensitive Privilege Use
    Message: A privileged service was called.
    Fields: System -> TimeCreated [SystemTime]; System -> Task; System -> Keywords; EventData -> SubjectUserSid

Event ID 4674
    Location in log: Windows Logs -> Security; Subcategory: Sensitive Privilege Use
    Message: An operation was attempted on a privileged object.
    Fields: System -> TimeCreated [SystemTime]; System -> Task; System -> Keywords; EventData -> SubjectUserSid

Event ID 4720
    Location in log: Windows Logs -> Security; Subcategory: User Account Management
    Message: A user account was created.
    Fields: System -> TimeCreated [SystemTime]; System -> Task; System -> Keywords; EventData -> SubjectUserSid

Event ID 4725
    Location in log: Windows Logs -> Security; Subcategory: User Account Management
    Message: A user account was disabled.
    Fields: System -> TimeCreated [SystemTime]; System -> Task; System -> Keywords; EventData -> SubjectUserSid

Event ID 4726
    Location in log: Windows Logs -> Security; Subcategory: User Account Management
    Message: A user account was deleted.
    Fields: System -> TimeCreated [SystemTime]; System -> Task; System -> Keywords; EventData -> SubjectUserSid

Event ID 4731
    Location in log: Windows Logs -> Security; Subcategory: User Account Management
    Message: A security-enabled local group was created.
    Fields: System -> TimeCreated [SystemTime]; System -> Task; System -> Keywords; EventData -> SubjectUserSid

Event ID 4732
    Location in log: Windows Logs -> Security; Subcategory: User Account Management
    Message: A member was added to a security-enabled group.
    Fields: System -> TimeCreated [SystemTime]; System -> Task; System -> Keywords; EventData -> SubjectUserSid

Event ID 4733
    Location in log: Windows Logs -> Security; Subcategory: User Account Management
    Message: A member was removed from a security-enabled group.
    Fields: System -> TimeCreated [SystemTime]; System -> Task; System -> Keywords; EventData -> SubjectUserSid

Event ID 4734
    Location in log: Windows Logs -> Security; Subcategory: User Account Management
    Message: A security-enabled local group was deleted.
    Fields: System -> TimeCreated [SystemTime]; System -> Task; System -> Keywords; EventData -> SubjectUserSid

Event ID 4735
    Location in log: Windows Logs -> Security; Subcategory: User Account Management
    Message: A security-enabled local group was changed.
    Fields: System -> TimeCreated [SystemTime]; System -> Task; System -> Keywords; EventData -> SubjectUserSid

Event ID 4738
    Location in log: Windows Logs -> Security; Subcategory: User Account Management
    Message: A user account was changed.
    Fields: System -> TimeCreated [SystemTime]; System -> Task; System -> Keywords; EventData -> SubjectUserSid

Event ID 4740
    Location in log: Windows Logs -> Security; Subcategory: User Account Management
    Message: A user account was locked out.
    Fields: System -> TimeCreated [SystemTime]; System -> Task; System -> Keywords; EventData -> SubjectUserSid

Event ID 4767
    Location in log: Windows Logs -> Security; Subcategory: User Account Management
    Message: A user account was unlocked.
    Fields: System -> TimeCreated [SystemTime]; System -> Task; System -> Keywords; EventData -> SubjectUserSid

Event ID 8001
    Location in log: Microsoft-Windows-WLAN-AutoConfig/Operational
    Message: WLAN AutoConfig service has successfully connected to a wireless network
    Fields: System -> TimeCreated [SystemTime]; System -> Provider [Name]; System -> Level; System -> Security [UserID]; EventData -> PHYType, AuthenticationAlgorithm; EventData -> SSID

Event ID 8002
    Location in log: Microsoft-Windows-WLAN-AutoConfig/Operational
    Message: WLAN AutoConfig service failed to connect to a wireless network
    Fields: System -> TimeCreated [SystemTime]; System -> Provider [Name]; System -> Level; System -> Security [UserID]; EventData -> PHYType, AuthenticationAlgorithm; EventData -> SSID

Event ID 8003
    Location in log: Microsoft-Windows-WLAN-AutoConfig/Operational
    Message: WLAN AutoConfig service has successfully disconnected from a wireless network
    Fields: System -> TimeCreated [SystemTime]; System -> Provider [Name]; System -> Level; System -> Security [UserID]; EventData -> ConnectionId; EventData -> SSID

Event ID 8004
    Location in log: Microsoft-Windows-WLAN-AutoConfig/Operational
    Message: Wireless network is blocked due to connection failure.
    Fields: System -> TimeCreated [SystemTime]; System -> Provider [Name]; System -> Level; System -> Security [UserID]; EventData -> FailureReason; EventData -> SSID

Event ID 8020
    Location in log: Applications and Services Logs -> Microsoft -> Windows -> AppLocker -> Packaged app-Execution
    Message: … was allowed to run.
    Fields: System -> TimeCreated [SystemTime]; System -> Provider [Name]; System -> Level; System -> Security [UserID]

Event ID 8022
    Location in log: Applications and Services Logs -> Microsoft -> Windows -> AppLocker -> Packaged app-Execution
    Message: … was prevented from running.
    Fields: System -> TimeCreated [SystemTime]; System -> Provider [Name]; System -> Level; System -> Security [UserID]

Event ID 11005
    Location in log: Microsoft-Windows-WLAN-AutoConfig/Operational
    Message: Wireless security succeeded.
    Fields: System -> TimeCreated [SystemTime]; System -> Provider [Name]; System -> Level; System -> Security [UserID]; EventData -> SSID

Event ID 11006
    Location in log: Microsoft-Windows-WLAN-AutoConfig/Operational
    Message: Wireless security failed.
    Fields: System -> TimeCreated [SystemTime]; System -> Provider [Name]; System -> Level; System -> Security [UserID]; EventData -> SSID; EventData -> ReasonText; EventData -> ReasonCode

Event ID 12013
    Location in log: Microsoft-Windows-WLAN-AutoConfig/Operational
    Message: Wireless 802.1x authentication failed.
    Fields: System -> TimeCreated [SystemTime]; System -> Provider [Name]; System -> Level; System -> Security [UserID]; EventData -> SSID

Event ID 36880
    Location in log: Windows Logs -> System
    Message: An TLS server handshake completed successfully. The negotiated cryptographic parameters are as follows:
    Fields: System -> TimeCreated [SystemTime]; System -> Provider [Name]; System -> Security [UserID]; UserData -> EventXML -> TargetName

Event ID 36888
    Location in log: Windows Logs -> System
    Message: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is %1.
    Fields: System -> TimeCreated [SystemTime]; System -> Provider [Name]; System -> Security [UserID]; UserData -> EventXML -> TargetName; UserData -> EventXML -> AlertDesc; UserData -> EventXML -> ErrorState
    The following are the possible error codes (TLS alert descriptions):
        10  Unexpected message
        20  Bad record MAC
        22  Record overflow
        30  Decompression fail
        40  Handshake failure
        47  Illegal parameter
        48  Unknown CA
        49  Access denied
        50  Decode error
        51  Decrypt error
        70  Protocol version
        71  Insufficient security
        80  Internal error
        110 Unsupported extension
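The table above names, per event, the log to open and the fields to read. The following PowerShell is an added example (not from the original guidance) that turns that mapping into a collector: it queries each log named in the table for the event IDs listed there, converts every event to XML and pulls out the field paths the table gives (System/TimeCreated, System/Provider, System/Security[UserID], EventData/SubjectUserSid or TargetUserSid, UserData/EventXML/TargetName and AlertDesc, and the WLAN SSID), and emits one flat record shape regardless of which log the event came from. The log names, event IDs and field names are from the table; the $GposEventMap grouping and the function names are this example's own. The Setup-log events 2 and 3 and the SChannel Perf event 1793 are left out because the IDs are shared by unrelated providers in those logs.

```powershell
# Added example: collect the section 7 audit events from the logs the table names and
# flatten the listed fields. Run elevated (the Security log requires it).
# $GposEventMap and the function names are this example's own.

$GposEventMap = @(
    @{ Log = 'Security'; Id = 4608, 1100, 4624, 4625, 4656, 4670, 4673, 4674,
                              4720, 4725, 4726, 4731, 4732, 4733, 4734, 4735, 4738, 4740, 4767 }
    @{ Log = 'System';   Id = 20, 36880, 36888 }
    @{ Log = 'Microsoft-Windows-CodeIntegrity/Operational';        Id = 3004, 3077 }
    @{ Log = 'Microsoft-Windows-AppLocker/Packaged app-Execution'; Id = 8020, 8022 }
    @{ Log = 'Microsoft-Windows-WLAN-AutoConfig/Operational';      Id = 8001, 8002, 8003, 8004, 11005, 11006, 12013 }
    @{ Log = 'Microsoft-Windows-CAPI2/Operational';                 Id = 11, 30 }
)

function Get-EventField {
    param([xml] $Xml, [string] $Name)
    # Security-log events carry named <Data Name="..."> elements under EventData;
    # Schannel events carry a provider-specific tree under UserData/EventXML. Try both.
    $d = $Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name } | Select-Object -First 1
    if ($d) { return $d.'#text' }
    $node = $Xml.Event.UserData.EventXML
    if ($node -and $node.$Name) { return $node.$Name }
    return $null
}

function Get-GposAuditEvents {
    param([datetime] $Since = (Get-Date).AddDays(-1))
    foreach ($entry in $GposEventMap) {
        $filter = @{ LogName = $entry.Log; Id = $entry.Id; StartTime = $Since }
        # A log with no matching events makes Get-WinEvent raise a non-terminating error;
        # treat that as an empty result instead of aborting the sweep.
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $x = [xml] $e.ToXml()
            [pscustomobject]@{
                Time       = $x.Event.System.TimeCreated.SystemTime
                Log        = $entry.Log
                Id         = $e.Id
                Provider   = $x.Event.System.Provider.Name
                UserId     = $x.Event.System.Security.UserID
                Subject    = Get-EventField $x 'SubjectUserSid'
                Target     = Get-EventField $x 'TargetUserSid'
                TargetName = Get-EventField $x 'TargetName'   # Schannel peer
                AlertDesc  = Get-EventField $x 'AlertDesc'    # 36888 fatal alert code
                SSID       = Get-EventField $x 'SSID'
                Message    = ($e.Message -split "`r?`n")[0]   # first line only
            }
        }
    }
}

$records = Get-GposAuditEvents -Since (Get-Date).AddHours(-24)
# Logon activity with the account SID the table points to
$records | Where-Object Id -in 4624, 4625 | Format-Table Time, Id, Target, Message -AutoSize
# Coverage overview: which of the mapped events this host actually produced
$records | Group-Object Log, Id -NoElement | Sort-Object Name | Format-Table -AutoSize
```

An ID that never appears in the overview usually means its source is not enabled rather than that nothing happened: 4656 needs both the matching subcategory and an object SACL (6.21.2), 3077 and 8022 need an enforced policy (6.18), and 36888 only appears when Schannel itself terminated a handshake.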
