Windows 10 (Anniversary Update) Mobile Device PP Operational Guidance

Microsoft Windows

Common Criteria Evaluation

Microsoft Windows 10 (Anniversary Update)

Windows 10 (Anniversary Update) Mobile Device Operational Guidance

Document Information
Version Number / 1.0
Updated On / 16 March, 2017

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs-NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2017 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Visual Basic, Visual Studio, Windows, the Windows logo, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents

1Introduction

1.1Configuration

1.1.1Evaluated Configuration

1.1.2Mobile Device Management Solutions

2Management Functions

3Managing Audits

3.1Windows 10

3.1.1Audit Events

3.2Managing Audit Policy

3.2.1Windows 10

4Managing Wipe

4.1IT Administrator Guidance

4.2Windows 10

4.2.1Local Administrator Guidance

4.3Windows 10 Mobile

4.3.1User Guidance

5Managing EAP-TLS

5.1IT Administrator Guidance

5.2Windows 10

5.2.1Local Administrator Guidance

5.3User Guidance

6Managing TLS/DLTS

6.1IT Administrator Guidance

6.2Windows 10

6.2.1Local Administrator Guidance

6.3User Guidance

7Managing Apps

7.1IT Administrator Guidance

7.2Windows 10

7.2.1Local Administrator Guidance

8Managing Volume Encryption

8.1IT Administrator Guidance

8.2Windows 10

8.2.1Local Administrator Guidance

8.2.2User Guidance

8.3Windows 10 Mobile

8.3.1User Guidance

9Managing VPN

9.1IT Administrator Guidance

9.2Windows 10

9.2.1Local Administrator Guidance

10Managing Accounts

10.1IT Administrator Guidance

10.2Windows 10

10.3Local Administrator Guidance

11Managing Bluetooth

11.1IT Administrator Guidance

11.1.1User Guidance

11.2Windows 10 Mobile

11.2.1User Guidance

12Managing Passwords

12.1Strong Passwords

12.1.1IT Administrator Guidance

12.1.2Windows 10

12.2Protecting Passwords

12.2.1Windows 10

12.2.2Windows 10 Mobile

12.3Logon/Logoff Password Policy

12.3.1IT Administrator Guidance

12.3.2Windows 10

13Managing Notifications in the Locked State

13.1Windows 10

13.1.1User Guidance

13.2Windows 10 Mobile

13.2.1User Guidance

14Managing Certificates

14.1Certificate Validation

14.1.1Windows 10

14.2Developer Guidance

14.2.1Shared User Keys

14.2.2Custom Certificate Requests

14.3IT Administrator Guidance

14.4Windows 10

14.4.1Local Administrator Guidance

14.4.2User Guidance

14.5Windows 10 Mobile

14.5.1User Guidance

15Managing Time

15.1Windows 10

15.1.1Local Administrator Guidance

15.2Windows 10 Mobile

15.2.1User Guidance

16Getting Version Information

16.1IT Administrator Guidance

16.2Windows 10

16.2.1User Guidance

16.3Windows 10 Mobile

16.3.1User Guidance

17Locking a Device

17.1IT Administrator Guidance

17.2Windows 10

17.2.1Local Administrator Guidance

17.2.2User Guidance

17.3Windows 10 Mobile

17.3.1User Guidance

17.4Managing Notifications Prior to Unlocking a Device

17.4.1IT Administrator Guidance

17.4.2Windows 10

18Managing Airplane Mode

18.1Windows 10

18.1.1User Guidance

18.2Windows 10 Mobile

18.2.1User Guidance

19Managing Device Enrollment

19.1IT Administrator Guidance

19.2Windows 10

19.2.1Local Administrator Guidance

19.3Windows 10 Mobile

19.3.1User Guidance

20Managing Updates

20.1IT Administrator Guidance

20.2Windows 10

20.2.1Local Administrator Guidance

21Managing Collection Devices

21.1IT Administrator Guidance

21.2Windows 10

21.2.1Local Administrator Guidance

22Managing USB

22.1IT Administrator Guidance

22.2Windows 10

22.2.1Local Administrator Guidance

23Managing Backup

23.1Windows 10

23.1.1Local Administrator Guidance

23.2Windows 10 and Windows 10 Mobile

23.2.1User Guidance

24Managing Enterprise Apps

24.1IT Administrator Guidance

24.2User Guidance

25Managing Developer Mode

25.1IT Administrator Guidance

25.2Windows 10

25.2.1Local Administrator Guidance

26Managing Cryptographic Algorithms

27Managing GPS

27.1IT Administrator Guidance

28Managing Location Services

28.1IT Administrator Guidance

28.2Windows 10

28.2.1Local Administrator Guidance

29Managing Wi-Fi

29.1IT Administrator Guidance

30Managing Wireless Networks (SSIDs)

30.1IT Administrator Guidance

30.2Windows 10

30.2.1Local Administrator Guidance

31Managing Personal Hotspots

31.1IT Administrator Guidance

31.2Windows 10

31.2.1Local Administrator Guidance

32Managing Mobile Broadband

32.1IT Administrator Guidance

33Managing Cellular Protocols

33.1Windows 10 Mobile

33.1.1IT Administrator Guidance

33.2Windows 10

33.2.1Local Administrator

34Managing Health Attestation

34.1IT Administrator Guidance

35Managing Sensitive Data

35.1IT Administrator Guidance

35.2Windows 10

35.2.1Local Administrator Guidance

35.3Windows 10 Mobile

36Managing USB Mass Storage

36.1IT Administrator Guidance

37Natively Installed Applications

1 Introduction

This document provides operational guidance information for a Common Criteria evaluation describing only the security functionality which the administrator should use – any security functionality not described in this document is not part of the evaluation.

1.1 Configuration

1.1.1 Evaluated Configuration

The Common Criteria evaluation includes a specific configuration of Windows, the “evaluated configuration”. To run Windows deployments using the evaluated configuration follow the deployment steps and apply the security policies and security settings indicated below. The Security Target section 1.1 describes the Windows editions and security patches included in the evaluated configuration.

The operating system is pre-installed on the devices in the evaluated configuration. When the device is turned on for the first time the Out of Box Experience (OOBE) runs to complete the configuration.

The following security policies are applied after completing the OOBE:

Security Policy / Policy Setting
Local Policies\Security Options\System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithm / Enabled
Administrative Template\Windows Components\Credentials User Interface\Do not display the password reveal button / Enabled

The following security settings are applied to create the evaluated configuration:

  • Cipher suite selection is configured according to section 5 Managing TLS
  • Volume encryption is enabled according to section 8 Managing Volume Encryption
  • VPN connections route all traffic through the VPN tunnel as described section 9 Managing VPN
  • Passwords use a minimum of six alphanumeric characters and symbols according to section 12.1 Strong Passwords
  • RSA machine certificates are configured according to section 14 Managing Certificates to use a minimum 2048 bit key length
  • Session locking is enabled according to section 16 Locking a Device
  • Devices are enrolled for device management according to section 18 Device Enrollment
  • Enrolled policy must have the Enterprise Data Protection settings enabled

Some of the links in this document may be written for Windows versions that are earlier than Windows 10 (Anniversary Update). The content in all these links apply to the Windows 10 (Anniversary Update) version.

1.1.2 Mobile Device Management Solutions

Many of the configurations described in this guide for the IT Administrator role are applied to the device through a Mobile Device Management (MDM) solution. The specific steps to perform a configuration through the MDM are solution-specific and are not described in this document. Examples of possible configuration option text may be provided in this document, but are not guaranteed to match any specific MDM solution. See the MDM solution documentation for detailed configuration actions.

2 Management Functions

The following table maps management functions to roles:

Management Function / User Guidance / Local Administrator Guidance / IT Administrator Guidance
1 / Configure password policy / Windows 10 / Windows 10
Windows 10 Mobile
2 / Configure session locking policy / Windows 10 / Windows 10
Windows 10 Mobile
3 / Enable/disable the VPN protection / Windows 10 / Windows 10
Windows 10 Mobile
4 / Enable/disable [GPS, Wi-Fi, mobile broadband radios, Bluetooth] / Windows 10
Windows 10 Mobile
5 / Enable/disable [camera, microphone] / Windows 10 / Windows 10 Mobile
Windows 10 (Camera only)
6 / Specify wireless networks (SSIDs) to which the TSF may connect / Windows 10 / Windows 10
Windows 10 Mobile
7 / Configure security policy for connecting to wireless networks / Windows 10 / Windows 10
Windows 10 Mobile
8 / Transition to the locked state / Windows 10
Windows 10 Mobile / Windows 10
9 / TSF wipe of protected data / Windows 10 / Windows 10
Windows 10 Mobile
10 / Configure application installation policy / Windows 10 / Windows 10
Windows 10 Mobile
11 / Import keys/secrets into the secure key storage / Windows 10
Windows 10 Mobile / Windows 10
12 / Destroy imported keys/secrets and any other keys/secrets in the secure key storage / Windows 10
Windows 10 Mobile / Windows 10
13 / Import X.509v3 certificates into the Trust Anchor Database / Windows 10 / Windows 10
Windows 10 Mobile
14 / Remove imported X.509v3 certificates and any other X.509v3 certificates in the Trust Anchor Database / Windows 10 Mobile / Windows 10
15 / Enroll the TOE in management / Windows 10 Mobile / Windows 10
16 / Remove applications / Windows 10 / Windows 10
Windows 10 Mobile
17 / Update system software / Windows 10 / Windows 10
Windows 10 Mobile
18 / Install applications / Windows 10 / Windows 10
Windows 10 Mobile
19 / Remove Enterprise applications / Windows 10 / Windows 10
Windows 10 Mobile
20 / Configure the Bluetooth trusted channel
a. disable/enable the Discoverable mode (for BR/EDR) / Windows 10
Windows 10 Mobile
b. change the Bluetooth device name / Windows 10
Windows 10 Mobile
d. disable/enable Advertising (for LE), / Windows 10
Windows 10 Mobile
21 / Enable/disable display notification in the locked state / Windows 10
Windows 10 Mobile
22 / Enable/disable all data signaling over [USB hardware ports] / Windows 10 / Windows 10 Mobile
23 / Enable/disable [none, Assign personal Hotspot connections] / Windows 10 / Windows 10
Windows 10 Mobile
24 / Enable/disable developer modes / Windows 10 / Windows 10
Windows 10 Mobile
25 / Enable data-at rest protection / Windows 10 Mobile / Windows 10
26 / Enable removable media’s data at rest protection / Windows 10 / Windows 10
28 / Wipe Enterprise data / Windows 10 / Windows 10
Windows 10 Mobile
30 / Configure whether to allow a trusted channel if certificate validation is not possible / Windows 10
Windows 10 Mobile / Windows 10
31 / Enable/disable the cellular protocols used to connect to cellular network base stations / Windows 10 / Windows 10 Mobile
32 / Read audit logs kept by the TSF / Windows 10
33 / Configure certificate used to validate digitally signed applications / Windows 10 / Windows 10
Windows 10 Mobile
34 / Approve exceptions for shared use of keys/secrets by multiple applications / Windows 10 / Windows 10
Windows 10 Mobile
35 / Approve exceptions for destruction of keys/secrets by other applications / Windows 10
Windows 10 Mobile / Windows 10
36 / Configure the unlock banner / Windows 10 / Windows 10
Windows 10 Mobile
37 / Configure the auditable items / Windows 10
38 / Retrieve TSF-software integrity verification values / Windows 10
Windows 10 Mobile
39 / enable/disable [USB mass storage mode] / Windows 10 Mobile
40 / Enable/disable backup to remote system / Windows 10
Windows 10 Mobile / Windows 10
44 / Enable/disable location services / Windows 10 / Windows 10
Windows 10 Mobile

3 Managing Audits

This section contains the following Common Criteria SFRs:

  • Audit Data Generation (FAU_GEN.1), Selective Audit (FAU_SEL.1)
  • Extended: Audit Storage Protection (FAU_STG_EXT.1)
  • Specifications of Management Functions (FMT_SMF_EXT.1)

3.1 Windows 10

3.1.1 Audit Events

The following required audits are described for FAU_GEN.1:

Description / Id
Start-up and shutdown of the audit functions / Security: 4608, 1100
All administrative actions / <see first table below>
Startup and shutdown of the OS and kernel / Security: 4608, 1100
Insertion or removal of removable media / Microsoft- Windows-Kernel-PnP/Device Configuration: 410
Establishment of a synchronizing connection / System: 36880
Microsoft-Windows-CAPI2/Operational: 11
Specifically defined auditable events from table 10 / <see second table below>
Audit records reaching [assignment: integer value less than 100] percentage of audit capacity, [assignment: other auditable events derived from this profile / Security: 1103

Table 1: FAU_GEN.1 audits (AGD1: FAU_GEN.1)
The following table correlates the set of administrative operations described in this document with their associated audits. Section FMT_SMF_EXT.1 has test procedures to produce these audits.

Administrative Action / Id
  1. configure password policy:
  2. minimum password length
  3. minimum password complexity
  4. maximum password lifetime
/ IT Administrator:
DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813
Local Administrator:
Security: 4739
  1. configure session locking policy:
  2. screen-lock enabled/disabled
  3. screen lock timeout
  4. number of authentication failures
/ IT Administrator:
DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813
Local Administrator:
Security: 4739
  1. enable/disable the VPN protection:
  2. across device
[b. on a per-app basis
c. no other method] / Security:
Enable: 4651, 5451
Disable: 4655
  1. enable/disable [GPS, Wi-Fi, Bluetooth, mobile broadband]
/ DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813
  1. enable/disable [camera, microphone]:
  2. across device [
b. on a per-app basis
c. no other method] / Camera (IT Administrator): DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813
Microphone (IT Administrator): DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813
Microphone (Local Administrator): Microsoft-Windows-Audio: 65
  1. specify wireless networks (SSIDs) to which the TSF may connect
/ IT Administrator:
DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813
Local Administrator:
Microsoft-Windows-WLAN-AutoConfig/Operational: 14001
  1. configure security policy for each wireless network:
  2. [selection: specify the CA(s) from which the TSF will accept WLAN authentication server certificate(s), specify the FQDN(s) of acceptable WLAN authentication server certificate(s)]
  3. security type
  4. authentication protocol
  5. client credentials to be used for authentication
/ DeviceManagement-Enterprise-Diagnostics-Provider: 403
  1. transition to the locked state
/ Security: 4800
  1. TSF wipe of protected data
/ Success:
System: 12
Failure:
Wipe Failure Screen
Windows 10 - System: 1074
  1. configure application installation policy by [selection:
  2. restricting the sources of applications,
  3. specifying a set of allowed applications based on [a digital signature or application name and version] (an application whitelist),
  4. denying installation of applications]
/ IT Administrator:
Microsoft-Windows-AppXDeploymentServer/Operational: 400,404 for success/failure
Local Administrator:
Microsoft-Windows-AppLocker/Packaged app-Execution: 8022
  1. import keys/secrets into the secure key storage
/ Security: 5058
  1. destroy imported keys/secrets and [[any other keys/secrets]] in the secure key storage
/ System: 12
  1. import X.509v3 certificates into the Trust Anchor Database
/ Microsoft-Windows-CAPI2/Operational: 90
  1. remove imported X.509v3 certificates and [[any other X.509v3 certificates]] in the Trust Anchor Database
/ Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational: 1004
  1. enroll the TOE in management
/ DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 72
  1. remove applications
/ Microsoft-Windows-AppXDeploymentServer/Operational: 472
  1. update system software
/ Setup: 2, 3
  1. install applications
/ Microsoft-Windows-AppXDeploymentServer/Operational 400
  1. remove Enterprise applications
/ Microsoft-Windows-AppXDeploymentServer/Operational: 472
  1. configure the Bluetooth trusted channel:
  2. disable/enable the Discoverable mode (for BR/EDR)
  3. change the Bluetooth device name
[selection:
d. disable/enable Advertising (for LE),
i. no other Bluetooth configuration] / DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813, 814
  1. enable/disable display notification in the locked state of: [
  2. email notifications,
  3. calendar appointments,
  4. contact associated with phone call notification,
  5. text message notification,
  6. other application-based notifications,
  7. all notifications]
/ DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813
  1. enable/disable all data signaling over [USB hardware ports]
/ Local Administrator:
Windows-Kernel-PnP: 832, 801
  1. enable/disable [none, Assign personal Hotspot connections]
/ Microsoft-Windows-WLAN-AutoConfig/Operational: 8006
  1. enable/disable developer modes
/ IT Administrator:
DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813
Local Administrator:
Microsoft-Windows-GroupPolicy/Operational: 1502
  1. enable data-at rest protection
/ System: 24667
  1. enable removable media’s data-at-rest protection
/ System: 24667
  1. enable/disable bypass of local user authentication
/ N/A
  1. wipe Enterprise data
/ DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 48
  1. approve [import, removal] by applications of X.509v3 certificates in the Trust Anchor Database
/ N/A
  1. configure whether to establish a trusted channel or disallow establishment if the TSF cannot establish a connection to determine the validity of a certificate
/ Security: 4950
  1. enable/disable the cellular protocols used to connect to cellular network base stations
/ Microsoft-Windows-WWAN-SVC-Events/Operational: 11004
  1. read audit logs kept by the TSF
/ Security: 4673
  1. configure [certificate] used to validate digital signature on applications
/ Same as 13. and 14.
  1. approve exceptions for shared use of keys/secrets by multiple applications
/ Microsoft-Windows-AppXDeploymentServer/Operational: 400
  1. approve exceptions for destruction of keys/secrets by applications that did not import the key/secret
/ Microsoft-Windows-AppXDeploymentServer/Operational: 400
  1. configure the unlock banner
/ Security: 4657
  1. configure the auditable items
/ Security: 4719
  1. retrieve TSF-software integrity verification values
/ See audit for FPT_NOT_EXT.1 (ATTEST)
  1. enable/disable [selection:
  2. USB mass storage mode,
  3. USB data transfer without user authentication,
USB data transfer without authentication of the connecting system] / N/A
  1. enable/disable backup to [remote system]
/ Security: 4657
  1. enable/disable [
  2. USB tethering authenticated by [pre-shared key, passcode, no authentication]]
/ N/A
  1. approve exceptions for sharing data between [selection: application processes, groups of application processes]
/ N/A
  1. place applications into application process groups based on [assignment: application characteristics]
/ N/A
  1. enable/disable location services:
  2. across device
[
b. on a per-app basis
c. no other method] / DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813
  1. [none]
/ N/A

Table 2: Administrative Actions audits (AGD2: FAU_GEN.1) (AGD1: FAU_GEN.1)

Requirement / Description / Additional Record Contents / Log: Event Id
FAU_SEL.1 / All modifications to the audit configuration that occur while the audit collection functions are operating. / No additional Information. / Security: 4719, 4912
FCS_CKM_EXT.1 / [generation of a REK] / No additional Information. / System: 1027
FCS_CKM_EXT.5 / Success or failure of the wipe. / No additional Information. / System:
Success: 12
Failure: 1074
FCS_CKM.1(ASYM KA) / Failure of key generation activity for authentication keys. / No additional Information. / Microsoft-Windows-Crypto-NCrypt/Operational: 4
FCS_HTTPS_EXT.1 / Failure of the certificate validity check. / Issuer Name and Subject Name of certificate. [No additional information]. / Microsoft-Windows-CAPI2/Operational: 11
FCS_RBG_EXT.1 / Failure of the randomization process. / No additional information. / System: 20
FCS_STG_EXT.1 / Import or destruction of key. [No other events] / Identity of key. Role and identity of requestor. / Import: Security: 5058
Destruction: System: 12
FCS_STG_EXT.3 / Failure to verify integrity of stored key. / Identity of key being verified. / Microsoft-Windows-Crypto-NCrypt: 3
(Task Category: Open Key Failure)
FCS_DTLS_EXT.1 / Failure of the certificate validity check. / Issuer Name and Subject Name of certificate. / Microsoft-Windows-CAPI2/Operational: 30
FCS_TLSC_EXT.1 / Failure to establish an EAP-TLS session. / System : 36888
Microsoft-Windows-CAPI2/Operational: 11, 30
Establishment/termination of an EAP-TLS session. / Establishment: System : 36880
Termination: Microsoft-Windows-SChannel-Events/Perf: 1793
FCS_TLSC_EXT.2 / Failure to establish a TLS session. / Reason for failure. / System : 36888
Microsoft-Windows-CAPI2/Operational: 11, 30
Failure to verify presented identifier. / Presented identifier and reference identifier. / Microsoft-Windows-CAPI2/Operational: 11
Establishment/termination of a TLS session. / Non-TOE endpoint of connection. / Establisment:
System: 36880
Microsoft-Windows-CAPI2/Operational: 11
Termination:
Microsoft-Windows-SChannel-Events/Perf: 1793
FDP_DAR_EXT.1 / Failure to encrypt/decrypt data. / No additional information. / System: 24588
FDP_DAR_EXT.2 / Failure to encrypt/decrypt data. / No additional information. / Crypto-NCrypt/Operational: 6
FDP_STG_EXT.1 / Addition or removal of certificate from Trust Anchor Database. / Subject name of certificate. / Import: Microsoft-Windows-CAPI2/Operational: 90
Removal: CertificateServicesClient-Lifecycle-System/Operational: 1004
FDP_UPC_EXT.1 / Application initiation of trusted channel. / Name of application. Trusted channel protocol. Non-TOE endpoint of connection. / HTTPS/TLS:
System: 36880
Microsoft-Windows-CAPI2/Operational: 11
Bluetooth:
System: 9
FIA_AFL_EXT.1 / Excess of authentication failure limit. / No additional information. / Exceeding failure limit: Security: 4740
FIA_BLT_EXT.1 / User authorization of Bluetooth device.
User authorization for local Bluetooth service. / User authorization decision.
Bluetooth address and name of device.
Bluetooth profile.
Identity of local service. / System: 9
System: 20001
FIA_BLT_EXT.2 / Initiation of Bluetooth connection. / Bluetooth address and name of device. / System: 8
Failure of Bluetooth connection. / Reason for failure. / System: 16
FIA_UAU_EXT.2 / Action performed before authentication. / No additional information. / N/A (no selection in Security Target)
FIA_UAU_EXT.3 / User changes Password Authentication Factor. / No additional information. / Security: 4723
FIA_X509_EXT.1 / Failure to validate X.509v3 certificate. / Reason for failure of validation. / Microsoft-Windows-CAPI2/Operational: 11
FIA_X509_EXT.2 / Failure to establish connection to determine revocation status. / No additional information. / Microsoft-Windows-CAPI2/Operational: 11
FMT_SMF_EXT.1 / Change of settings. / Role of user that changed setting. Value of new setting. / See Table 2: Administrative Actions audits
Success or failure of function. / Role of user that performed function.
Function performed.
Reason for failure
Initiation of software update. / Version of update. / System: 19
Initiation of application installation or update. / Name and version of application. / Microsoft-Windows-AppXDeploymentServer/Operational: 400
FMT_SMF_EXT.2 / Unenrollment. / Identity of administrator. Remediation action performed. / DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 48
FPT_AEX_EXT.4 / Blocked attempt to modify TSF data. / Identity of subject. Identity of TSF data. / Security: 4656
FPT_NOT_EXT.1 (AUDIT) / [Measurement of TSF software]. / [Integrity verification value]. / System: 20
FPT_NOT_EXT.1 (ATTEST) / [Measurement of TSF software]. / [Integrity verification value]. / Attestation log file
<See section “Managing Health Attestation” for more information>
FPT_TST_EXT.1 / Initiation of self-test. Failure of self-test. / System: 20
FPT_TST_EXT.2 / Start-up of TOE. / Boot Mode. / System: 12
[Detected integrity violations]. / [The TSF code that caused the integrity violation]. / Automatic Repair
FPT_TUD_EXT.2 / Success or failure of signature verification for software updates. / Setup: 2, 3
Success or failure of signature verification for applications. / Microsoft-Windows-AppXDeploymentServer/Operational: 400/404 for success/failure
FTA_TAB.1 / Change in banner setting. / No additional information. / Security: 4657
FTA_WSE_EXT.1 / All attempts to connect to access points. / Identity of access point. / Microsoft-Windows-WLAN-AutoConfig/Operational log event: 8001, 8003
FTP_ITC_EXT.1 / Initiation and termination of trusted channel. / Trusted channel protocol. Non-TOE endpoint of connection. / IPSec: Security: 4650, 4651, 5451, 4655
HTTP/TLS: System: 36880
Microsoft-Windows-CAPI2/Operational: 11
Microsoft-Windows-SChannel-Events/Perf: 1793
EAP-TLS/802.1x/802.11-2012: Microsoft-Windows-WLAN-AutoConfig/Operational: 8001, 8003

Table 3: Audits for SFRs (AGD1: FAU_GEN.1)