microsoft windows common criteria evaluation · 22 enable/disable all data signaling over [usb...
TRANSCRIPT
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 1 of 54
Microsoft Windows
Common Criteria Evaluation Microsoft Windows 10
Windows 10 Mobile Device Operational Guidance
Document Information Version Number 1.0 Updated On January 12, 2016
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 2 of 54
This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein. se
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs-NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd-nc/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.
© 2016 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Visual Basic, Visual Studio, Windows, the Windows logo, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 3 of 54
TABLE OF CONTENTS
1 INTRODUCTION .......................................................................................................................................................................................................................................................9
1.1 CONFIGURATION .........................................................................................................................................................................................................................................................9
1.1.1 EVALUATED CONFIGURATION ............................................................................................................................................................................................................................................................. 9
1.1.2 MOBILE DEVICE MANAGEMENT SOLUTIONS ....................................................................................................................................................................................................................................... 10
2 MANAGEMENT FUNCTIONS ................................................................................................................................................................................................................................... 10
3 MANAGING AUDITS .............................................................................................................................................................................................................................................. 11
3.1 AUDIT EVENTS .......................................................................................................................................................................................................................................................... 12
3.2 MANAGING AUDIT POLICY........................................................................................................................................................................................................................................... 31
3.2.1 LOCAL ADMINISTRATOR GUIDANCE ................................................................................................................................................................................................................................................... 31
4 MANAGING WIPE .................................................................................................................................................................................................................................................. 33
4.1 IT ADMINISTRATOR ................................................................................................................................................................................................................................................... 33
4.2 LOCAL ADMINISTRATOR GUIDANCE ............................................................................................................................................................................................................................... 33
5 MANAGING EAP-TLS .............................................................................................................................................................................................................................................. 33
5.1 IT ADMINISTRATOR GUIDANCE ..................................................................................................................................................................................................................................... 34
5.2 LOCAL ADMINISTRATOR GUIDANCE ............................................................................................................................................................................................................................... 34
5.3 USER GUIDANCE ....................................................................................................................................................................................................................................................... 35
6 MANAGING TLS ..................................................................................................................................................................................................................................................... 35
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 4 of 54
6.1 IT ADMINISTRATOR GUIDANCE ..................................................................................................................................................................................................................................... 35
6.2 LOCAL ADMINISTRATOR GUIDANCE ............................................................................................................................................................................................................................... 35
6.3 USER GUIDANCE ....................................................................................................................................................................................................................................................... 37
7 MANAGING APPS .................................................................................................................................................................................................................................................. 37
7.1 IT ADMINISTRATOR GUIDANCE ..................................................................................................................................................................................................................................... 37
7.2 LOCAL ADMINISTRATOR GUIDANCE ............................................................................................................................................................................................................................... 37
7.3 USER GUIDANCE ....................................................................................................................................................................................................................................................... 37
8 MANAGING VOLUME ENCRYPTION ........................................................................................................................................................................................................................ 38
8.1 LOCAL ADMINISTRATOR GUIDANCE ............................................................................................................................................................................................................................... 38
8.2 USER GUIDANCE ....................................................................................................................................................................................................................................................... 39
9 MANAGING VPN ................................................................................................................................................................................................................................................... 39
10 MANAGING ACCOUNTS ......................................................................................................................................................................................................................................... 39
10.1 LOCAL ADMINISTRATOR GUIDANCE ............................................................................................................................................................................................................................... 39
11 MANAGING BLUETOOTH ....................................................................................................................................................................................................................................... 40
11.1 IT ADMINISTRATOR ................................................................................................................................................................................................................................................... 40
11.2 LOCAL ADMINISTRATOR GUIDANCE ............................................................................................................................................................................................................................... 40
11.3 USER GUIDANCE ....................................................................................................................................................................................................................................................... 40
12 MANAGING PASSWORDS ...................................................................................................................................................................................................................................... 41
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 5 of 54
12.1 STRONG PASSWORDS ................................................................................................................................................................................................................................................. 41
12.1.1 IT ADMINISTRATOR GUIDANCE ......................................................................................................................................................................................................................................................... 41
12.1.2 LOCAL ADMINISTRATOR GUIDANCE ................................................................................................................................................................................................................................................... 41
12.2 PROTECTING PASSWORDS ........................................................................................................................................................................................................................................... 41
12.2.1 USER GUIDANCE ............................................................................................................................................................................................................................................................................. 41
12.3 LOGON/LOGOFF PASSWORD POLICY .............................................................................................................................................................................................................................. 42
12.3.1 LOCAL ADMINISTRATOR GUIDANCE ................................................................................................................................................................................................................................................... 42
12.3.2 USER GUIDANCE ............................................................................................................................................................................................................................................................................. 43
13 MANAGING CERTIFICATES ..................................................................................................................................................................................................................................... 43
13.1 DEVELOPER GUIDANCE ............................................................................................................................................................................................................................................... 43
13.2 IT ADMINISTRATOR GUIDANCE ..................................................................................................................................................................................................................................... 43
13.3 LOCAL ADMINISTRATOR GUIDANCE ............................................................................................................................................................................................................................... 44
13.4 USER GUIDANCE ....................................................................................................................................................................................................................................................... 45
13.5 CUSTOM CERTIFICATE REQUESTS ................................................................................................................................................................................................................................... 45
14 MANAGING TIME .................................................................................................................................................................................................................................................. 45
14.1 LOCAL ADMINISTRATOR GUIDANCE ............................................................................................................................................................................................................................... 46
15 GETTING VERSION INFORMATION ......................................................................................................................................................................................................................... 46
15.1 USER GUIDANCE ....................................................................................................................................................................................................................................................... 46
16 LOCKING A DEVICE ................................................................................................................................................................................................................................................ 47
16.1 IT ADMINISTRATOR GUIDANCE ..................................................................................................................................................................................................................................... 47
16.2 LOCAL ADMINISTRATOR GUIDANCE ............................................................................................................................................................................................................................... 47
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 6 of 54
16.3 USER GUIDANCE ....................................................................................................................................................................................................................................................... 47
16.4 MANAGING NOTIFICATIONS PRIOR TO UNLOCKING A DEVICE ............................................................................................................................................................................................... 48
16.4.1 LOCAL ADMINISTRATOR GUIDANCE ................................................................................................................................................................................................................................................... 48
17 MANAGING AIRPLANE MODE ................................................................................................................................................................................................................................ 48
17.1 USER GUIDANCE ....................................................................................................................................................................................................................................................... 48
18 MANAGING DEVICE ENROLLMENT ......................................................................................................................................................................................................................... 48
18.1 IT ADMINISTRATOR ................................................................................................................................................................................................................................................... 48
18.2 LOCAL ADMINISTRATOR GUIDANCE ............................................................................................................................................................................................................................... 49
18.3 USER GUIDANCE ....................................................................................................................................................................................................................................................... 49
19 MANAGING UPDATES ............................................................................................................................................................................................................................................ 49
19.1 IT ADMINISTRATOR ................................................................................................................................................................................................................................................... 50
19.2 LOCAL ADMINISTRATOR .............................................................................................................................................................................................................................................. 50
20 MANAGING HEALTH ATTESTATION ........................................................................................................................................................................................................................ 50
20.1 IT ADMINISTRATOR ................................................................................................................................................................................................................................................... 50
21 MANAGING COLLECTION DEVICES ......................................................................................................................................................................................................................... 50
21.1 IT ADMINISTRATOR ................................................................................................................................................................................................................................................... 50
21.1.1 LOCAL AMINISTRATOR GUIDANCE ..................................................................................................................................................................................................................................................... 50
21.1.2 USER GUIDANCE ............................................................................................................................................................................................................................................................................. 51
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 7 of 54
22 MANAGING USB .................................................................................................................................................................................................................................................... 51
22.1 LOCAL ADMINISTRATOR .............................................................................................................................................................................................................................................. 51
23 MANAGING BACKUP ............................................................................................................................................................................................................................................. 51
23.1 LOCAL ADMINISTRATOR .............................................................................................................................................................................................................................................. 51
23.2 USER GUIDANCE ....................................................................................................................................................................................................................................................... 52
24 MANAGING DEVELOPER MODE ............................................................................................................................................................................................................................. 52
24.1 IT ADMINISTRATOR ................................................................................................................................................................................................................................................... 52
24.2 LOCAL ADMINISTRATOR GUIDANCE ............................................................................................................................................................................................................................... 52
25 MANAGING CRYPTOGRAPHIC ALGORITHMS .......................................................................................................................................................................................................... 52
26 MANAGING INTERNET CONNECTION SHARING (ICS) ............................................................................................................................................................................................... 53
26.1 LOCAL ADMINISTRATOR GUIDANCE ............................................................................................................................................................................................................................... 53
27 MANAGING LOCATION SERVICES (GPS) .................................................................................................................................................................................................................. 53
27.1 IT ADMINISTRATOR ................................................................................................................................................................................................................................................... 53
27.2 LOCAL ADMINISTRATOR GUIDANCE ............................................................................................................................................................................................................................... 53
28 MANAGING WI-FI .................................................................................................................................................................................................................................................. 53
28.1 IT ADMINISTRATOR ................................................................................................................................................................................................................................................... 53
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 8 of 54
28.2 LOCAL ADMINISTRATOR GUIDANCE ............................................................................................................................................................................................................................... 53
29 MANAGING MOBILE BROADBAND ......................................................................................................................................................................................................................... 54
29.1 USER GUIDANCE ....................................................................................................................................................................................................................................................... 54
30 MANAGING HEALTH ATTESTATION ........................................................................................................................................................................................................................ 54
30.1 IT ADMINISTRATOR GUIDANCE ..................................................................................................................................................................................................................................... 54
30.2 LOCAL ADMINISTRATOR GUIDANCE ............................................................................................................................................................................................................................... 54
31 NATIVELY INSTALLED APPLICATIONS ...................................................................................................................................................................................................................... 54
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 9 of 54
1 Introduction This document provides operational guidance information for a Common Criteria evaluation describing only the security functionality which the administrator should use – any security
functionality not described in this document is not part of the evaluation.
1.1 Configuration
1.1.1 Evaluated Configuration
The Common Criteria evaluation includes a specific configuration of Windows, the “evaluated configuration”. To run Windows deployments using the evaluated configuration follow the
deployment steps and apply the security policies and security settings indicated below. The Security Target section 1.1 describes the Windows editions and security patches included in the
evaluated configuration.
The operating system is pre-installed on the devices in the evaluated configuration. When the device is turned on for the first time the Out of Box Experience (OOBE) runs to complete the
configuration.
The following security policies are applied after completing the OOBE:
Security Policy Policy Setting
Local Policies\Security Options\System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithm Enabled
Administrative Template\Windows Components\Credentials User Interface\Do not display the password reveal button Enabled
The following security settings are applied to create the evaluated configuration:
Cipher suite selection is configured according to section 5 Managing TLS
Volume encryption is enabled according to section 8 Managing Volume Encryption
VPN connections route all traffic through the VPN tunnel as described section 9 Managing VPN
Passwords use a minimum of six alphanumeric characters and symbols according to section 12.1 Strong Passwords
RSA machine certificates are configured according to section 13 Managing Certificates to use a minimum 2048 bit key length
Session locking is enabled according to section 16 Locking a Device
Devices are enrolled for device management according to section 18 Device Enrollment
Enrolled policy must have the Enterprise Data Protection settings enabled
The following Windows Update package must be installed: KB3074683.
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 10 of 54
Some of the links in this document may be written for Windows versions that are earlier than Windows 10. The content in all these links apply to the Windows 10 version.
1.1.2 Mobile Device Management Solutions
Many of the configurations described in this guide for the IT Administrator role are applied to the device through a Mobile Device Management (MDM) solution. The specific steps to perform a
configuration through the MDM are solution-specific and are not described in this document. Examples of possible configuration option text are provided in this document, but are not
guaranteed to match any specific MDM solution. See the MDM solution documentation for detailed configuration actions.
2 Management Functions The following table maps management functions to roles:
Management Function User Guidance
Local Administrator
Guidance IT Administrator Guidance
1 Configure password policy √ √
2 Configure session locking policy √ √
3 Enable/disable the VPN protection
√ √
4 Enable/disable [GPS, Wi-Fi, mobile broadband radios, Bluetooth]
√ √ 5 Enable/disable [camera, microphone]
√ √
6 Specify wireless networks (SSIDs) to which the TSF may connect √ √
7 Configure security policy for connecting to wireless networks √ √
8 Transition to the locked state √ √
9 TSF10 wipe of protected data
√
10 Configure application installation policy √ √
11 Import keys/secrets into the secure key storage √ √
12 Destroy imported keys/secrets and any other keys/secrets in the secure key storage √ √
13 Import X.509v3 certificates into the Trust Anchor Database √ √
14 Remove imported X.509v3 certificates and any other X.509v3 certificates in the Trust Anchor
Database √
15 Enroll the TOE in management √
16 Remove applications √
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 11 of 54
17 Update system software √ √
18 Install applications √ √
19 Remove Enterprise applications √ √
20 Configure the Bluetooth trusted channel √ √
21 Enable/disable display notification in the locked state √
22 Enable/disable all data signaling over [USB hardware ports]
√
24 Enable/disable developer modes √ √
25 Enable data-at rest protection
√
26 Enable removable media’s data at rest protection √ √
28 Wipe Enterprise data √ √
30 Configure whether to allow a trusted channel if certificate validation is not possible √ √
31 Enable/disable the cellular protocols used to connect to cellular network base stations √
32 Read audit logs kept by the TSF √ √
33 Configure certificate used to validate digitally signed applications √ √
34 Approve exceptions for shared use of keys/secrets by multiple applications √ √
35 Approve exceptions for destruction of keys/secrets by other applications √ √
36 Configure the unlock banner
√ √
37 Configure the auditable items √
38 Retrieve TSF-software integrity verification values √
40 Enable/disable backup to remote system √ √
44 Enable/disable location services √ √
3 Managing Audits This section contains the following Common Criteria SFRs:
Audit Data Generation (FAU_GEN.1), Security Audit Event Selection (FAU_SEL.1)
Extended: Audit Storage Protection (FAU_STG_EXT.1)
Specifications of Management Functions (FMT_SMF_EXT.1)
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 12 of 54
3.1 Audit Events The following required audits are described for FAU_GEN.1:
Description Id
Start-up and shutdown of the audit functions Windows Logs/Security: 4608, 1100
All administrative actions <see first table below>
Startup and shutdown of the OS and kernel Windows Logs/Security: 4608, 1100
Insertion or removal of removable media Microsoft- Windows-Kernel-PnP/Device Configuration: 410
Establishment of a synchronizing connection
Windows Logs -> System Source: Schannel : 36880 Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11
Specifically defined auditable events from table 10 <see second table below>
Audit records reaching [assignment: integer value less than 100] percentage of audit capacity, [assignment: other auditable events derived from this profile
Windows Logs/Security: 1103
Table 1: FAU_GEN.1 audits
The following table correlates the set of administrative operations described in this document with their associated audits. Section FMT_SMF_EXT.1 has test procedures to produce these audits.
Administrative Action Id
1. configure password policy: a. minimum password length b. minimum password complexity c. maximum password lifetime
Windows Logs/Security: 4739
2. configure session locking policy: a. screen-lock enabled/disabled b. screen lock timeout c. number of authentication failures
Windows Logs/Security: 4739
3. enable/disable the VPN protection: a. across device [b. on a per-app basis c. no other method]
Windows Logs/Security: Enable: 4651, 5451 Disable: 4655, 5452
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 13 of 54
4. enable/disable [GPS, Wi-Fi, Bluetooth, mobile broadband]
GPS: Windows Logs/Security: 4657 WiFi: Microsoft-Windows-WLAN-AutoConfig/Operational Id 11001 (enable) 11004 (disable) Bluetooth: Windows Logs/Security: 4657 Broadband: WWAN-SVC-EVENTS/WWAN Operational Channel: 11009
5. enable/disable [camera, microphone]: a. across device [
b. on a per-app basis c. no other method]
Windows Logs/Security: 4657
6. specify wireless networks (SSIDs) to which the TSF may connect Microsoft-Windows-WLAN-AutoConfig/Operational: 14001
7. configure security policy for each wireless network: a. [selection: specify the CA(s) from which the TSF will accept WLAN authentication server certificate(s), specify the FQDN(s) of acceptable
WLAN authentication server certificate(s)] b. security type c. authentication protocol d. client credentials to be used for authentication
Windows Logs/Security: 4657
8. transition to the locked state Windows Logs/Security: 4800
9. TSF wipe of protected data Success: System: 12 Failure: Wipe Failure Screen System: 4502
10. configure application installation policy by [selection: a. restricting the sources of applications, b. specifying a set of allowed applications based on [assignment: application characteristics] (an application whitelist), c. denying installation of applications]
Windows Logs/Security: 4657
11. import keys/secrets into the secure key storage Microsoft-Windows-CAPI2/Operational: 90
12. destroy imported keys/secrets and [[any other keys/secrets]] in the secure key storage System: 12
13. import X.509v3 certificates into the Trust Anchor Database
Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational: 1006
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 14 of 54
14. remove imported X.509v3 certificates and [[any other X.509v3 certificates]] in the Trust Anchor Database Microsoft-Windows-CertificateServicesClient-Lifecycle-System: 1004
15. enroll the TOE in management Microsoft-Windows-SystemSettingsThreshold/Operational: 510
16. remove applications Microsoft-Windows-AppXDeploymentServer/Operational: 472
17. update system software Windows Logs/Setup: 1, 2, 3
18. install applications Microsoft-Windows-AppXDeploymentServer/Operational 400
19. remove Enterprise applications Microsoft-Windows-AppXDeploymentServer/Operational: 472
20. configure the Bluetooth trusted channel: a. disable/enable the Discoverable mode (for BR/EDR) b. change the Bluetooth device name [selection: d. disable/enable Advertising (for LE), i. no other Bluetooth configuration]
Windows Logs/Security: 4657
21. enable/disable display notification in the locked state of: [ a. email notifications, b. calendar appointments, c. contact associated with phone call notification, d. text message notification, e. other application-based notifications, f. all notifications]
<none>
22. enable/disable all data signaling over [USB hardware ports] Windows Logs/Security: 4657
23. enable/disable [none] <none>
24. enable/disable developer modes Windows Logs/Security: 4657
25. enable data-at rest protection Windows Logs/System: Id 24579
26. enable removable media’s data-at-rest protection Windows Logs/System: Id 24579
27. enable/disable bypass of local user authentication N/A
28. wipe Enterprise data N/A
29. approve [import, removal] by applications of X.509v3 certificates in the Trust Anchor Database N/A
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 15 of 54
30. configure whether to establish a trusted channel or disallow establishment if the TSF cannot establish a connection to determine the validity of a certificate
N/A
31. enable/disable the cellular protocols used to connect to cellular network base stations Microsoft-Windows-WWAN-SVC-Events/Operational: 11004
32. read audit logs kept by the TSF Windows Logs/Security: 4673
33. configure [certificate] used to validate digital signature on applications
Import certificate: Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational: 1006 Remove certificate: Microsoft-Windows-CertificateServicesClient-Lifecycle-System: 1004
34. approve exceptions for shared use of keys/secrets by multiple applications N/A
35. approve exceptions for destruction of keys/secrets by applications that did not import the key/secret N/A
36. configure the unlock banner Windows Logs/Security: 4657
37. configure the auditable items Windows Logs/Security: 4719
38. retrieve TSF-software integrity verification values Windows Logs/Security: 4657
39. enable/disable [selection: a. USB mass storage mode, b. USB data transfer without user authentication,
USB data transfer without authentication of the connecting system]
N/A
40. enable/disable backup to [remote system] Windows Logs/Security: 4657
41. enable/disable [selection: a. Hotspot functionality authenticated by [selection: pre-shared key, passcode, no authentication],
USB tethering authenticated by [selection: pre-shared key, passcode, no authentication]] N/A
42. approve exceptions for sharing data between [selection: application processes, groups of application processes] N/A
43. place applications into application process groups based on [assignment: application characteristics] N/A
44. enable/disable location services: a. across device [ b. on a per-app basis
c. no other method]
Windows Logs/Security: 4657
45. [none] N/A Table 2: Administrative Actions audits
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 16 of 54
Requirement Description Additional Record Contents Log: Event Id
FAU_SEL.1 All modifications to the audit configuration that occur while the audit collection functions are operating.
No additional Information. Windows Logs/Security: 4719
FCS_CKM_EXT.1 [generation of a REK] No additional Information. Windows Logs/System: 24
FCS_CKM_EXT.5 Success or failure of the wipe. No additional Information. Windows Logs/System: Success: 12 Failure: 4502
FCS_CKM.1(1) Failure of key generation activity for authentication keys. No additional Information. Microsoft-Windows-Crypto-NCrypt: 4
FCS_HTTPS_EXT.1 Failure of the certificate validity check. Issuer Name and Subject Name of certificate. [No additional information].
Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11
FCS_RBG_EXT.1 Failure of the randomization process. No additional information. Windows Logs -> System: 20
FCS_STG_EXT.1 Import or destruction of key. [No other events] Identity of key. Role and identity of requestor.
Import: Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient/Lifecycle-System: 1006 Destruction: Windows Logs/System: 12
FCS_STG_EXT.3 Failure to verify integrity of stored key. Identity of key being verified. Windows Logs/System: 12
FCS_TLSC_EXT.1 Failure to establish an EAP-TLS session.
Windows Logs -> System : 36888 Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11 Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 41 Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 30
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 17 of 54
Requirement Description Additional Record Contents Log: Event Id
Establishment/termination of an EAP-TLS session.
Establishment : Windows Logs -> System : 36880 Termination : Applications and Services Logs -> Microsoft -> Windows -> SChannel-Events -> Perf: 1793
FCS_TLSC_EXT.2
Failure to establish a TLS session. Reason for failure.
Windows Logs -> System : 36888 Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11 Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 41 Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 30
Failure to verify presented identifier. Presented identifier and reference identifier.
Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11
Establishment/termination of a TLS session. Non-TOE endpoint of connection.
Establisment : Windows Logs -> System Source: Schannel : 36880 Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11 Termination : Applications and Services Logs -> Microsoft -> Windows -> SChannel-Events -> Perf: 1793
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 18 of 54
Requirement Description Additional Record Contents Log: Event Id
FDP_DAR_EXT.1 Failure to encrypt/decrypt data. No additional information. Windows Logs -> System : 24588
FDP_STG_EXT.1 Addition or removal of certificate from Trust Anchor Database. Subject name of certificate.
Applications and Services Logs -> Microsoft -> Windows: Import: : CAPI2: 90 Removal: CertificateServicesClient-Lifecycle-System / Operational: 1004
FDP_UPC_EXT.1 Application initiation of trusted channel. Name of application. Trusted channel protocol. Non-TOE endpoint of connection.
HTTPS/TLS: Applications and Services Windows Logs -> System Source: Schannel : 36880 Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11 Bluetooth: Windows Logs -> System: 8
FIA_AFL_EXT.1 Excess of authentication failure limit. No additional information. Exceeding failure limit: Windows Logs/Security: 4740
FIA_BLT_EXT.1 User authorization of Bluetooth device. User authorization for local Bluetooth service.
User authorization decision. Bluetooth address and name of device. Bluetooth profile. Identity of local service.
Windows Logs/System (BTHUSB): 8 Windows Logs/System (UserPnp): 20001
FIA_BLT_EXT.2
Initiation of Bluetooth connection. Bluetooth address and name of device. Windows Logs/System (BTHUSB): 8
Failure of Bluetooth connection. Reason for failure. Windows Logs/System (BTHUSB): 16
FIA_UAU_EXT.2 Action performed before authentication. No additional information. N/A due to no selection in Security Target
FIA_UAU_EXT.3 User changes Password Authentication Factor. No additional information. Windows Logs/Security: 4723
FIA_X509_EXT.1 Failure to validate X.509v3 certificate. Reason for failure of validation. Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11
FIA_X509_EXT.2 Failure to establish connection to determine revocation status. No additional information. Applications and Services Logs ->
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 19 of 54
Requirement Description Additional Record Contents Log: Event Id
Microsoft -> Windows -> CAPI2 -> Operational: 41
FMT_SMF_EXT.1
Change of settings. Role of user that changed setting. Value of new setting.
See Table 2: Administrative Actions audits
Success or failure of function. Role of user that performed function. Function performed. Reason for failure
Initiation of software update. Version of update. Windows Logs/System: 19
Initiation of application installation or update. Name and version of application. Microsoft-Windows-AppXDeploymentServer/Operational: 400
FMT_SMF_EXT.2 Unenrollment. Identity of administrator. Remediation action performed.
Un-enroll: Microsoft-Windows-SystemSettingsThreshold/Operational: 511
FPT_AEX_EXT.4 Blocked attempt to modify TSF data. Identity of subject. Identity of TSF data. Windows Logs/Security: 4657
FPT_NOT_EXT.1 [Measurement of TSF software]. [Integrity verification value]. Attestation log file <See section “Managing Health Attestation” for more information>
FPT_TST_EXT.1 Initiation of self-test. Failure of self-test. Windows Logs/System: 20
FPT_TST_EXT.2 Start-up of TOE. Boot Mode. Windows Logs/System: 21
[Detected integrity violations]. [The TSF code that caused the integrity violation].
Recovery Screen
FPT_TUD_EXT.2
Success or failure of signature verification for software updates. Windows Logs/Setup: 1, 2, 3
Success or failure of signature verification for applications. Microsoft-Windows-AppXDeploymentServer/Operational: 400/404 for success/failure
FTA_TAB.1 Change in banner setting. No additional information. Windows Logs/Security: 4657
FTA_WSE_EXT.1 All attempts to connect to access points. Identity of access point. Microsoft-Windows-WLAN-AutoConfig/Operational log event: 8000, 8003
FTP_ITC_EXT.1 Initiation and termination of trusted channel. Trusted channel protocol. Non-TOE endpoint IPSec: Windows Logs/Security: 4651,
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 20 of 54
Requirement Description Additional Record Contents Log: Event Id
of connection. 5451, 4655, 5452 HTTP/TLS: Applications and Services Windows Logs -> System Source: Schannel : 36880 Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11 Applications and Services Logs -> Microsoft -> Windows -> SChannel-Events -> Perf: 1793 EAP-TLS/802.1x/802.11-2012: Microsoft-Windows-WLAN-AutoConfig/Operational: 8001, 8003
Table 3: Audits for Security Target Table 10
Id Log location Message Fields
1 Windows Logs -> Setup Initiating changes for package Logged: <Date and time of event> PackageIdentifier: <KB package Id> InitialPackageState: Resolved IntendedPackageState: Installed ErrorCode: <success outcome indicated by 0x0>
2 Windows Logs -> Setup Package was successfully changed to the Installed state
Logged: <Date and time of event> PackageIdentifier: <KB package Id> IntendedPackageState: Installed ErrorCode: <success outcome indicated by 0x0>
3 Windows Logs -> Setup Windows update could not be installed because … “The data is invalid”
Logged: <Date and time of event> Commandline: <KB package Id> ErrorCode: <install failure indicated by 0x800700D (2147942413)>
4 Microsoft-Windows-Crypto-NCrypt Create key operation failed Logged: <Date and time of event>
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 21 of 54
Provider Name: <Key storage provider name> Key Name: <Unique name for key> Algorithm Name: <Key algorithm name>
8 Windows Logs -> System Source: BTHUSB
The remote adapter < remote bluetooth radio address> was successfully paired with the local adapter.
Logged: <Date and time of event> EventData: <remote bluetooth radio address>
9 Windows Logs -> System Source: BTHUSB
The remote adapter < remote bluetooth radio address> was added to the list of personal devices.
Logged: <Date and time of event> EventData: <remote bluetooth radio address>
11 Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
Build Chain System/TimeCreated/SystemTime: <Date and time of event> UserData/CertGetCertificateChain/Certificate/subjectName: <subject name in client certificate> UserData/CertGetCertificateChain/CertificateChain/ChainElement/Certificate <issuer of leaf certificate as subject name in chained certificate> TrustStatus -> ErrorStatus: <Error code1>
12 Windows Logs -> System The operating system started at system time <time>.
Logged: <Date and time of OS startup> This event along with no other earlier events indicates a wipe has occurred.
16 Windows Logs -> System Source: BTHUSB
The mutual authentication between the local Bluetooth adapter and a device with Bluetooth adapter address <device address> failed.
Logged: <Date and time of event> Data: <remote device address>
19 Windows Logs -> System Installation Successful: Windows successfully installed the following update: <app/update name>
Logged: <Date and time of event> Security ID: <SID of user account that installed the app> updateTitle: <app/update name> updateGuid: <app/update Guid> serviceGuid: <app/service GUID> updateRevisionNumber: <app version>
20 Windows Logs -> System Source: Kernel-Boot
The last boot’s success was <LastBootGood event data>.
Logged: <Date and time of event> LastBootGood: <Outcome as true or false indicating if the kernel-mode cryptographic self-tests and RNG initialization succeeded or failed>
1 Error 20 indicates an untrusted root in the certificate chain.
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 22 of 54
21 Windows Logs -> System Source: Kernel-Boot
The OS loader advanced options menu was displayed and the user selected option <boot mode>
Logged: <Date and time of event> OptionSelected: <auxililiary boot mode> Note: this event is recorded if the operating system was started in an auxiliary boot mode whereas its absence indicates the operating system started in normal boot mode.
24 Windows Logs -> System Source: TPM
The Trusted Platform Module (TPM) status: <enabled state> and <active state>.
Logged: <Date and time of event>
30 Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
Verify Chain Policy System -> TimeCreated -> SystemTime: <Date and time of event> UserData -> CertVerifyCertificateChainPolicy -> Certificate -> subjectName: <certificate subject name> UserData -> Result value -> error: <error code> Error 0x800B010F: The certificate’s CN name does not match the passed value.
41 Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
Verify Revocation System -> TimeCreated -> SystemTime: <Date and time of event> UserData -> CertVerifyRevocation -> Certificate -> subjectName: <certificate subject name> UserData -> RevocationStatus -> error: <error code2>
90 Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
<un-named> Logged: <Date and time of event> Security UserID: <SID of user account that imported the certificate/secrets> Subject: <Certificate subject name, CN, etc.>
400 Applications and Services Logs -> Microsoft -> Windows -> AppXDeployment-Server -> Microsoft-Windows-AppXDeployment-Server/Operational
Deployment Add operation on Package <package Id> from: (<.appx pathname> ) finished successfully
Logged: <Date and time of event> User ID: <SID of user account that installed the app> PackageFullName: <package Id> Path: <.appx pathname>
404 Applications and Services Logs -> Microsoft -> Windows -> AppXDeployment-Server -> Microsoft-Windows-AppXDeployment-Server/Operational
AppX Deployment operation failed for package <app package identity> with error <error code>. The specific error text for this failure is: <failure text>.
Logged: <Date and time of event> User ID: <SID of user account that installed the app> PackageFullName: <package Id>
410 Applications and Services Logs -> Device < DeviceInstanceId> was started Logged: <Date and time of event>
2 Error code 0x80092013 indicates “The revocation function was unable to check revocation because the revocation server was offline.
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 23 of 54
Microsoft -> Windows -> Kernel-PnP -> Device Configuration
Security ID: <user identity> DeviceInstanceId: <Device path and volume GUID of inserted removable media>
472 Applications and Services Logs -> Microsoft -> Windows -> AppXDeployment-Server -> Microsoft-Windows-AppXDeployment-Server /Operational
Moving package folder <%program files location%\<package Id> to <%deleted program files location%\<package Id>. Result: <status code>
Logged: <Date and time of event> Security ID: <SID of user account that installed the app> SourceFolderPath: <%program files location%\<package Id> DestinationFolderPath: <%deleted program files location%\<package Id>
510 Applications and Services Logs -> Microsoft -> Windows -> SystemSettingsThreshold -> Operational
Attempted to turn on workplace device management. Result is <status code> ending at phase 3
Logged: <Date and time of event> Security UserID: <SID of user account that initiated enrolling TOE in management> ResultCode: <status code> CorpDeviceOperationPhase: 3
511 Microsoft-Windows-SystemSettingsThreshold/Operational
Attempted to turn of workplace device management. Result is <result code>
Logged: <Date and time of event> Security: <user identity> Remediation action removed Enterprise apps.
801 Applications and Services Logs -> Microsoft -> Windows -> Kernel-PnP -> Device Configuration
Enable PnP device.
830 Applications and Services Logs -> Microsoft -> Windows -> Kernel-PnP -> Device Configuration
Disable PnP device
1004 Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational
A certificate has been deleted Logged: <Date and time of event> Security ID: <SID of user account that deleted the certificate/secrets> SubjectNames: <Deleted certificate subject name> Thumbprint: <Deleted certificate thumbprint> EKUs: <Deleted certificate EKUs> NotValidAfter: :<Deleted certificate expiration date>
1006 Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational
A new certificate has been installed. Logged: <Date and time of event> Subject: <Certificate subject name, CN, etc.> Thumbprint: <Certificate thumbprint>
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 24 of 54
Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational
1015 Applications and Services Logs -> Microsoft -> Windows -> Wcmsvc -> Operational
Interface token applied Logged: <Date and time of event> Security ID: <SID of user account that deleted the certificate/secrets> Media type: <indication of broadband (Wwan) or WiFi (Wlan)> AutoProfiles: <indication of added or removed action (blank if removed, else name of Wwan or Wlan profile)>
1100
Windows Logs -> Security Subcategory: Security State Change
The event logging service has shut down Logged: <Date and time of event> Keywords: <Outcome as Success>
1103 Windows Logs -> System The security audit log is now <the configured value > percent full.
Logged: <Date and time of event> Keywords: <Outcome as Success>
1104 Windows Logs -> System The security audit log is full. Logged: <Date and time of event> Keywords: <Outcome as Success>
1793 Applications and Services Logs -> Microsoft -> Windows -> SChannel-Events -> Perf
<This event indicates that the TLS connection was terminated>
Logged: <Date and time of event>
3004 Windows Logs -> System Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
Logged: <Date and time of event> Level: <error level> Task category: <type of event> User: <User performing the check> Machine: <Machine check was performed on> General Description: <Contains the filename that caused the integrity violation>
4502 Microsoft-Windows-ResetEng Attempt to restore the system to original condition has failed. Changes to the system have been undone.
Logged: <Date and time of event>
4608 Windows Logs -> Security Subcategory: Security State Change
Startup of audit functions Logged: <Date and time of event> Task category: <type of event> Keywords: <Outcome as Success or Failure>
4624 Windows Logs -> Security Subcategory: Logon
An account was successfully logged on. Logged: <Date and time of event> Security ID: <SID of enabled user account>
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 25 of 54
Account Name: <name of enabled account> Account Domain: <domain of enabled account if applicable, otherwise computer> Workstation Name: <name of computer user logged on> Logon Type: <type of logon (e.g. interactive)> LogonID: <unique logon identification> Source Network Address: <IP address of computer logged on>
4651 Windows Logs -> Security Subcategory: IPsec Main Mode
IPsec main mode security association was established. A certificate was used for authentication.
Logged: <Date and time of event> Task category: <type of event> Local Endpoint: <Subject identity as IP address> Remote Endpoint: <Subject identity as IP address of non-TOE endpoint of connection > Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2> Local Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint> Remote Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint> Cryptographic Information: <The entry in the SPD that applied to the decision as MM SA Id and cryptographic parameters established in the SA> Keywords: <Outcome as Success>
4655 Windows Logs -> Security Subcategory: IPsec Main Mode
IPsec main mode security association ended
Logged: <Date and time of event> Task category: <type of event> Local Endpoint: <Subject identity as IP address/port > Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection/channel > Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2> Keywords: <Outcome as Success>
4657 Windows Logs -> Security Subcategory: Registry
Registry entry change Logged: <Date and time of event> Task category: <type of event> Security ID: <user identity> Object name: <key path> Changes: <old and new registry values> Keywords: <Outcome as Success or Failure>
4673 Windows Logs -> Security Subcategory: Sensitive Privilege Use / Non Sensitive Privilege Use
A privileged service was called. Logged: <Date and time of event> Security ID: <SID of user account that viewed the log> Account Name: <user account name that viewed the log>
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 26 of 54
Account Domain: <domain of user accout that viewed the log> Keywords: <Outcome as Success>
4719 Windows Logs -> Security Subcategory: Audit Policy Change
System audit policy was changed Logged: <Date and time of event> Task category: <category of audit> Task Subcategory: <subcategory of audit> Subcategory GUID: <subcategory GUID name> Security ID: <user identity> Account Name: <account name> Account Domain: <account domain> Login ID: <login Id> Changes: <Success/Failure changes> Keywords: <Outcome as Success or Failure>
4723 Windows Logs -> Security Subcategory: User Account Management
An attempt was made to change an account's password.
Logged: <Date and time of event> Security ID: <user identity> Keywords: <Outcome as Success or Failure>
4739 Windows Logs -> Security Subcategory: Authentication Policy Change
Domain Policy was changed. Logged: <Date and time of event> Security ID: <SID of user account making audit policy change> Account Name: <name of user account making audit policy change > Account Domain: <domain of user account making audit policy change if applicable, otherwise computer> Category: <Audit category that was changed.> Subcategory: <Audit subcategory that was changed.> Changes: <Change to audit policy.>
4740 Windows Logs -> Security Subcategory: User Account Management
A user account was locked out Logged: <Date and time of event> Security ID: <SID of locked account> Account Name: <name of locked account> Account Domain: <domain of locked account>
4800 Windows Logs -> Security Subcategory: Logoff
The workstation was locked. Logged: <Date and time of event> Security UserID: <SID of logon user> Account Name: <name of logon account> Account Domain: <domain of logon account>
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 27 of 54
4801 Windows Logs -> Security Subcategory: Logon
The workstation was unlocked. Logged: <Date and time of event> Security ID: <SID of logon user> Account Name: <name of logon account> Account Domain: <domain of logon account>
4950 Windows Logs -> Security Subcategory: MPSSVC Rule-Level Policy Change
A Windows Firewall setting has changed. Logged: <Date and time of event> Security ID: <SID of user configuring the setting> Value: <new configuration setting value>
5058 Windows Logs -> Security Subcategory: System Integrity
Key file operation Logged: <Date and time of event> Task category: <type of event> Subject: <Security ID, Account Name/Domain> Cryptographic Parameters: <Key Name/Type> Key file operation information: <Filepath, operation, return code>
5061 Windows Logs -> Security Subcategory: System Integrity
Cryptographic operation. Logged: <Date and time of event> Task category: <type of event> Subject: <Security ID, Account Name/Domain> Cryptographic parameters: <Key Name/Type> Cryptographic operation: <Operation, return code>
5447 Windows Logs -> Security Subcategory: Other Policy Change Events
Windows Filtering Platform filter has been changed
Logged: <Date and time of event> Task category: <type of event> Change type: <Operation as add, change or delete> Filter ID: <Filter Id as GUID> Filter Name: <Filter identifier as text-based name> Layer ID: <Layer Id as GUID> Layer Name: <Layer identifier as text-based name> Additional Information: <Filter conditions>
5450 Windows Logs -> Security Subcategory: Filtering Platform Policy Change
Windows Filtering Platform sub-layer has been changed
Logged: <Date and time of event> Task category: <type of event> Change type: <Operation as add, change or delete> Sub-layer ID: <Sub-layer Id as GUID> Sub-layer Name: <Sub-layer identifier as text-based name>
5451 Windows Logs -> Security
IPsec quick mode security association was established
Logged: <Date and time of event> Task category: <type of event>
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 28 of 54
Subcategory: IPsec Quick Mode Local Endpoint: <Subject identity as IP address/port> Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection > Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2> Cryptographic Information: <The entry in the SPD that applied to the decision as MM SA Id, QM SA Id, Inbound SPI, Outbound SPI and cryptographic parameters established in the SA > Keywords: <Outcome as Success>
5452 Windows Logs -> Security Subcategory: IPsec Quick Mode
IPsec quick mode security association ended
Logged: <Date and time of event> Task category: <type of event> Local Endpoint: <Subject identity as IP address/port> Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection > Cryptographic Information: <The entry in the SPD that applied to the decision as the QM SA Id, Tunnel Id, Traffic Selector Id> Keywords: <Outcome as Success>
5038 Windows Logs -> Security Subcategory: System Integrity
Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
Logged: <Date and time of event> Task category: <type of event> File Name: < file failing integrity check>
5446 Windows Logs -> Security Subcategory: Filtering Platform Policy Change
Windows Filtering Platform callout has been changed
Logged: <Date and time of event> Task category: <type of event> Change type: <Operation as add, change or delete> Callout ID: <Callout identifier as GUID> Callout Name: <Callout identifier as text-based name> Layer ID: <Layer identifier as GUID> Layer Name: <Layer identifier as text-based name> Keywords: <Outcome as Success or Failure>
5447 Windows Logs -> Security Subcategory: Other Policy Change Events
Windows Filtering Platform filter has been changed
Logged: <Date and time of event> Task category: <type of event> Change type: <Operation as add, change or delete> Filter ID: <Filter Id as GUID> Filter Name: <Filter identifier as text-based name> Layer ID: <Layer Id as GUID> Layer Name: <Layer identifier as text-based name> Additional Information: <Filter conditions>
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 29 of 54
5450 Windows Logs -> Security Subcategory: Filtering Platform Policy Change
Windows Filtering Platform sub-layer has been changed
Logged: <Date and time of event> Task category: <type of event> Change type: <Operation as add, change or delete> Sub-layer ID: <Sub-layer Id as GUID> Sub-layer Name: <Sub-layer identifier as text-based name>
8000 Microsoft-Windows-WLAN-AutoConfig/Operational
WLAN AutoConfig service started a connection to a wireless network
Logged: <Date and time of event> Network Adapter: <adapter device name>
8001 Microsoft-Windows-WLAN-AutoConfig/Operational
WLAN AutoConfig service has successfully connected to a wireless network
Logged: <Date and time of event> SSID: <Wireless network name> (non-TOE endpoint of connection) Authentication: WPA2-Enterprise (protocol) 802.1x Enabled: Yes (protocol)
8003 Microsoft-Windows-WLAN-AutoConfig/Operational
WLAN AutoConfig service has successfully disconnected from a wireless network
Logged: <Date and time of event> SSID: < Wireless network name> (non-TOE endpoint of connection)
8003 Microsoft-Windows-WLAN-AutoConfig/Operational
WLAN AutoConfig service has successfully disconnectd from a wireless network
Logged: <Date and time of event> Network Adapter: <adapter device name>
11001 Microsoft-Windows-WLAN-AutoConfig/Operational
Wireless network association succeeded Logged: <Date and time of event> Network Adapter: <adapter device name> Local MAC address: <Wi-Fi address>
11009 Microsoft-Windows-WWAN-SVC-Events/Operational
Received ContextState Logged: <Date and time of event> State: <WwanActivatinoStateActivated> State: <WwanActivatinoStateDeActivated>
11004 Microsoft-Windows-WLAN-AutoConfig/Operational
Wireless security stopped Logged: <Date and time of event> Network Adapter: <adapter device name> Local MAC address: <Wi-Fi address>
11010 Applications and Services Logs -> Microsoft -> Windows -> WLAN-AutoConfig -> Operational
Wireless Security Started Logged: <Date and time of event> Network Adapter: <enabled adapter name> Local MAC Address: <enabled adapter MAC address>
14001 Microsoft-Windows-WLAN-AutoConfig/Operational
New Wireless Network Policy Logged: <Date and time of event> Applied Settings: <WiFi configuration settings >
20001 Windows Logs -> System Source: UserPnP
Driver Manager concluded the process to install driver <driver name> for Device Instance ID <ID value include device address>
Logged: <Date and time of event> Security UserID: <SID of user> DeviceInstanceID: <instance ID (including remote device address)> SetupClass: <Bluetooth service/profile GUID>
24579 Windows Logs -> System Encryption of volume <drive letter>: Logged: <Date and time of event>
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 30 of 54
completed Security UserID: <SID of user account that installed the app> Volume: <encrypted volume letter>
24588 Windows Logs -> System The conversion operation on volume <drive letter> encountered a bad sector error.
Logged: <Date and time of event> Volume: <encrypted volume letter>
36880 Windows Logs -> System Source: Schannel
An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows.
Logged: <Date and time of event> Protocol: <TLS protocol> CipherSuite: <cypher suite>
36888 Windows Logs -> System Source: Schannel
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is %1.
Logged: <Date and time of event> Reason for failureProtocol: <TLS protocol error code> The following are the possible error codes:
Description Error Code Value
Unexpected message 10
Bad record MAC 20
Record overflow 22
Decompression fail 30
Handshake failure 40
Illegal parameter 47
Unknown CA 48
Access denied 49
Decode error 50
Decrypt error 51
Protocol version 70
Insufficient security 71
Internal error 80
Unsupported extension 110
Recovery Screen
Windows Logs -> System and Display
System event Id 20 is recorded by source Kernel-Boot indicating event data “LastBootGood” as “false”. This event together with the indication of the TSF executable causing the failed boot on the Recovery screen.
Wipe Failure Screen
Display There was a problem resetting your PC. No changes were made.
On logon a message is displayed to the user indicating that the recovery operation of the system failed.
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 31 of 54
Bitlocker recovery
Display Bitlocker recovery On startup a message is displayed requesting the Bitlocker recovery key
Table 4: Audit Descriptions
3.2 Managing Audit Policy
3.2.1 Local Administrator Guidance
The following log locations are always enabled:
Windows Logs -> System
Windows Logs -> Setup
Windows Logs -> Security (for startup and shutdown of the audit functions and of the OS and kernel, and clearing the audit log)
The following TechNet topic describes the categories of audits in the Windows Logs -> Security log:
Advanced Audit Policy Configuration: http://technet.microsoft.com/en-us/library/jj852202(v=ws.10).aspx
The following TechNet topic describes how to select audit policies by category, user and audit success or failure in the Windows Logs -> Security log:
- Auditpol set: https://technet.microsoft.com/en-us/library/cc755264.aspx
For example, to enable all audits in the given subcategories of the Windows Logs -> Security log run the following commands at an elevated command prompt:
Logon operations:
auditpol /set /subcategory:”Logon” /success:enable /failure:enable
audit policy changes:
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
IPsec operations:
auditpol /set /subcategory:”IPsec Main Mode” /success:enable /failure:enable
auditpol /set /subcategory: “IPsec Quick Mode” /success:enable /failure:enable
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 32 of 54
Configuring IKEv1 and IKEv2 connection properties:
auditpol /set /subcategory:" Filtering Platform Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Other Policy Change Events" /success:enable /failure:enable
registry changes (modifying TLS Cipher Suite priority):
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
In addition to enabling audit policy as noted above, each registry key to be audited must also have its auditing permissions enabled. This is done as follows:
1. Start the registry editor tool by executing the command regedit.exe as an administrator
2. Navigate to the registry path for the key that should be audited, right-click the key’s node and select Permissions… on the key’s context menu to open the Permissions dialog
3. Click the Advanced button to open the Advanced Security Settings dialog, click on the Auditing tab and click the Add button to open the Auditing Entry dialog
4. Click the Select a principal to open the Select User or Group dialog to select a user (e.g. Administrator) and click the OK button.
5. Choose the desired audits using the Type, Applies to and Basic Permissions attributes and click OK
6. Click OK on the Advanced Security Settings dialog
7. Click OK on the Permissions dialog
The following is the list of registry keys that must be audited:
HKEY_LOCAL_MACHINE/Software/Microsoft/PolicyManager
HKEY_LOCAL_MACHINE /Software/Policies/Microsoft/Windows/DeviceInstall/Restrictions
HKEY_LOCAL_MACHINE /Software/Policies/Microsoft/Windows/SettingSync/DisableSettingSync
HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Policies/System
To enable/disable TLS event logging in the System Event Log, see the following link:
https://technet.microsoft.com/en-us/library/Dn786445.aspx#BKMK_HowToEnableSchannelEventLogging
To enable/disable event logging in the Application and Services Logs, see the following link describing how to enumerate the log names3 and set their enabled state:
3 “Log Location” log names shown in the table above correlate with the names enumerated by Wevtutil utility (which requires a quoted name using hyphens rather than spaces).
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 33 of 54
Wevtutil: http://technet.microsoft.com/en-us/library/cc732848.aspx
To view audit logs, see the following link:
Get-EventLog: http://technet.microsoft.com/en-us/library/hh849834.aspx
4 Managing Wipe This section contains the following Common Criteria SFRs:
Extended: TSF Wipe (FCS_CKM_EXT.5)
4.1 IT Administrator Windows 10 devices can be configured for wipe after exceeding a maximum number of consecutive authentication failures by the MDM administrator by using the “Number of failed logon
attempts before the device is wiped” policy as described in the following TechNet topic (see “Password” heading):
General settings for Mobile Devices in Configuration Manager: https://technet.microsoft.com/en-us/library/dn376523.aspx#BKMK_Password
The “Password” settings are enforced only if the “Require password settings on mobile devices”policy is also set.
4.2 Local Administrator Guidance The following Windows help topic describes how to reset Windows 10 devices with removal of all user data (the “Fully clean the drive” option wipes all protected data):
How to refresh, reset, or restore your PC: http://windows.microsoft.com/en-us/windows-10/windows-10-recovery-options
5 Managing EAP-TLS This section contains the following Common Criteria SFRs:
Extended: Trusted Channel Communication (FTP_ITC_EXT.1)
Extended: PAE Authentication (FIA_PAE_EXT.1)
Extended: Trusted Channel Communication (FTP_ITC_EXT.1)
Extended: Wireless Network Access (FTA_WSE_EXT.1)
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 34 of 54
Specifications of Management Functions (FMT_SMF_EXT.1)
5.1 IT Administrator Guidance An MDM system can be used to manage Wi-Fi profiles.
The following links specify the server certificate requirements for EAP-TLS and the procedure to create a Wi-Fi profile in System Center 2012 R2 Configuration Manager:
Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS: http://support.microsoft.com/kb/814394/en-us
Wi-Fi Profiles in Configuration Manager: https://technet.microsoft.com/en-us/library/dn261221.aspx
Steps 1 – 4 in the following link describe how to configure the IT infrastructure for EAP-TLS using WPA2-Enterprise (based on 802.1x authentication and 802.11-2012 encryption standards):
Creating a secure 802.1x wireless infrastructure using Microsoft Windows: http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-
infrastructure-using-microsoft-windows.aspx
Group policy can be used to specify the wireless networks (SSIDs) that a user may connect to.
Configure Network Permissions and Connection Preferences : https://msdn.microsoft.com/en-us/library/dd759204.aspx
5.2 Local Administrator Guidance The following topics describe how to configure EAP-TLS on Windows 10:
Extensible Authentication Protocol (EAP) Settings for Network Access: http://technet.microsoft.com/en-us/library/hh945104.aspx4
The TOE comes preloaded with root certificates for various Certificate Authorities. The following TechNet topic describes how to manage trust relationships:
Manage Trusted Root Certificates: http://technet.microsoft.com/en-us/library/cc754841.aspx
4 This topic also applies to Windows 10
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 35 of 54
5.3 User Guidance The user views the list of available networks (including networks associated with a configured Wi-Fi profile) in Settings -> Network & Internet -> Wi-Fi. Tapping a given Wi-Fi network presents
the option to Connect to the network.
6 Managing TLS This section contains the following Common Criteria SFRs:
Extended: EAP TLS Protocol (FCS_TLSC_EXT.1)
Extended: TLS Protocol (FCS_TLSC_EXT.2)
6.1 IT Administrator Guidance The cipher suite selection and priority may be configured on the server side of a connection. Cipher suite selection is made according to the default order as described in the previous section for
Windows 10.
The DN in the certificate is automatically compared to the expected DN and does not require additional configuration of the expected DN for the connection.
Windows 10 devices may be configured to trust a Certificate Authority by using policy pushed to the device by a MDM. The TOE comes preloaded with root certificates for various Certificate
Authorities. Additional Certificate Authorities may be managed on the Windows 10 device using workplace enrollment and an MDM.Restricting Applications.
There is no configuration necessary to use client authentication on the device once a device has client authentication certificates. See the Managing Certificates section for information on
configuring a device to enroll for client certificates.
6.2 Local Administrator Guidance The mandatory and optional cipher suites listed in the Security Target correlate with those available in the TOE as follows:
Cipher Suites (per Security Target) Cipher Suite Requirement
Available Cipher Suites in TOE5
TLS_RSA_WITH_AES_128_CBC_SHA Mandatory TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA Optional TLS_RSA_WITH_AES_256_CBC_SHA
5 See: Cipher Suites in Schannel: http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 36 of 54
TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246 Optional TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_ SHA256 as defined in RFC 5246 Optional TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
Optional TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
Optional TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
Optional TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
Optional TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA Optional TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 and/or TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA Optional TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 and/or TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
The following MSDN article describes how the administrator modifies the set of TLS cipher suites for priority and availability:
- Prioritizing Schannel Cipher Suites: http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx
- How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll: http://support.microsoft.com/kb/245030
The DN in the certificate is automatically compared to the expected DN and does not require additional configuration of the expected DN for the connection.
The TOE comes preloaded with root certificates for various Certificate Authorities. The following TechNet topic describes how to manage trust relationships:
Manage Trusted Root Certificates: http://technet.microsoft.com/en-us/library/cc754841.aspx
Hashes in the TLS protocol are configured in association with cipher suite selection. The administrator configures the cipher suites used on a machine by following the configuration instructions
at the following link: http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx
The elliptic curves supported for a particular cipher suite are part of the cipher suite configuration. For example in the table above one of the supported cipher suites is
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, note that the string used to configure this cipher suite is TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256, which is slightly different
than the actual cipher suite name. The difference is the final four characters which indicate the elliptic curve that is to be used, in this case it is the curve P256 (secp256r1).
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 37 of 54
The reference identifier in Windows 10 for TLS is the URL of the server. There is no configuration of the reference identifier.
The signature algorithm is not configurable in Windows 10 for TLS.
6.3 User Guidance Users may choose using TLS with HTTPS by using https in the URL typed into the browser.
7 Managing Apps This section contains the following Common Criteria SFRs:
Extended: Security Attribute Based Access Control (FDP_ACF_EXT.1)
7.1 IT Administrator Guidance MDM solutions are capable of installing, removing and restricting the ability for applications to run on Windows 10.
7.2 Local Administrator Guidance The ability for users to run the Store app may be removed using a registry value on Windows 10 by performing the following steps:
1. Start the registry editor tool by executing the command regedit.exe as an administrator
2. Navigate to the registry path HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsStore. Note that the WindowsStore registry key may need to be created.
3. Create a DWORD (32 bit) registry value with the name RemoveWindowsStore under the WindowsStore registry key. Set the registry value to 1.
Local administrators can also restrict the ability of users to install applications using AppLocker on Windows 10 as described in the AppLocker Overview: https://technet.microsoft.com/en-
us/library/hh831440.aspx.
Local administrators remove applications in the same manner as device users.
7.3 User Guidance The following Windows help topic describes how users remove an app installed from the Store, or in the case of enrolled devices, from their Company Portal or installed automatically by their IT
administrator, and any information the app contained:
Uninstall, change or repair a program: http://windows.microsoft.com/en-us/windows-10/repair-or-remove-programs#v1h=tab01
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 38 of 54
Note: If the system administrator has configured required Enterprise apps then those Enterprise apps will be re-installed if a user uninstalls them.
8 Managing Volume Encryption This section contains the following Common Criteria SFRs:
Extended: Data at Rest Protection (FDP_DAR_EXT.1)
The following TechNet topic describes the BitLocker feature, including its use to encrypt the entire operation system volume or removable volumes:
- BitLocker Overview: http://technet.microsoft.com/en-US/library/hh831713.aspx
8.1 Local Administrator Guidance The following TechNet topic describes the manage-bde command that should be executed in a command shell while running as an administrator to configure DAR protection:
- Manage-bde: http://technet.microsoft.com/en-us/library/ff829849(v=ws.10).aspx
By default AES128 encrypion is used by the manage-bde command when enabling BitLocker for Windows 10 – the AES256 algorithm should be used instead. In addition, the TPM and PIN
authorization factor must be used in the evaluated configuration. The Enhanced PIN capabilities must be used in the evaluated configuration.
To enable the TPM and Enhanced PIN authorization factors execute the following command:
- Manage-bde –on <operating system disk volume letter>: -tpmandpin -encryptionMethod aes256
For the Surface Pro 3 and Surface 3 (LTE) a USB keyboard is necessary to enter the Enhanced PIN to unlock the drive at boot.
The following is a link to BitLocker Policy settings:
- https://technet.microsoft.com/en-us/library/jj679890.aspx
Administrators must create an Enhanced PIN value with a minimum of four and a maximum of 20 numeric characters, but can also include uppercase and lowercase English letters, symbols on
an EN-US keyboard, numbers, and spaces. To enable the Enhanced PIN capabilities start the gpedit.msc MMC snap-in as an administrator and enable the following local or group policy:
- Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives\Allow enhanced PINs for startup
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 39 of 54
Other BitLocker policies that must be enabled to use the TPM and Enhanced PIN authenticator are:
- Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives\Enable use of BitLocker authentication requiring preboot keyboard input on slates
- Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives\Require additional authentication at startup
8.2 User Guidance Users may use BitLocker To Go in order to encrypt removable drives. The following details how to do this:
1. Click Start, click Control Panel, click Security, and then click BitLocker Drive Encryption.
2. On the BitLocker Drive Encryption page, follow the instructions in the Removable data drives – BitLocker To Go section.
9 Managing VPN The native Window 10 VPN client is not part of this evaluation. Windows 10 does provides support for third-party IPsec VPN clients using the Windows.Networking.Vpn classes and the
networkingVpnProvider capability. The link below provides documentation for Windows.Networking.Vpn:
https://msdn.microsoft.com/en-us/library/windows/apps/windows.networking.vpn.aspx
10 Managing Accounts This section contains the following Common Criteria SFRs:
Extended: Authorization Failure Handling (FIA_AFL_EXT.1)
10.1 Local Administrator Guidance The following TechNet topic explains the net accounts command line utility for standalone computers (followed by command line options for managing account lockout policy):
Net Accounts: http://technet.microsoft.com/en-us/library/bb490698.aspx
In addition to the parameters given in the referenced article the following are also valid options:
/lockoutthreshold: number : Sets the number of times a bad password may be entered until the account is locked out. If set to 0 then the account is never locked out.
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 40 of 54
/lockoutwindow: minutes : Sets the number of minutes of the lockout window.
/lockoutduration: minutes : Sets the number of minutes the account will be locked out for.
Exceeding the authentication failure limit is audited by Security log Id 4740. However, this information is lost when an enrolled device exceeds the authentication failure limit configured by the
IT administrator as described in section “Managing Wipe”.
When the organizational user attempts to logon repeatedly with a bad password, they will eventually be prompted that the account is about to be locked out and that they will need a BitLocker
recovery key to unlock. In certain configurations of the system, including the evaluated configuration, there will not be a Bitlocker recovery key to use once the maximum logon attempt
threshold is passed. In such a situation the device is considered to be “wiped” as recovery of the data on the Bitlocker encrypted volumes is not possible. This is true even if the system prompts
the user explicitly for a Bitlocker recovery key, as this prompt occurs even if no Bitlocker recovery key was ever configured.
11 Managing Bluetooth This section contains the following Common Criteria SFRs:
Extended: Bluetooth Authentication (FIA_BLT_EXT.1)
Specifications of Management Functions (FMT_SMF_EXT.1)
11.1 IT Administrator The TOE includes a Policy Configuration Service Provider (CSP) that is able to handle policy configuration requests from MDM systems. The following MSDN topic describes how to configure the
Bluetooth trusted channel policies a) disable/enable the Discoverable mode (for BR/EDR), b) change the Bluetooth device name, c) disable/enable Advertising (for LE):
Policy CSP: https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx
o See Bluetooth/AllowDiscoverableMode, Bluetooth/LocalDeviceName and Bluetooth/AllowAdvertising
11.2 Local Administrator Guidance Bluetooth is enabled and disabled in the Settings -> Devices -> Bluetooth user interface by setting the radio button labeled Bluetooth to the On or Off state.
No configuration is necessary to ensure the Bluetooth services provided before login are limited.
11.3 User Guidance The following topic describes how to initiate and complete pairing with a Bluetooth device:
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 41 of 54
Add a Bluetooth device: https://www.microsoft.com/surface/en-us/support/hardware-and-drivers/add-a-bluetooth-device?os=windows-10
Bluetooth pairing uses a protected communication channel by default so there is no configuration necessary.
12 Managing Passwords
12.1 Strong Passwords This section contains the following Common Criteria SFRs:
Extended: Password Management (FIA_PMG_EXT.1)
12.1.1 IT Administrator Guidance
An MDM system may be used to enforce use of strong passwords.
12.1.2 Local Administrator Guidance
The following TechNet topics describe the characteristics for passwords that are available, instructions for setting the enforcement mechanism and a discussion of strong passwords and
recommended minimum settings:
Enforcing Strong Password Usage Throughout Your Organization: https://technet.microsoft.com/en-us/library/hh994562(v=ws.10).aspx
Strong Password: http://technet.microsoft.com/en-us/library/cc756109(v=ws.10).aspx
Password Best practices: http://technet.microsoft.com/en-us/library/cc784090(v=ws.10).aspx
12.2 Protecting Passwords This section contains the following Common Criteria SFRs:
Protected Authorization Feedback (FIA_UAU.7)
12.2.1 User Guidance
The following Windows Help topic describes how to conduct initial logon authentication for users:
Sign in to or out of Windows: http://windows.microsoft.com/en-us/windows-8/sign-in-out-of-windows
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 42 of 54
Windows 10 do not require any configuration to ensure the password is obscured by default. The following best practices should be observed:
As with all forms of authentication, when entering your password, avoid allowing other people to watch you as you sign in.
Keep your device in a secure location where unauthorized people do not have physical access to it. As with any password entry, be aware of line of sight and potential recording devices that
intrude on your screen.
12.3 Logon/Logoff Password Policy This section contains the following Common Criteria SFRs:
Extended: Authentication for Cryptographic Operation (FIA_UAU_EXT.1)
Extended: Timing of Authentication (FIA_UAU_EXT.2)
Extended: Re-Authorizing (FIA_UAU_EXT.3)
Specifications of Management Functions (FMT_SMF_EXT.1)
12.3.1 Local Administrator Guidance
The out of box experience requires that when user accounts are created a password is assigned to the account.
To change an account password do either of the following:
Tap the Start menu, tap the account picture, tap Change account settings, tap Sign-in options, tap Change under Password.
Type the secure attention sequence: CTRL-ALT-DEL
The inactivity time period for TSF-initiated session locking is configured by the administrator via Windows security policy. The relevant security policy is “Interactive logon: Machine inactivity
limit” as described in the following Technet topic in the section heading titled “New and changed functionality”:
Security Policy Settings Overview: http://technet.microsoft.com/en-us/library/2fdcbb11-8037-45b1-9015-665393268e36
The following Technet topics include guidance for administrators to open the Local Group Policy Editor tool or the Group Policy Management Console, respectively, that are used to configure
the Windows security policy:
Local Group Policy Editor: http://technet.microsoft.com/en-us/library/dn265982.aspx
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 43 of 54
12.3.2 User Guidance
To configure screen lock timeout:
Go to Settings -> System -> Power & sleep -> Additional power settings -> Change when the computer sleeps
To initiate a session lock:
Tap the Start menu, tap the account picture, click Lock.
To manage notifications on the lock screen:
Go to Settings -> System -> Notifications & actions
13 Managing Certificates This section contains the following Common Criteria SFRs:
Extended: Validation of Certificates (FIA_X509_EXT.1)
Extended: Certificate Authentication (FIA_X509_EXT.2)
Extended: Cryptographic Key Storage (FCS_STG_EXT.1)
13.1 Developer Guidance Application developers import and use keys and secrets with the Windows.Security.Cryptography.Certificates namespace as described by the following MSDN topic:
Windows.Security.Cryptography.Certificates namespace: https://msdn.microsoft.com/en-
us/library/windows/apps/windows.security.cryptography.certificates.aspx?f=255&MSPPError=-2147217396
Developers have a choice when enrolling for a certificate to use either CertificateEnrollmentManager base class or the derived class UserCertificateEnrollmentManager. When using
UserCertificateEnrollmentManager the keys are secured by the user account credentials and user account ACLs. When using the CertificateEnrollmentManager base class the keys are only
available to the application that imported or created the keys.
13.2 IT Administrator Guidance Root certificates can be added to and removed from devices using an MDM for enrolled devices. The following link is an example of MDM documentation for deploying root certificates:
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 44 of 54
How to Deploy Certificate Profiles in Configuration Manager: https://technet.microsoft.com/en-us/library/dn270540.aspx
Windows 10 can be configured to enroll for client certificates using an MDM for enrolled devices. The following link is an example of MDM documentation for configuring the enrollment of
client certificates:
Certificate deployment with System Center 2012 R2 Configuration Manager and Windows Intune : http://blogs.technet.com/b/configmgrteam/archive/2014/04/28/certificate-
deployment-with-system-center-2012-r2-configuration-manager-and-windows-intune.aspx
13.3 Local Administrator Guidance The following TechNet topic describes managing certificates (including the “Obtain a Certificate” sub-topic):
Manage Certificates : http://technet.microsoft.com/en-us/library/cc771377.aspx
Certutil: http://technet.microsoft.com/library/cc732443.aspx
The operational guidance for setting up a trusted channel to communicate with a CA is described in the operational guidance for FTP_ITC.1 (OS)).
The TOE comes preloaded with root certificates for various Certificate Authorities. The following TechNet topic describes how to manage trust relationships:
Manage Trusted Root Certificates: http://technet.microsoft.com/en-us/library/cc754841.aspx
The following TechNet topic describes how to delete a certificate:
Delete a Certificate: http://technet.microsoft.com/en-us/library/cc772354.aspx
Root certificates can be added to and removed from devices using an MDM for enrolled devices.
When validating a certificate with modern Windows applications the connection to a configured revocation server must be available or the validation will fail. This configuration cannot be
changed.
The administrator configures certificate validation using the Set-NetFirewallSetting PowerShell cmdlet as described in the following TechNet topic:
Set-NetFirewallSetting: http://technet.microsoft.com/en-us/library/jj554878.aspx
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 45 of 54
The administrator configures certificate validation for network connections based on EAP-TLS using the “Set Up a Connection or Network” wizard in the “Smart Card or Other Certificate
Properties” and “Configure Certificate Selection” screens as described in the following TechNet topic:
Extensible Authentication Protocol (EAP) Settings for Network Access (Smart Card or other Certificate Properties configuration items): https://technet.microsoft.com/en-
us/library/hh945104.aspx#BKMK_LAN_SmartCard
The administrator configures certificate validation for HTTPS using the Security options checkboxes in the Advanced tab on the Internet Properties dialog for Control Panel. The “Warn about
certificate address mismatch” setting configures whether the Web address must match the certificate subject field and warns the user of a mismatch. The following MSDN Blog describes the
“Check for server certificate revocation” setting:
Understanding Certificate Revocation Checks: http://blogs.msdn.com/b/ieinternals/archive/2011/04/07/enabling-certificate-revocation-check-failure-warnings-in-internet-explorer.aspx
The administrator cannot configure certificate validation for code signing purposes.
Key lengths of keys used with certificates are configured in the certificate templates on the Certificate Authority used during enrollment and are not configured by the user or local
administrator.
13.4 User Guidance The following TechNet topic describes how to manually import a certificate:
Import a Certificate: http://technet.microsoft.com/en-us/library/cc754489.aspx
When using HTTPS in a browsing scenario the user may choose to ignore a failed certificate validation and continue the connection.
13.5 Custom Certificate Requests Certificate requests with specific fields such as "Common Name", "Organization", "Organizational Unit", and/or "Country" can be generated by apps using the
Certificates.CertificateEnrollmentManager.CreateRequestAsync API. The following link provides the documentation for the API:
https://msdn.microsoft.com/en-us/library/windows/apps/windows.security.cryptography.certificates.certificateenrollmentmanager.createrequestasync.aspx
14 Managing Time This section contains the following Common Criteria SFRs:
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 46 of 54
Reliable Time Stamps (FPT_STM.1)
14.1 Local Administrator Guidance The administrator sets the time using the Set-Date PowerShell cmdlet that is documented here:
http://technet.microsoft.com/en-us/library/7f44d9e2-6956-4e55-baeb-df7a649fdca1
The administrator configures the time service to synchronize time from a time server using the W32tm command that is documented here:
http://technet.microsoft.com/en-us/library/cc773263(v=WS.10).aspx#w2k3tr_times_tools_dyax The administrator ensures the communication path between the TOE client and the time service provider is protected from attacks that could compromise the integrity of the time by establishing an IPsec policy using the “Microsoft Windows 8 Microsoft Windows Server 2012 --- Supplemental Admin Guidance for IPsec VPN Clients (January 23 2014)”, where section 3 provides detailed instructions that can be used to configure the TOE client and the time service provider.
The administrator ensures the NTP server is authenticated by verifying the IP address provided by the IT administrator for the NTP Server in the main mode and quick mode security associations according to the audit trail for the FTP_ITC.1 requirement outlined in section “4.1 Audit Policy for IPsec Operations” of the IPsec VPN Client guidance. In particular, audits are provided when a trusted channel is established that includes the IP address of the channel’s local and remote endpoints. If the integrity of the trusted channel is compromised, then this is indicated by the audit Id 4960 that is also discussed in section 4.1.
15 Getting Version Information This section contains the following Common Criteria SFRs:
Extended: Trusted Update: TSF Version Query (FPT_TUD_EXT.1)
15.1 User Guidance To determine the hardware model and operating system version:
Go to Settings -> System -> About
The following are instructions for getting the version of an app on Windows 10:
1. Start the app you wish to get the version of.
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 47 of 54
2. Once the app is opened, move your mouse cursor to the upper-right or lower-right corner of the screen to see the Charms bar. Touch screen users need to swipe-in from the right-edge
of the screen to bring up the Charms bar.
3. Click or tap Settings charm on the Charms bar to open Settings for the app.
4. Click or tap Permissions to see the developer’s name and also current version of the app.
16 Locking a Device This section contains the following Common Criteria SFRs:
Extended: TSF and User initiated Locked State (FTA_SSL_EXT.1)
16.1 IT Administrator Guidance The following TechNet topic describes the “Idle time before mobile device is locked (minutes)” MDM configuration policy setting that may be used to configure the
“MaxInactivityTimeDeviceLock” MDM configuration policy settings for enrolled devices:
Compliance Settings for System Center 2012 R2 Configuration Manager: http://technet.microsoft.com/en-us/library/dn376523.aspx#bkmk_comps
16.2 Local Administrator Guidance The following Technet topics include guidance for administrators to open the Local Group Policy Editor tool or the Group Policy Management Console, respectively, that are used to configure
the Windows security policy for standalone or domain-joined machines:
Local Group Policy Editor: http://technet.microsoft.com/en-us/library/dn265982.aspx
Group Policy Management Console: http://technet.microsoft.com/en-us/library/dn265969.aspx
The inactivity time period for TSF-initiated session locking is configured by the administrator via Windows security policy. The relevant security policy is “Interactive logon: Machine inactivity
limit” as described in the following Technet topic in the section heading titled “New and changed functionality”:
Security Policy Settings Overview: http://technet.microsoft.com/en-us/library/2fdcbb11-8037-45b1-9015-665393268e36
16.3 User Guidance See section 12.3.2
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 48 of 54
16.4 Managing Notifications Prior to Unlocking a Device This section contains the following Common Criteria SFRs:
Default TOE Access Banners (FTA_TAB.1)
16.4.1 Local Administrator Guidance
The following TechNet topics describe how to configure a message to users attempting to logon:
Interactive logon: Message title for users attempting to log on: http://technet.microsoft.com/en-us/library/cc778393(v=ws.10).aspx
Interactive logon: Message text for users attempting to log on: http://technet.microsoft.com/en-us/library/cc779661(v=WS.10).aspx
17 Managing Airplane Mode This section contains the following Common Criteria SFRs:
Specifications of Management Functions (FMT_SMF_EXT.1)
17.1 User Guidance When airplane mode is on wireless connections, cellular voice, cellular protocols, and messaging functionality will not work on the device. The following link describes how to enable/disable
airplane mode: http://windows.microsoft.com/en-us/windows-10/turn-on-airplane-mode
18 Managing Device Enrollment This section contains the following Common Criteria SFRs:
Specifications of Management Functions (FMT_SMF_EXT.1)
Extended: Specification of Remediation Actions (FMT_SMF_EXT.2)
18.1 IT Administrator A Mobile Device Management (MDM) administrator can remotely wipe enrolled devices. The following MSDN topic describes the doWipe command supported on Windows 10 devices by the
RemoteWipe Configuration Service Provider (CSP):
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 49 of 54
RemoteWipe CSP: https://msdn.microsoft.com/en-us/library/windows/hardware/dn904968(v=vs.85).aspx
18.2 Local Administrator Guidance To enroll for management do the following
Go to Settings -> Accounts -> Work access
Tap the Connect button
Fill in the user account credentials provided by your IT administrator
Unenrollment from the MDM solution performs the remediation actions of:
alert the administrator
remove Enterprise applications
To unenroll from device management do the following:
Go to Settings > Account -> Work access
Tap the Remove button that is displayed when the enrollment setting is selected, and then confirm the Remove operation
The local administrator determines if the device is enrolled or not enrolled by looking at the Work access page of the Accounts settings. On the Work access page of the Accounts settings if the
device device is enrolled then the enrollment setting is indicated by the Work access name as established by your IT administrator and your account name provided by your IT administrator that
was used to enroll the device – tapping the enrollment setting reveals the Sync, Info and Remove buttons that may be used to synchronize device management settings, inspect Work access
enrollment settings or remove the device from enrollment.
18.3 User Guidance Users manage device enrollment like local administrators as described above.
19 Managing Updates Windows 10 applications include metadata that is installed with the application by the Windows Installer and the Store App installer. The application metadata includes version information that
prevents the Windows Installer and the Store App installer from updating an installed application with an older version.
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 50 of 54
Update packages downloaded by Windows Update for Windows 10 are signed with the Microsoft Root Certificate Authority to prove their authenticity and integrity. This signature is checked on
the mobile device before installing any of the product updates contained in a given package in order to verify the updates have not been altered since they where digitally signed. If the
signature is incorrect, then the update operation will fail. Otherwise, if the signature is correct then the update operation will proceed.
19.1 IT Administrator Consult MDM documentation for configuring System Updates.
19.2 Local Administrator There are two options for the local admistrator to configure System Updates:
Go to Settings -> Update & security -> Windows Update
20 Managing Health Attestation
20.1 IT Administrator The following MSDN topic describes the TOE’s HealthAttestation CSP that enables enterprise IT managers to assess the health of managed devices and take enterprise policy actions based on
the generated health attestation reports: https://msdn.microsoft.com/en-us/library/windows/hardware/dn934876(v=vs.85).aspx
The health attestation log file generated by the device is processed by the MDM solution and the health report is generated for the IT Administrator’s review.
21 Managing Collection Devices
21.1 IT Administrator The following link describes how to enable/disable the camera (see Security heading) for Windows 10:
General settings for Mobile Devices in Configuration Manager: https://technet.microsoft.com/en-us/library/dn376523.aspx#bkmk_comps
21.1.1 Local Aministrator Guidance
The local administrator disables/enables the camera for all users by disabling all subnodes under the “Imaging devices” node in the Device Manager.
To start the Device Manager, type “Device Manager” in the taskbar searchbox and click on the Device Manager icon.
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 51 of 54
The local administrator disables/enables the microphone for all users by the following procedure:s
1. On the desktop right click on the Start button and click the Control Panel menu item.
2. Type “Sound” and choose “Manage audio devices” from the list to open the Sound window
3. In the Sound window click the “Recording” tab
4. On the Recording tab right the Microphone item(s) and select the “Disable” menu item
Note: to reverse this step the “Show Disabled Devices” menu item should be selected.
21.1.2 User Guidance
The user turns enables/disables the camera in the Settings -> Privacy -> Camera by setting the “Let apps use my camera” radio button to the On/Off state. The user enables/disables the
microphone in the Settings -> Privacy -> Microphone user interface by setting the “Let apps use my microphone” radio button to the On/Off state.
22 Managing USB
22.1 Local Administrator The local administrator may also disable the USB in the Device Manager application by right-clicking the USB Root Hub child node in the Universal Serial Bus controllers node and selecting the
Properties menu item to open the USB Root Hub Properties window. the local administrator then clicks the Driver tab In the USB Root Hub Properties window and clicks he Disable button.
23 Managing Backup
23.1 Local Administrator The following TechNet topic describes how to disable File History:
“Windows 8.1 and the File History”: https://technet.microsoft.com/en-us/windows/jj984238.aspx
The following TechNet topic describes how to disable OneDrive:
Use Group Policy in Windows 2012 R2 to disable OneDrive functionality in Windows 8.1 clients: https://technet.microsoft.com/en-us/library/dn921901.aspx
The following policy setting can be used to disable Sync your settings:
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 52 of 54
“Do not sync” policy located at Computer Configuration\Administrative Templates\Windows Components\Sync your settings
In addition to enabling the policy, ensure the “Allow user to turn syncing on” option is unchecked
23.2 User Guidance The following Windows 10 topic describes how to configure Backup and Restore: http://windows.microsoft.com/en-us/windows-10/getstarted-back-up-your-files
The following Windows 10 topic describes how to configure OneDrive to sync files and folders: http://windows.microsoft.com/en-us/windows-10/getstarted-onedrive
To configure OneDrive to sync settings: Settings -> Accounts -> Sync your settings.
24 Managing Developer Mode
24.1 IT Administrator Consult MDM documentation for enabling/disabling Developer mode with an MDM.
24.2 Local Administrator Guidance Developer Mode allows installation of test-signed applications. The local administrator or user configures Developer Mode in Settings -> Updates & security -> For developers by selecting the
Developer Mode radio button.
25 Managing Cryptographic Algorithms There is no global configuration for hashing algorithms. The use of required hash sizes is supported and global configuration is not needed.
There is no global configuration for key generation schemes. The use of required key generation schemes is supported and global configuration is not needed.
There is no global configuration for key establishment schemes. The use of required key establishment schemes is supported and global configuration is not needed.
Keys may be imported by apps using the Certificates.CertificateEnrollmentManager.ImportPfxDataAsync API. The following link provides the documentation for the API:
https://msdn.microsoft.com/en-us/library/windows/apps/windows.security.cryptography.certificates.certificateenrollmentmanager.importpfxdataasync.aspx
Keys are destroyed by wiping the device, see the Managing Wipe section of this document.
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 53 of 54
The Windows 10 system cryptographic engine was tested during the FIPS evaluation of the operating system. Other cryptographic engines may have been separately evaluated but were not
part of this CC evaluation.
26 Managing Internet Connection Sharing (ICS) Internet Connection Sharing provides a means to share an Internet connection to another computer.
26.1 Local Administrator Guidance The following Windows Help topic describes how to configure ICS:
Using ICS (Internet Connection Sharing): http://windows.microsoft.com/en-us/windows/using-internet-connection-sharing#1TC=windows-7
27 Managing Location Services (GPS)
27.1 IT Administrator Consult MDM documentation for configuring Location Services.
27.2 Local Administrator Guidance Configure Location Services: http://windows.microsoft.com/en-us/windows-10/location-service-privacy
Click Change.
28 Managing Wi-Fi
28.1 IT Administrator Consult MDM documentation for configuring Wi-Fi.
28.2 Local Administrator Guidance Enable/disable the wireless network adapter: http://windows.microsoft.com/en-us/windows/enable-disable-network-adapter#1TC=windows-7
Windows 10 Mobile Device PP Operational Guidance
Microsoft © 2016 Page 54 of 54
29 Managing Mobile Broadband
29.1 User Guidance Settings for enabling/troubleshooting Mobile Broadband: http://windows.microsoft.com/en-us/windows-10/cellular-settings
30 Managing Health Attestation
30.1 IT Administrator Guidance MDM solutions are capable of managing Health Attestation on phones. See the MDM solution documentation for detailed configuration actions.
30.2 Local Administrator Guidance The device will create a Helath Attestation log every time the system boots. The Health Attestation logs are found in the following directory:
%windir%\Logs\MeasuredBoot
The contents of the Health Attestation logs may be viewed on or off the TOE using the “TPM Platform Crypto-Provider Toolkit” that can be downloaded from the following link:
TPM Platform Crypto-Provider Toolkit : http://research.microsoft.com/en-us/downloads/74c45746-24ad-4cb7-ba4b-0c6df2f92d5d/
31 Natively Installed Applications The set of applications and system files included in the TOE are version 10.0.10240.16384. The following embedded Excel file has two lists of files, one each for x64 and x86: