Microsoft Windows
Common Criteria Evaluation

Microsoft Windows 10 (Anniversary Update)
Windows 10 (Anniversary Update) Mobile Device Operational Guidance

Document Information
Version Number: 1.0
Updated On: 16 March, 2017

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs-NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2017 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Visual Basic, Visual Studio, Windows, the Windows logo, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents

1 Introduction
  1.1 Configuration
    1.1.1 Evaluated Configuration
    1.1.2 Mobile Device Management Solutions
2 Management Functions
3 Managing Audits
  3.1 Windows 10
    3.1.1 Audit Events
  3.2 Managing Audit Policy
    3.2.1 Windows 10
4 Managing Wipe
  4.1 IT Administrator Guidance
  4.2 Windows 10
    4.2.1 Local Administrator Guidance
  4.3 Windows 10 Mobile
    4.3.1 User Guidance
5 Managing EAP-TLS
  5.1 IT Administrator Guidance
  5.2 Windows 10
    5.2.1 Local Administrator Guidance
  5.3 User Guidance
6 Managing TLS/DTLS
  6.1 IT Administrator Guidance
  6.2 Windows 10
    6.2.1 Local Administrator Guidance
  6.3 User Guidance
7 Managing Apps
  7.1 IT Administrator Guidance
  7.2 Windows 10
    7.2.1 Local Administrator Guidance
8 Managing Volume Encryption
  8.1 IT Administrator Guidance
  8.2 Windows 10
    8.2.1 Local Administrator Guidance
    8.2.2 User Guidance
  8.3 Windows 10 Mobile
    8.3.1 User Guidance
9 Managing VPN
  9.1 IT Administrator Guidance
  9.2 Windows 10
    9.2.1 Local Administrator Guidance
10 Managing Accounts
  10.1 IT Administrator Guidance
  10.2 Windows 10
  10.3 Local Administrator Guidance
11 Managing Bluetooth
  11.1 IT Administrator Guidance
    11.1.1 User Guidance
  11.2 Windows 10 Mobile
    11.2.1 User Guidance
12 Managing Passwords
  12.1 Strong Passwords
    12.1.1 IT Administrator Guidance
    12.1.2 Windows 10
  12.2 Protecting Passwords
    12.2.1 Windows 10
    12.2.2 Windows 10 Mobile
  12.3 Logon/Logoff Password Policy
    12.3.1 IT Administrator Guidance
    12.3.2 Windows 10
13 Managing Notifications in the Locked State
  13.1 Windows 10
    13.1.1 User Guidance
  13.2 Windows 10 Mobile
    13.2.1 User Guidance
14 Managing Certificates
  14.1 Certificate Validation
    14.1.1 Windows 10
  14.2 Developer Guidance
    14.2.1 Shared User Keys
    14.2.2 Custom Certificate Requests
  14.3 IT Administrator Guidance
  14.4 Windows 10
    14.4.1 Local Administrator Guidance
    14.4.2 User Guidance
  14.5 Windows 10 Mobile
    14.5.1 User Guidance
15 Managing Time
  15.1 Windows 10
    15.1.1 Local Administrator Guidance
  15.2 Windows 10 Mobile
    15.2.1 User Guidance
16 Getting Version Information
  16.1 IT Administrator Guidance
  16.2 Windows 10
    16.2.1 User Guidance
  16.3 Windows 10 Mobile
    16.3.1 User Guidance
17 Locking a Device
  17.1 IT Administrator Guidance
  17.2 Windows 10
    17.2.1 Local Administrator Guidance
    17.2.2 User Guidance
  17.3 Windows 10 Mobile
    17.3.1 User Guidance
  17.4 Managing Notifications Prior to Unlocking a Device
    17.4.1 IT Administrator Guidance
    17.4.2 Windows 10
18 Managing Airplane Mode
  18.1 Windows 10
    18.1.1 User Guidance
  18.2 Windows 10 Mobile
    18.2.1 User Guidance
19 Managing Device Enrollment
  19.1 IT Administrator Guidance
  19.2 Windows 10
    19.2.1 Local Administrator Guidance
  19.3 Windows 10 Mobile
    19.3.1 User Guidance
20 Managing Updates
  20.1 IT Administrator Guidance
  20.2 Windows 10
    20.2.1 Local Administrator Guidance
21 Managing Collection Devices
  21.1 IT Administrator Guidance
  21.2 Windows 10
    21.2.1 Local Administrator Guidance
22 Managing USB
  22.1 IT Administrator Guidance
  22.2 Windows 10
    22.2.1 Local Administrator Guidance
23 Managing Backup
  23.1 Windows 10
    23.1.1 Local Administrator Guidance
  23.2 Windows 10 and Windows 10 Mobile
    23.2.1 User Guidance
24 Managing Enterprise Apps
  24.1 IT Administrator Guidance
  24.2 User Guidance
25 Managing Developer Mode
  25.1 IT Administrator Guidance
  25.2 Windows 10
    25.2.1 Local Administrator Guidance
26 Managing Cryptographic Algorithms
27 Managing GPS
  27.1 IT Administrator Guidance
28 Managing Location Services
  28.1 IT Administrator Guidance
  28.2 Windows 10
    28.2.1 Local Administrator Guidance
29 Managing Wi-Fi
  29.1 IT Administrator Guidance
30 Managing Wireless Networks (SSIDs)
  30.1 IT Administrator Guidance
  30.2 Windows 10
    30.2.1 Local Administrator Guidance
31 Managing Personal Hotspots
  31.1 IT Administrator Guidance
  31.2 Windows 10
    31.2.1 Local Administrator Guidance
32 Managing Mobile Broadband
  32.1 IT Administrator Guidance
33 Managing Cellular Protocols
  33.1 Windows 10 Mobile
    33.1.1 IT Administrator Guidance
  33.2 Windows 10
    33.2.1 Local Administrator
34 Managing Health Attestation
  34.1 IT Administrator Guidance
35 Managing Sensitive Data
  35.1 IT Administrator Guidance
  35.2 Windows 10
    35.2.1 Local Administrator Guidance
  35.3 Windows 10 Mobile
36 Managing USB Mass Storage
  36.1 IT Administrator Guidance
37 Natively Installed Applications

1 Introduction

This document provides operational guidance information for a Common Criteria evaluation, describing only the security functionality which the administrator should use; any security functionality not described in this document is not part of the evaluation.

1.1 Configuration

1.1.1 Evaluated Configuration

The Common Criteria evaluation includes a specific configuration of Windows, the "evaluated configuration". To run Windows deployments using the evaluated configuration, follow the deployment steps and apply the security policies and security settings indicated below. The Security Target section 1.1 describes the Windows editions and security patches included in the evaluated configuration.

The operating system is pre-installed on the devices in the evaluated configuration. When the device is turned on for the first time the Out of Box Experience (OOBE) runs to complete the configuration.

The following security policies are applied after completing the OOBE:

| Security Policy | Policy Setting |
|---|---|
| Local Policies\Security Options\System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms | Enabled |
| Administrative Template\Windows Components\Credentials User Interface\Do not display the password reveal button | Enabled |

The following security settings are applied to create the evaluated configuration:

- Cipher suite selection is configured according to section 5 Managing TLS
- Volume encryption is enabled according to section 8 Managing Volume Encryption
- VPN connections route all traffic through the VPN tunnel as described in section 9 Managing VPN
- Passwords use a minimum of six alphanumeric characters and symbols according to section 12.1 Strong Passwords
- RSA machine certificates are configured according to section 14 Managing Certificates to use a minimum 2048 bit key length
- Session locking is enabled according to section 16 Locking a Device
- Devices are enrolled for device management according to section 18 Device Enrollment
- Enrolled policy must have the Enterprise Data Protection settings enabled

Some of the links in this document may be written for Windows versions that are earlier than Windows 10 (Anniversary Update). The content in all these links applies to the Windows 10 (Anniversary Update) version.

1.1.2 Mobile Device Management Solutions

Many of the configurations described in this guide for the IT Administrator role are applied to the device through a Mobile Device Management (MDM) solution. The specific steps to perform a configuration through the MDM are solution-specific and are not described in this document. Examples of possible configuration option text may be provided in this document, but are not guaranteed to match any specific MDM solution.
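The two security policies and the volume-encryption setting listed under Evaluated Configuration can be verified on a Windows 10 device from PowerShell. The script below is an added example and is not part of the Microsoft guidance; it assumes that the two policies are backed by the registry values FipsAlgorithmPolicy\Enabled and CredUI\DisablePasswordReveal (the standard Group Policy locations for these settings, which the page itself does not name) and that the BitLocker PowerShell module is present for the volume-encryption check.

```powershell
# Added example (not from the Microsoft guidance): report whether a Windows 10
# device carries the two security policies the evaluated configuration requires.
# Assumption: the policies are stored at these registry locations (the usual
# Group Policy targets for the two settings; the page does not name them).
$checks = @(
    @{
        Name  = 'System cryptography: Use FIPS 140 compliant cryptographic algorithms'
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
        Value = 'Enabled'
    },
    @{
        Name  = 'Credentials User Interface: Do not display the password reveal button'
        Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredUI'
        Value = 'DisablePasswordReveal'
    }
)

function Test-EvaluatedPolicy {
    param([hashtable]$Check)
    # A missing key or value means the policy was never applied; report it as "not set"
    # rather than letting Get-ItemProperty raise an error.
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Value) } else { $null }
    [pscustomobject]@{
        Policy   = $Check.Name
        Expected = 1
        Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
        Pass     = ($actual -eq 1)
    }
}

$results = $checks | ForEach-Object { Test-EvaluatedPolicy -Check $_ }
$results | Format-Table -AutoSize

# Volume encryption (section 8) is also part of the evaluated configuration; the
# BitLocker module, where installed, reports the protection state of each volume.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus |
        Format-Table -AutoSize
}

if ($results.Pass -contains $false) {
    Write-Warning 'Device is not in the evaluated configuration: a required policy is not enabled.'
}
```

Run the script from an elevated session; the HKLM policy keys are readable by standard users, but Get-BitLockerVolume needs administrator rights to report volume status.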
See the MDM solution documentation for detailed configuration actions.

2 Management Functions

The following table maps management functions to roles. For each function the platforms for which guidance is given are listed in the source's column order: User Guidance, Local Administrator Guidance, IT Administrator Guidance.

| # | Management Function | Platforms (User / Local Administrator / IT Administrator guidance) |
|---|---|---|
| 1 | Configure password policy | Windows 10; Windows 10; Windows 10 Mobile |
| 2 | Configure session locking policy | Windows 10; Windows 10; Windows 10 Mobile |
| 3 | Enable/disable the VPN protection | Windows 10; Windows 10; Windows 10 Mobile |
| 4 | Enable/disable [GPS, Wi-Fi, mobile broadband radios, Bluetooth] | Windows 10; Windows 10 Mobile |
| 5 | Enable/disable [camera, microphone] | Windows 10; Windows 10 Mobile; Windows 10 (Camera only) |
| 6 | Specify wireless networks (SSIDs) to which the TSF may connect | Windows 10; Windows 10; Windows 10 Mobile |
| 7 | Configure security policy for connecting to wireless networks | Windows 10; Windows 10; Windows 10 Mobile |
| 8 | Transition to the locked state | Windows 10; Windows 10 Mobile; Windows 10 |
| 9 | TSF wipe of protected data | Windows 10; Windows 10; Windows 10 Mobile |
| 10 | Configure application installation policy | Windows 10; Windows 10; Windows 10 Mobile |
| 11 | Import keys/secrets into the secure key storage | Windows 10; Windows 10 Mobile; Windows 10 |
| 12 | Destroy imported keys/secrets and any other keys/secrets in the secure key storage | Windows 10; Windows 10 Mobile; Windows 10 |
| 13 | Import X.509v3 certificates into the Trust Anchor Database | Windows 10; Windows 10; Windows 10 Mobile |
| 14 | Remove imported X.509v3 certificates and any other X.509v3 certificates in the Trust Anchor Database | Windows 10 Mobile; Windows 10 |
| 15 | Enroll the TOE in management | Windows 10 Mobile; Windows 10 |
| 16 | Remove applications | Windows 10; Windows 10; Windows 10 Mobile |
| 17 | Update system software | Windows 10; Windows 10; Windows 10 Mobile |
| 18 | Install applications | Windows 10; Windows 10; Windows 10 Mobile |
| 19 | Remove Enterprise applications | Windows 10; Windows 10; Windows 10 Mobile |
| 20 | Configure the Bluetooth trusted channel: a. disable/enable the Discoverable mode (for BR/EDR) | Windows 10; Windows 10 Mobile |
| 20 | b. change the Bluetooth device name | Windows 10; Windows 10 Mobile |
| 20 | d. disable/enable Advertising (for LE) | Windows 10; Windows 10 Mobile |
| 21 | Enable/disable display notification in the locked state | Windows 10; Windows 10 Mobile |
| 22 | Enable/disable all data signaling over [USB hardware ports] | Windows 10; Windows 10 Mobile |
| 23 | Enable/disable [none, Assign personal Hotspot connections] | Windows 10; Windows 10; Windows 10 Mobile |
| 24 | Enable/disable developer modes | Windows 10; Windows 10; Windows 10 Mobile |
| 25 | Enable data-at-rest protection | Windows 10 Mobile; Windows 10 |
| 26 | Enable removable media's data-at-rest protection | Windows 10; Windows 10 |
| 28 | Wipe Enterprise data | Windows 10; Windows 10; Windows 10 Mobile |
| 30 | Configure whether to allow a trusted channel if certificate validation is not possible | Windows 10; Windows 10 Mobile; Windows 10 |
| 31 | Enable/disable the cellular protocols used to connect to cellular network base stations | Windows 10; Windows 10 Mobile |
| 32 | Read audit logs kept by the TSF | Windows 10 |
| 33 | Configure certificate used to validate digitally signed applications | Windows 10; Windows 10; Windows 10 Mobile |
| 34 | Approve exceptions for shared use of keys/secrets by multiple applications | Windows 10; Windows 10; Windows 10 Mobile |
| 35 | Approve exceptions for destruction of keys/secrets by other applications | Windows 10; Windows 10 Mobile; Windows 10 |
| 36 | Configure the unlock banner | Windows 10; Windows 10; Windows 10 Mobile |
| 37 | Configure the auditable items | Windows 10 |
| 38 | Retrieve TSF-software integrity verification values | Windows 10; Windows 10 Mobile |
| 39 | Enable/disable [USB mass storage mode] | Windows 10 Mobile |
| 40 | Enable/disable backup to remote system | Windows 10; Windows 10 Mobile; Windows 10 |
| 44 | Enable/disable location services | Windows 10; Windows 10; Windows 10 Mobile |

3 Managing Audits

This section contains the following Common Criteria SFRs:

- Audit Data Generation (FAU_GEN.1), Selective Audit (FAU_SEL.1)
- Extended: Audit Storage Protection (FAU_STG_EXT.1)
- Specifications of Management Functions (FMT_SMF_EXT.1)

3.1 Windows 10

3.1.1 Audit Events

The following required audits are described for FAU_GEN.1:

| Description | Id |
|---|---|
| Start-up and shutdown of the audit functions | Security: 4608, 1100 |
| All administrative actions | <see first table below> |
| Startup and shutdown of the OS and kernel | Security: 4608, 1100 |
| Insertion or removal of removable media | Microsoft-Windows-Kernel-PnP/Device Configuration: 410 |
| Establishment of a synchronizing connection | System: 36880; Microsoft-Windows-CAPI2/Operational: 11 |
| Specifically defined auditable events from table 10 | <see second table below> |
| Audit records reaching [assignment: integer value less than 100] percentage of audit capacity, [assignment: other auditable events derived from this profile] | Security: 1103 |

Table 1: FAU_GEN.1 audits (AGD1: FAU_GEN.1)

The following table correlates the set of administrative operations described in this document with their associated audits. Section FMT_SMF_EXT.1 has test procedures to produce these audits.

| Administrative Action | Id |
|---|---|
| configure password policy: minimum password length; minimum password complexity; maximum password lifetime | IT Administrator: DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813; Local Administrator: Security: 4739 |
| configure session locking policy: screen-lock enabled/disabled; screen lock timeout; number of authentication failures | IT Administrator: DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813; Local Administrator: Security: 4739 |
| enable/disable the VPN protection: across device [b. on a per-app basis, c. no other method] | Security: Enable: 4651, 5451; Disable: 4655 |
| enable/disable [GPS, Wi-Fi, Bluetooth, mobile broadband] | DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813 |
| enable/disable [camera, microphone]: across device [b. on a per-app basis, c. no other method] | Camera (IT Administrator): DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813; Microphone (IT Administrator): DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813; Microphone (Local Administrator): Microsoft-Windows-Audio: 65 |
| specify wireless networks (SSIDs) to which the TSF may connect | IT Administrator: DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813; Local Administrator: Microsoft-Windows-WLAN-AutoConfig/Operational: 14001 |
| configure security policy for each wireless network: [selection: specify the CA(s) from which the TSF will accept WLAN authentication server certificate(s), specify the FQDN(s) of acceptable WLAN authentication server certificate(s)]; security type; authentication protocol; client credentials to be used for authentication | DeviceManagement-Enterprise-Diagnostics-Provider: 403 |
| transition to the locked state | Security: 4800 |
| TSF wipe of protected data | Success: System: 12; Failure: Wipe Failure Screen; Windows 10: System: 1074 |
| configure application installation policy by [selection: restricting the sources of applications, specifying a set of allowed applications based on [a digital signature or application name and version] (an application whitelist), denying installation of applications] | IT Administrator: Microsoft-Windows-AppXDeploymentServer/Operational: 400, 404 for success/failure; Local Administrator: Microsoft-Windows-AppLocker/Packaged app-Execution: 8022 |
| import keys/secrets into the secure key storage | Security: 5058 |
| destroy imported keys/secrets and [[any other keys/secrets]] in the secure key storage | System: 12 |
| import X.509v3 certificates into the Trust Anchor Database | Microsoft-Windows-CAPI2/Operational: 90 |
| remove imported X.509v3 certificates and [[any other X.509v3 certificates]] in the Trust Anchor Database | Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational: 1004 |
| enroll the TOE in management | DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 72 |
| remove applications | Microsoft-Windows-AppXDeploymentServer/Operational: 472 |
| update system software | Setup: 2, 3 |
| install applications | Microsoft-Windows-AppXDeploymentServer/Operational: 400 |
| remove Enterprise applications | Microsoft-Windows-AppXDeploymentServer/Operational: 472 |
| configure the Bluetooth trusted channel: disable/enable the Discoverable mode (for BR/EDR); change the Bluetooth device name; [selection: d. disable/enable Advertising (for LE), i. no other Bluetooth configuration] | DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813, 814 |
| enable/disable display notification in the locked state of: [email notifications, calendar appointments, contact associated with phone call notification, text message notification, other application-based notifications, all notifications] | DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813 |
| enable/disable all data signaling over [USB hardware ports] | Local Administrator: Windows-Kernel-PnP: 832, 801 |
| enable/disable [none, Assign personal Hotspot connections] | Microsoft-Windows-WLAN-AutoConfig/Operational: 8006 |
| enable/disable developer modes | IT Administrator: DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813; Local Administrator: Microsoft-Windows-GroupPolicy/Operational: 1502 |
| enable data-at-rest protection | System: 24667 |
| enable removable media's data-at-rest protection | System: 24667 |
| enable/disable bypass of local user authentication | N/A |
| wipe Enterprise data | DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 48 |
| approve [import, removal] by applications of X.509v3 certificates in the Trust Anchor Database | N/A |
| configure whether to establish a trusted channel or disallow establishment if the TSF cannot establish a connection to determine the validity of a certificate | Security: 4950 |
| enable/disable the cellular protocols used to connect to cellular network base stations | Microsoft-Windows-WWAN-SVC-Events/Operational: 11004 |
| read audit logs kept by the TSF | Security: 4673 |
| configure [certificate] used to validate digital signature on applications | Same as 13. and 14. |
| approve exceptions for shared use of keys/secrets by multiple applications | Microsoft-Windows-AppXDeploymentServer/Operational: 400 |
| approve exceptions for destruction of keys/secrets by applications that did not import the key/secret | Microsoft-Windows-AppXDeploymentServer/Operational: 400 |
| configure the unlock banner | Security: 4657 |
| configure the auditable items | Security: 4719 |
| retrieve TSF-software integrity verification values | See audit for FPT_NOT_EXT.1 (ATTEST) |
| enable/disable [selection: USB mass storage mode, USB data transfer without user authentication, USB data transfer without authentication of the connecting system] | N/A |
| enable/disable backup to [remote system] | Security: 4657 |
| enable/disable [USB tethering authenticated by [pre-shared key, passcode, no authentication]] | N/A |
| approve exceptions for sharing data between [selection: application processes, groups of application processes] | N/A |
| place applications into application process groups based on [assignment: application characteristics] | N/A |
| enable/disable location services: across device [b. on a per-app basis, c. no other method] | DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813 |
| [none] | N/A |

Table 2: Administrative Actions audits (AGD2: FAU_GEN.1) (AGD1: FAU_GEN.1)

| Requirement | Description | Additional Record Contents | Log: Event Id |
|---|---|---|---|
| FAU_SEL.1 | All modifications to the audit configuration that occur while the audit collection functions are operating. | No additional information. | Security: 4719, 4912 |
| FCS_CKM_EXT.1 | [generation of a REK] | No additional information. | System: 1027 |
| FCS_CKM_EXT.5 | Success or failure of the wipe. | No additional information. | System: Success: 12; Failure: 1074 |
| FCS_CKM.1 (ASYM KA) | Failure of key generation activity for authentication keys. | No additional information. | Microsoft-Windows-Crypto-NCrypt/Operational: 4 |
| FCS_HTTPS_EXT.1 | Failure of the certificate validity check. | Issuer Name and Subject Name of certificate. [No additional information]. | Microsoft-Windows-CAPI2/Operational: 11 |
| FCS_RBG_EXT.1 | Failure of the randomization process. | No additional information. | System: 20 |
| FCS_STG_EXT.1 | Import or destruction of key. [No other events] | Identity of key. Role and identity of requestor. | Import: Security: 5058; Destruction: System: 12 |
| FCS_STG_EXT.3 | Failure to verify integrity of stored key. | Identity of key being verified. | Microsoft-Windows-Crypto-NCrypt: 3 (Task Category: Open Key Failure) |
| FCS_DTLS_EXT.1 | Failure of the certificate validity check. | Issuer Name and Subject Name of certificate. | Microsoft-Windows-CAPI2/Operational: 30 |
| FCS_TLSC_EXT.1 | Failure to establish an EAP-TLS session. | | System: 36888; Microsoft-Windows-CAPI2/Operational: 11, 30 |
| FCS_TLSC_EXT.1 | Establishment/termination of an EAP-TLS session. | | Establishment: System: 36880; Termination: Microsoft-Windows-SChannel-Events/Perf: 1793 |
| FCS_TLSC_EXT.2 | Failure to establish a TLS session. | Reason for failure. | System: 36888; Microsoft-Windows-CAPI2/Operational: 11, 30 |
| FCS_TLSC_EXT.2 | Failure to verify presented identifier. | Presented identifier and reference identifier. | Microsoft-Windows-CAPI2/Operational: 11 |
| FCS_TLSC_EXT.2 | Establishment/termination of a TLS session. | Non-TOE endpoint of connection. | Establishment: System: 36880; Microsoft-Windows-CAPI2/Operational: 11. Termination: Microsoft-Windows-SChannel-Events/Perf: 1793 |
| FDP_DAR_EXT.1 | Failure to encrypt/decrypt data. | No additional information. | System: 24588 |
| FDP_DAR_EXT.2 | Failure to encrypt/decrypt data. | No additional information. | Crypto-NCrypt/Operational: 6 |
| FDP_STG_EXT.1 | Addition or removal of certificate from Trust Anchor Database. | Subject name of certificate. | Import: Microsoft-Windows-CAPI2/Operational: 90; Removal: CertificateServicesClient-Lifecycle-System/Operational: 1004 |
| FDP_UPC_EXT.1 | Application initiation of trusted channel. | Name of application. Trusted channel protocol. Non-TOE endpoint of connection. | HTTPS/TLS: System: 36880; Microsoft-Windows-CAPI2/Operational: 11. Bluetooth: System: 9 |
| FIA_AFL_EXT.1 | Excess of authentication failure limit. | No additional information. | Exceeding failure limit: Security: 4740 |
| FIA_BLT_EXT.1 | User authorization of Bluetooth device. User authorization for local Bluetooth service. | User authorization decision. Bluetooth address and name of device. Bluetooth profile. Identity of local service. | System: 9; System: 20001 |
| FIA_BLT_EXT.2 | Initiation of Bluetooth connection. | Bluetooth address and name of device. | System: 8 |
| FIA_BLT_EXT.2 | Failure of Bluetooth connection. | Reason for failure. | System: 16 |
| FIA_UAU_EXT.2 | Action performed before authentication. | No additional information. | N/A (no selection in Security Target) |
| FIA_UAU_EXT.3 | User changes Password Authentication Factor. | No additional information. | Security: 4723 |
| FIA_X509_EXT.1 | Failure to validate X.509v3 certificate. | Reason for failure of validation. | Microsoft-Windows-CAPI2/Operational: 11 |
| FIA_X509_EXT.2 | Failure to establish connection to determine revocation status. | No additional information. | Microsoft-Windows-CAPI2/Operational: 11 |
| FMT_SMF_EXT.1 | Change of settings. Success or failure of function. | Role of user that changed setting. Value of new setting. Role of user that performed function. Function performed. Reason for failure. | See Table 2: Administrative Actions audits |
| FMT_SMF_EXT.1 | Initiation of software update. | Version of update. | System: 19 |
| FMT_SMF_EXT.1 | Initiation of application installation or update. | Name and version of application. | Microsoft-Windows-AppXDeploymentServer/Operational: 400 |
| FMT_SMF_EXT.2 | Unenrollment. | Identity of administrator. Remediation action performed. | DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 48 |
| FPT_AEX_EXT.4 | Blocked attempt to modify TSF data. | Identity of subject. Identity of TSF data. | Security: 4656 |
| FPT_NOT_EXT.1 (AUDIT) | [Measurement of TSF software]. | [Integrity verification value]. | System: 20 |
| FPT_NOT_EXT.1 (ATTEST) | [Measurement of TSF software]. | [Integrity verification value]. | Attestation log file <See section "Managing Health Attestation" for more information> |
| FPT_TST_EXT.1 | Initiation of self-test. Failure of self-test. | | System: 20 |
| FPT_TST_EXT.2 | Start-up of TOE. | Boot Mode. | System: 12 |
| FPT_TST_EXT.2 | [Detected integrity violations]. | [The TSF code that caused the integrity violation]. | Automatic Repair |
| FPT_TUD_EXT.2 | Success or failure of signature verification for software updates. | | Setup: 2, 3 |
| FPT_TUD_EXT.2 | Success or failure of signature verification for applications. | | Microsoft-Windows-AppXDeploymentServer/Operational: 400/404 for success/failure |
| FTA_TAB.1 | Change in banner setting. | No additional information. | Security: 4657 |
| FTA_WSE_EXT.1 | All attempts to connect to access points. | Identity of access point. | Microsoft-Windows-WLAN-AutoConfig/Operational log event: 8001, 8003 |
| FTP_ITC_EXT.1 | Initiation and termination of trusted channel. | Trusted channel protocol. Non-TOE endpoint of connection. | IPSec: Security: 4650, 4651, 5451, 4655. HTTP/TLS: System: 36880; Microsoft-Windows-CAPI2/Operational: 11; Microsoft-Windows-SChannel-Events/Perf: 1793. EAP-TLS/802.1x/802.11-2012: Microsoft-Windows-WLAN-AutoConfig/Operational: 8001, 8003 |

Table 3: Audits for SFRs (AGD1: FAU_GEN.1)

| Id | Log location | Message | Fields |
|---|---|---|---|
| 2 | Setup | Package was successfully changed to the Installed state | Logged: <Date and time of event>; PackageIdentifier: <KB package Id>; ErrorCode: <success outcome indicated by 0x0> |
| 3 | Setup | Windows update could not be installed because … "The data is invalid" | Logged: <Date and time of event>; Commandline: <KB package Id>; ErrorCode: <value> |
| 3 | Microsoft-Windows-Crypto-NCrypt | Open key operation failed | Logged: <Date and time of event>; Provider Name: <Key storage provider name>; Key Name: <Unique name for key> |
| 4 | Microsoft-Windows-Crypto-NCrypt/Operational | Create key operation failed | Logged: <Date and time of event>; Provider Name: <Key storage provider name>; Key Name: <Unique name for key>; Algorithm Name: <Key algorithm name> |
| 6 | Microsoft-Windows-Crypto-NCrypt/Operational | Unprotect Key operation failed | Logged: <Date and time of event>; KeyId: <Unique Id for key> |
| 8 | System (Source: BTHUSB) | The remote adapter <remote bluetooth radio address> was successfully paired with the local adapter. | Logged: <Date and time of event>; EventData: <remote bluetooth radio address> |
| 9 | System (Source: BTHUSB) | The remote adapter <remote bluetooth radio address> was added to the list of personal devices. | Logged: <Date and time of event>; EventData: <remote bluetooth radio address> |
| 11 | Microsoft-Windows-CAPI2/Operational | Build Chain | System/TimeCreated/SystemTime: <Date and time of event>. Subject name of the leaf certificate is the first instance of the following path: UserData/CertGetCertificateChain/CertificateChain/Certificate subjectName: <subject name in client certificate>. Subject name of the issuing certificate is the second instance of the following path: UserData/CertGetCertificateChain/CertificateChain/ChainElement/Certificate <issuer of leaf certificate as subject name in chained certificate>. TrustStatus -> ErrorStatus: <Error code> |
| 12 | System (Source: Kernel-General) | The operating system started at system time <time>. | Logged: <Date and time of OS startup>. This event along with no other earlier events indicates a wipe has occurred. |
| 16 | System (Source: BTHUSB) | The mutual authentication between the local Bluetooth adapter and a device with Bluetooth adapter address <device address> failed. | Logged: <Date and time of event>; Data: <remote device address> |
| 19 | System (Source: WindowsUpdateClient) | Installation Successful: Windows successfully installed the following update: <app/update name> | Logged: <Date and time of event>; Security ID: <SID of user account that installed the app>; updateTitle: <app/update name>; updateGuid: <app/update Guid>; serviceGuid: <app/service GUID>; updateRevisionNumber: <app version> |
| 20 | System (Source: Kernel-Boot) | The last boot's success was <LastBootGood event data>. | Logged: <Date and time of event>; LastBootGood: <Outcome as true or false indicating if the kernel-mode cryptographic self-tests and RNG initialization succeeded or failed> |
| 21 | System (Source: Kernel-Boot) | The OS loader advanced options menu was displayed and the user selected option <boot mode> | Logged: <Date and time of event>; OptionSelected: <auxiliary boot mode>. Note: this event is recorded if the operating system was started in an auxiliary boot mode, whereas its absence indicates the operating system started in normal boot mode. |
| 30 | Microsoft-Windows-CAPI2/Operational | Verify Chain Policy | System -> TimeCreated -> SystemTime: <Date and time of event>; UserData -> CertVerifyCertificateChainPolicy -> Certificate -> subjectName: <certificate subject name>; UserData -> CertVerifyCertificateChainPolicy -> Result -> value: <error code> |
| 48 | Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider | MDM Unenroll: Unenroll event sent to server | Logged: <Date and time of event>; Security UserID: <SID of user account that initiated enrolling TOE> |
| 65 | Microsoft-Windows-Audio/Operational | MMDevAPI: Audio device state changed | Logged: <Date and time of event>; OpCode: <operational code> |
| 72 | Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider | MDM Enroll: Succeeded | Logged: <Date and time of event>; Security UserID: <SID of user account that initiated enrolling TOE> |
| 90 | Microsoft-Windows-CAPI2/Operational | <un-named> | Logged: <Date and time of event>; Security UserID: <SID of user account that imported the certificate/secrets>; Subject: <Certificate subject name, CN, etc.> |
| 400 | Microsoft-Windows-AppXDeployment-Server/Operational | Deployment Add operation on Package <package Id> from: (<.appx pathname>) finished successfully | Logged: <Date and time of event>; <package Id> |
| 403 | Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider | MDM ConfigurationManager: CSP Allow check. | Logged: <Date and time of event>; URI: <indicates policy change: WiFi or Lock Screen Wallpaper>; Allowed: <enable = 0x1, disable = 0x0> |
| 404 | Microsoft-Windows-AppXDeployment-Server/Operational | AppX Deployment operation failed for package <app package identity> with error <error code>. The specific error text for this failure is: <failure text>. | Logged: <Date and time of event>; <package Id> |
| 410 | Microsoft-Windows-Kernel-PnP/Device Configuration | Device <DeviceInstanceId> was started | Logged: <Date and time of event>; User: <user identity>; DeviceInstanceId: <Device path and volume GUID of inserted removable media> |
| 472 | Microsoft-Windows-AppXDeployment-Server/Operational | Moving package folder <%program files location%\<package Id> to <%deleted program files location%\<package Id>. Result: <status code> | Logged: <Date and time of event>; Security ID: <SID of user account that installed the app>; SourceFolderPath: <%program files location%\<package Id>; DestinationFolderPath: <%deleted program files location%\<package Id> |
| 801 | Microsoft-Windows-Kernel-PnP/Device Configuration | Processing device <device>. | TimeCreated: <Date and time of event> |
| 813 | Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider | MDM PolicyManager | Logged: <Date and time of event>; Policy: <policy applied> |
| 814 | Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider | MDM PolicyManager | Logged: <Date and time of event>; Policy: <policy applied> |
| 832 | Microsoft-Windows-Kernel-PnP/Device Configuration | End removal of <device>. | TimeCreated: <Date and time of event> |
| 1004 | Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational | A certificate has been deleted | Logged: <Date and time of event>; UserID: <SID of user account that deleted the certificate/secrets>; SubjectNames: <Deleted certificate subject name>; Thumbprint: <Deleted certificate thumbprint>; NotValidAfter: <Deleted certificate expiration date> |
| 1006 | Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational | A new certificate has been installed. | Logged: <Date and time of event>; Subject: <Certificate subject name, CN, etc.>; Thumbprint: <Certificate thumbprint> |
| 1015 | Applications and Services Logs: Microsoft-Windows-Wcmsvc/Operational | Interface token applied | Logged: <Date and time of event>; Security ID: <SID of user account that deleted the certificate/secrets>; Media type: <indication of broadband (Wwan) or WiFi (Wlan)>; AutoProfiles: <indication of added or removed action (blank if removed, else name of Wwan or Wlan profile)> |
| 1027 | System (Source: TPM-WMI) | The Ownership of the Trusted Platform Module (TPM) hardware on this computer was successfully taken (TPM TakeOwnership command) by the system | Logged: <Date and time of event>; Keywords: <Outcome as Success> |
| 1074 | System (Source: User32) | The process <system32 path>\systemreset.exe has initiated the | |
restart of computer <computer name> on behalf of user <user name> for the following reason: No title for this reason could be foundReason Code: 0x20001Logged: <Date and time of event>User: <SID of user that started the reset>1100SecuritySubcategory: Security State ChangeThe event logging service has shut downLogged: <Date and time of event>Keywords: <Outcome as Success>1103SecurityThe security audit log is now <the configured value > percent full.Logged: <Date and time of event>Keywords: <Outcome as Success>1104SystemThe security audit log is full.Logged: <Date and time of event>Keywords: <Outcome as Success>1502Microsoft-Windows-GroupPolicy/OperationalThe Group Policy settings for the computer were processed successfully. New settings from 1 Group Policy objects were detected and applied.Logged: <Date and time of event>1793Microsoft-Windows-SChannel-Events/Perf<This event indicates that the TLS connection was terminated>Logged: <Date and time of event>4502SystemSource: ResetEngAttempt to restore the system to original condition has failed. Changes to the system have been undone.Logged: <Date and time of event>Keywords: <Outcome as Success or Failure>4608SecuritySubcategory: Security State ChangeStartup of audit functionsLogged: <Date and time of event>Task category: <type of event>Keywords: <Outcome as Success or Failure>4624SecuritySubcategory: LogonAn account was successfully logged on.Logged: <Date and time of event>Security ID: <SID of enabled user account>Account Name: <name of enabled account>Account Domain: <domain of enabled account if applicable, otherwise computer>Workstation Name: <name of computer user logged on>Logon Type: <type of logon (e.g. interactive)>LogonID: <unique logon identification>Source Network Address: <IP address of computer logged on>4650Security Subcategory: IPsec Main ModeIPsec main mode security association was established. 
Certificate authentication was not used.Logged: <Date and time of event>Task category: <type of event>Local Endpoint: <Subject identity as IP address>Remote Endpoint: <Subject identity as IP address of non-TOE endpoint of connection >Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>Local Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint>Remote Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint>Cryptographic Information: <The entry in the SPD that applied to the decision as MM SA Id and cryptographic parameters established in the SA>Keywords: <Outcome as Success>4651Security Subcategory: IPsec Main ModeIPsec main mode security association was established. A certificate was used for authentication.Logged: <Date and time of event>Task category: <type of event>Local Endpoint: <Subject identity as IP address>Remote Endpoint: <Subject identity as IP address of non-TOE endpoint of connection >Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>Local Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint>Remote Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint>Cryptographic Information: <The entry in the SPD that applied to the decision as MM SA Id and cryptographic parameters established in the SA>Keywords: <Outcome as Success>4655Security Subcategory: IPsec Main ModeIPsec main mode security association endedLogged: <Date and time of event>Task category: <type of event>Local Endpoint: <Subject identity as IP address/port >Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection/channel >Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>Keywords: <Outcome as Success>4656Security Subcategory: Handle ManipulationA handle to an object was requested.Logged: <Date and time of event>Security ID: <SID of locked account>Object Name: <Pathname 
of the object changed>Access Mask: <Access requested>Accesses: <Access granted (for success event) or denied (for failure event)>Keywords: <Outcome as Success or Failure>4657SecuritySubcategory: RegistryRegistry entry changeLogged: <Date and time of event>Task category: <type of event>Security ID: <user identity>Object name: <key path>Change Information: <old and new registry values>Keywords: <Outcome as Success or Failure>4673SecuritySubcategory: Sensitive Privilege Use / Non Sensitive Privilege UseA privileged service was called.Logged: <Date and time of event>Security ID: <SID of user account that viewed the log>Account Name: <user account name that viewed the log>Account Domain: <domain of user accout that viewed the log>Keywords: <Outcome as Success>4719SecuritySubcategory: Audit Policy ChangeSystem audit policy was changedLogged: <Date and time of event>Security ID: <Subject user identity>Account Name: <Subject account name>Account Domain: <Subject account domain>Login ID: <Subject login Id>Task category: <category of audit>Task Subcategory: <subcategory of audit>Subcategory GUID: <subcategory GUID name>Changes: <Changes>Keywords: <Outcome as Success or Failure>4723SecuritySubcategory: User Account ManagementAn attempt was made to change an account's password.Logged: <Date and time of event>Security ID: <user identity>Keywords: <Outcome as Success or Failure>4739SecuritySubcategory: Authentication Policy ChangeDomain Policy was changed.Logged: <Date and time of event>Security ID: <SID of user account making audit policy change>Account Name: <name of user account making audit policy change >Account Domain: <domain of user account making audit policy change if applicable, otherwise computer>Task Category: <Audit subcategory that was changed.>Changed Attributes: <Change to audit policy.>4740SecuritySubcategory: User Account ManagementA user account was locked outLogged: <Date and time of event>Security ID: <SID of locked account>Account Name: <name of locked 
account>Account Domain: <domain of locked account>4800Security Subcategory: LogoffThe workstation was locked.Logged: <Date and time of event>Security UserID: <SID of logon user>Account Name: <name of logon account>Account Domain: <domain of logon account>4801SecuritySubcategory: LogonThe workstation was unlocked.Logged: <Date and time of event>Security ID: <SID of logon user>Account Name: <name of logon account>Account Domain: <domain of logon account>4912SecuritySubcategory: Audit Policy ChangePer-user Audit Policy was changedLogged: <Date and time of event>Security ID: <Subject user identity>Account Name: <Subject account name>Account Domain: <Subject account domain>Login ID: <Subject login Id>Policy Change Details: <Changes>Policy For Account: <SID of user account for policy change>Keywords: <Outcome as Success or Failure>4950SecuritySubcategory: MPSSVC Rule-Level Policy ChangeA Windows Firewall setting has changed.Logged: <Date and time of event>Value: <new configuration setting value>5058SecuritySubcategory: System IntegrityKey file operationLogged: <Date and time of event>Task category: <type of event>Subject: <Security ID, Account Name/Domain>Cryptographic Parameters: <Key Name/Type>Key file operation information: <Filepath, operation, return code>5447SecuritySubcategory: Other Policy Change EventsWindows Filtering Platform filter has been changedLogged: <Date and time of event>Task category: <type of event>Change type: <Operation as add, change or delete>Filter ID: <Filter Id as GUID>Filter Name: <Filter identifier as text-based name> Layer ID: <Layer Id as GUID>Layer Name: <Layer identifier as text-based name>Additional Information: <Filter conditions>5450SecuritySubcategory: Filtering Platform Policy ChangeWindows Filtering Platform sub-layer has been changedLogged: <Date and time of event>Task category: <type of event>Change type: <Operation as add, change or delete>Sub-layer ID: <Sub-layer Id as GUID>Sub-layer Name: <Sub-layer identifier as text-based 
name>5451Security Subcategory: IPsec Quick ModeIPsec quick mode security association was establishedLogged: <Date and time of event>Task category: <type of event>Local Endpoint: <Subject identity as IP address/port>Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection >Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>Cryptographic Information: <The entry in the SPD that applied to the decision as MM SA Id, QM SA Id, Inbound SPI, Outbound SPI and cryptographic parameters established in the SA >Keywords: <Outcome as Success>5038SecuritySubcategory: System IntegrityCode integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.Logged: <Date and time of event>Task category: <type of event>File Name: < file failing integrity check>5446SecuritySubcategory: Filtering Platform Policy ChangeWindows Filtering Platform callout has been changedLogged: <Date and time of event>Task category: <type of event>Change type: <Operation as add, change or delete>Callout ID: <Callout identifier as GUID>Callout Name: <Callout identifier as text-based name>Layer ID: <Layer identifier as GUID>Layer Name: <Layer identifier as text-based name>Keywords: <Outcome as Success or Failure>5447SecuritySubcategory: Other Policy Change EventsWindows Filtering Platform filter has been changedLogged: <Date and time of event>Task category: <type of event>Change type: <Operation as add, change or delete>Filter ID: <Filter Id as GUID>Filter Name: <Filter identifier as text-based name> Layer ID: <Layer Id as GUID>Layer Name: <Layer identifier as text-based name>Additional Information: <Filter conditions>5450SecuritySubcategory: Filtering Platform Policy ChangeWindows Filtering Platform sub-layer has been changedLogged: <Date and time of event>Task category: <type of event>Change type: <Operation as add, change or delete>Sub-layer 
ID: <Sub-layer Id as GUID>Sub-layer Name: <Sub-layer identifier as text-based name>8000Microsoft-Windows-WLAN-AutoConfig/OperationalWLAN AutoConfig service started a connection to a wireless networkLogged: <Date and time of event>Network Adapter: <adapter device name>8001Microsoft-Windows-WLAN-AutoConfig/OperationalWLAN AutoConfig service has successfully connected to a wireless networkLogged: <Date and time of event>SSID: <Wireless network name> (non-TOE endpoint of connection)Authentication: WPA2-Enterprise (protocol)8002Microsoft-Windows-WLAN-AutoConfig/OperationalWLAN AutoConfig service failed to connect to a wireless networkLogged: <Date and time of event>SSID: < Wireless network name> (non-TOE endpoint of connection)8003Microsoft-Windows-WLAN-AutoConfig/OperationalWLAN AutoConfig service has successfully disconnectd from a wireless networkLogged: <Date and time of event>Interface GUID: < network adapter identification>SSID: <SSID name>8006Microsoft-Windows-WLAN-AutoConfig/OperationalWLAN AutoConfig service has finished starting the hosted network. Logged: <Date and time of event>Interface GUID: <network adapter identification> SSID: <SSID name>8022Microsoft-Windows-AppLocker/Packaged app-Execution<appl> was prevented from running. 
Logged: <Date and time of event>11001Microsoft-Windows-WLAN-AutoConfig/OperationalWireless network association succeededLogged: <Date and time of event>Network Adapter: <adapter device name>Local MAC address: <Wi-Fi address>11004Microsoft-Windows-WWAN-SVC-Events/OperationalReceived ContextStateLogged: <Date and time of event>Action: <WwanRadioOff or WwanRadioOn>11004Microsoft-Windows-WLAN-AutoConfig/OperationalWireless security stoppedLogged: <Date and time of event>Network Adapter: <adapter device name>Local MAC address: <Wi-Fi address>11010Microsoft-Windows-WLAN-AutoConfig/OperationalWireless Security StartedLogged: <Date and time of event>Network Adapter: <enabled adapter name>Local MAC Address: <enabled adapter MAC address>14001Microsoft-Windows-WLAN-AutoConfig/OperationalNew Wireless Network PolicyLogged: <Date and time of event>Applied Settings: <WiFi configuration settings >20001SystemSource: UserPnPDriver Manager concluded the process to install driver <driver name> for Device Instance ID <ID value include device address>Logged: <Date and time of event>Security UserID: <SID of user>DeviceInstanceID: <instance ID (including remote device address)>SetupClass: <Bluetooth service/profile GUID>24579SystemSource: Bitlocker-DriverEncryption of volume <drive letter>: completedLogged: <Date and time of event>Security UserID: <SID of user account that installed the app>Volume: <encrypted volume letter>24588SystemSource: Bitlocker-DriverThe conversion operation on volume <drive letter> encountered a bad sector error.Logged: <Date and time of event>Volume: <encrypted volume letter>24667SystemSource: BitLocker-DriverBitLocker finalization sweep completed for volume <drive letter>.Logged: <Date and time of event>Volume: <encrypted volume letter>36880SystemSource: SchannelAn SSL client handshake completed successfully. 
The negotiated cryptographic parameters are as follows.Logged: <Date and time of event>Protocol: <TLS protocol>CipherSuite: <cypher suite>36888SystemSource: SchannelA fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is %1.Logged: <Date and time of event>Reason for failureProtocol: <TLS protocol error code>The following are the possible error codes:DescriptionError Code ValueUnexpected message10Bad record MAC20Record overflow22Decompression fail30Handshake failure40Illegal parameter47Unknown CA48Access denied49Decode error50Decrypt error51Protocol version70Insufficient security71Internal error80Unsupported extension110Automatic Repair%windir%\system32\logfiles\srt\strtrail.txtStartup Repair diagnosis and repair logLogged: <Date and time of file>Boot critical file: <name of critical boot file indicated as corrupted>Wipe Failure ScreenDisplayThere was a problem resetting your PC. No changes were made.On logon a message is displayed to the user indicating that the recovery operation of the system failed.Bitlocker recoveryDisplayBitlocker recoveryOn startup a message is displayed requesting the Bitlocker recovery keyTable 4: Audit (AGD1: FAU_GEN.1) (AGD3: FAU_GEN.1)Managing Audit Policy(AGD1: FAU_SEL.1) (AGD2: FAU_SEL.1)Windows 10Local Administrator GuidanceThe following log locations are always enabled (AGD3: FAU_SEL.1): SystemSetupSecurity (for startup and shutdown of the audit functions and of the OS and kernel, and clearing the audit log)The following TechNet topic describes the categories of audits in the Security log:Advanced Audit Policy Configuration: (v=ws.10).aspxThe following TechNet topic describes how to select audit policies by category, user and audit success or failure in the Security log:Auditpol set: example, to enable all audits in the given subcategories of the Security log run the following commands at an elevated command prompt:Logon operations: 
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

Audit policy changes:
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable

IPsec operations:
auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable

Configuring IKEv1 and IKEv2 connection properties:
auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Other Policy Change Events" /success:enable /failure:enable

Registry changes (modifying TLS Cipher Suite priority):
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

In addition to enabling audit policy as noted above, each registry key to be audited must also have its auditing permissions enabled. This is done as follows:
1. Start the registry editor tool by executing the command regedit.exe as an administrator.
2. Navigate to the registry path for the key that should be audited, right-click the key's node and select Permissions... on the key's context menu to open the Permissions dialog.
3. Click the Advanced button to open the Advanced Security Settings dialog, click on the Auditing tab and click the Add button to open the Auditing Entry dialog.
4. Click Select a principal to open the Select User or Group dialog, select a user (e.g. Administrator) and click the OK button.
5. Choose the desired audits using the Type, Applies to and Basic Permissions attributes and click OK.
6. Click OK on the Advanced Security Settings dialog.
7. Click OK on the Permissions dialog.

The following is the list of registry keys that must be audited:
- HKEY_LOCAL_MACHINE\Software\Microsoft\PolicyManager
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SettingSync\DisableSettingSync
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

To enable/disable TLS and DTLS event logging in the System Event Log, browse to the following link and see How to enable Schannel event logging:

To enable/disable event logging in the Application and Services Logs, see the following link describing how to enumerate the log names and set their security descriptor and enabled state:
Wevtutil:

To view audit logs, see the following links (AGD1: FMT_SMF_EXT.1(32)):
Get-EventLog:

Managing Wipe
(AGD2: FCS_CKM.5) (AGD1: FMT_SMF_EXT.1(9))

This section contains the following Common Criteria SFRs:
- Extended: TSF Wipe (FCS_CKM_EXT.5)
- Specifications of Management Functions (FMT_SMF_EXT.1)

Wipe of the TOE accomplishes removal of protected data and destruction of keys/secrets.

IT Administrator Guidance

Windows 10 (Anniversary Update) devices can be managed to wipe after exceeding a maximum number of consecutive authentication failures using a MDM.
See the MDM solution documentation for detailed configuration actions.

Windows 10

Local Administrator Guidance

The following Windows help topic describes how to reset Windows 10 (Anniversary Update) devices with removal of all user data (the "Fully clean the drive" option wipes all protected data):
How to refresh, reset, or restore your PC:

Windows 10 Mobile

User Guidance

The following support topic describes how to reset a Windows 10 Mobile device:
Reset my phone:

Managing EAP-TLS
(AGD2: FCS_CKM.1) (AGD1: FCS_CKM.2) (AGD2: FDP_IFC_EXT.1) (AGD1: FMT_SMF_EXT.1(6)) (AGD1: FMT_SMF_EXT.1(7)) (AGD1: FTP.ITC_EXT.1)

This section contains the following Common Criteria SFRs:
- Extended: Trusted Channel Communication (FTP_ITC_EXT.1)
- Extended: PAE Authentication (FIA_PAE_EXT.1)
- Extended: Wireless Network Access (FTA_WSE_EXT.1)
- Specifications of Management Functions (FMT_SMF_EXT.1)

IT Administrator Guidance

Wi-Fi policies on Windows 10 (Anniversary Update) devices, including certificate validation options, can be managed using a MDM. See the MDM solution documentation for detailed configuration actions. Steps 1 - 4 in the following link describe how to configure the IT infrastructure for EAP-TLS using WPA2-Enterprise (based on 802.1x authentication and 802.11-2012 encryption standards):
Creating a secure 802.1x wireless infrastructure using Microsoft Windows:

Policy can be used to specify the wireless networks (SSIDs) that a user may connect to.
Configure Network Permissions and Connection Preferences:

Windows 10

Local Administrator Guidance

The following topics describe how to configure EAP-TLS on Windows 10 (Anniversary Update):
Extensible Authentication Protocol (EAP) Settings for Network Access:

The TOE comes preloaded with root certificates for various Certificate Authorities. The following TechNet topic describes how to manage trust relationships:
Manage Trusted Root Certificates:

User Guidance

The user views the list of available networks (including networks associated with a configured Wi-Fi profile) in Settings -> Network & Internet -> Wi-Fi. Tapping a given Wi-Fi network presents the option to Connect to the network.

Managing TLS/DTLS
(AGD1: FCS_CKM.2) (AGD1: FCS_TLSC_EXT.1) (AGD1: FCS_TLSC_EXT.2) (AGD1: FCS_DTLS_EXT.1) (AGD1: FDP_UPC_EXT.1)

The name in the certificate is automatically compared to the expected name and does not require additional configuration of the expected name for the connection.

The TOE comes preloaded with root certificates for various Certificate Authorities. Additional Certificate Authorities may be managed on the Windows 10 (Anniversary Update) device using workplace enrollment and a MDM. There is no configuration necessary to use client authentication on the device once a device has client authentication certificates. See the Managing Certificates section for information on configuring a device to enroll for client certificates.

All TLS settings, such as cipher suites, also apply to DTLS.

IT Administrator Guidance

The cipher suite selection and priority may be managed on Windows 10 (Anniversary Update) devices using a MDM. Cipher suite selection is made according to the default order as described in the previous section for Windows 10 (Anniversary Update).
See the MDM solution documentation for detailed configuration actions.

Windows 10

Local Administrator Guidance

The mandatory and optional cipher suites listed in the Security Target correlate with those available in the TOE as follows:

Cipher Suites (per Security Target) | Cipher Suite Requirement | Available Cipher Suites in TOE
TLS_RSA_WITH_AES_128_CBC_SHA | Mandatory | TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA | Optional | TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246 | Optional |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA as defined in RFC 5246 | Optional |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA as defined in RFC 4492 | Optional | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as defined in RFC 4492 | Optional | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA as defined in RFC 4492 | Optional | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA as defined in RFC 4492 | Optional | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246 | Optional | TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246 | Optional | TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246 | Optional |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246 | Optional |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289 | Optional | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289 | Optional | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289 | Optional | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289 | Optional | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Table 5: Selected TLS Cipher Suites (AGD1: FCS_TLSC_EXT.2) (AGD3: FCS_TLSC_EXT.2)

The following MSDN article describes how the administrator modifies the set of TLS cipher suites for priority and availability:
Prioritizing Schannel Cipher Suites: (v=vs.85).aspx
How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll:

The name in the certificate is automatically compared to the expected name and does not require additional configuration of the expected name for the connection.

The TOE comes preloaded with root certificates for various Certificate Authorities. The following TechNet topic describes how to manage trust relationships (AGD2: FCS_TLSC_EXT.1) (AGD3: FCS_TLSC_EXT.1) (AGD4: FCS_TLSC_EXT.2) (AGD1: FCS_HTTPS_EXT.1):
Manage Trusted Root Certificates:

Hashes in the TLS protocol are configured in association with cipher suite selection. The administrator configures the cipher suites used on a machine by following the configuration instructions at the following link: (v=vs.85).aspx

The elliptic curves are configured independently of the cipher suite configuration. (AGD6: FCS_TLSC_EXT.1)

The reference identifier in Windows 10 (Anniversary Update) for TLS is the URL of the server. There is no configuration of the reference identifier. (AGD2: FCS_TLSC_EXT.2)

The signature algorithm is not configurable in Windows 10 (Anniversary Update) for TLS. (AGD7: FCS_TLSC_EXT.1) (AGD6: FCS_TLSC_EXT.2)

User Guidance

Users may choose to use TLS with HTTPS by using https in the URL typed into the browser. The reference identifier for TLS is the URL of the server. There is no configuration of the reference identifier.

Managing Apps
(AGD1: FMT_SMF_EXT.1(10)) (AGD1: FMT_SMF_EXT.1(16)) (AGD1: FMT_SMF_EXT.1(18))

Administrators must exercise discretion when installing apps, based upon examining the app metadata describing claimed capabilities. (AGD1: FDP_ACF_EXT.1) For example:
- Installing apps that declare the sharedUserCertificates app capability allows the app to approve exceptions for shared use or destruction of keys/secrets that were imported by another app.
(AGD1: FMT_SMF_EXT.1(35))

IT Administrator Guidance

MDM solutions are capable of installing, removing and restricting the ability for applications to run on the TOE. See the MDM solution documentation for detailed configuration actions.

Windows 10

Local Administrator Guidance

The ability for users to run the Store app may be removed using a registry value:
1. Start the registry editor tool by executing the command regedit.exe as an administrator.
2. Navigate to the registry path HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsStore. Note that the WindowsStore registry key may need to be created.
3. Create a DWORD (32 bit) registry value with the name RemoveWindowsStore under the WindowsStore registry key. Set the registry value to 1.

Local administrators can also restrict the ability of users to install applications using AppLocker as described in this TechNet topic:
AppLocker Overview:

The following Windows help topic describes how to remove an app installed from the Store, or in the case of enrolled devices, from their Company Portal or installed automatically by their IT administrator, and any information the app contained:
Uninstall, change or repair a program:

Managing Volume Encryption
(AGD1: FCS_CKM.5) (AGD1: FDP_DAR_EXT.1) (AGD3: FDP_DAR_EXT.1) (AGD1: FIA_UAU_EXT.1) (AGD2: FIA_UAU_EXT.1) (AGD1: FMT_SMF_EXT.1(25))

This section contains the following Common Criteria SFRs:
- Extended: Data at Rest Encryption (FDP_DAR_EXT.1)
- Extended: Authentication for Cryptographic Operation (FIA_UAU_EXT.1)
- Specifications of Management Functions (FMT_SMF_EXT.1)

The following TechNet topic describes the BitLocker feature, including its use to encrypt the entire operating system volume or removable volumes (AGD1: FDP_DAR_EXT.1):
BitLocker Overview:

IT Administrator Guidance

If volume encryption is enabled on the TOE, then the MDM solution can configure AES-256 as the default encryption to be used when a device is BitLockered. See the MDM solution documentation for detailed configuration actions.

Windows 10

Local Administrator Guidance

The following TechNet topic describes the manage-bde command that should be executed in a command shell while running as an administrator to configure DAR protection:
Manage-bde: (v=ws.10).aspx

By default, AES128 encryption is used by the manage-bde command when enabling BitLocker for Windows 10 (Anniversary Update); the AES256 algorithm should be used instead. In addition, the TPM and PIN authorization factor must be used in the evaluated configuration. The Enhanced PIN capabilities must be used in the evaluated configuration.

To enable the TPM and Enhanced PIN authorization factors, execute the following command:
Manage-bde -on <operating system disk volume letter>: -tpmandpin -encryptionMethod aes256

A USB keyboard is necessary to enter the Enhanced PIN to unlock the drive at boot on some devices.

The following is a link to BitLocker Policy settings:

Users must create an Enhanced PIN value with a minimum of four and a maximum of 20 numeric characters, but the PIN can also include uppercase and lowercase English letters, symbols on an EN-US keyboard, numbers, and spaces. To enable the Enhanced PIN capabilities, start the gpedit.msc MMC snap-in as an administrator and enable the following local or group policy:
Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives\Allow enhanced PINs for startup

Other BitLocker policies that must be enabled to use the TPM and Enhanced PIN authenticator are:
- Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives\Enable use of BitLocker authentication requiring preboot keyboard input on slates
- Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives\Require additional authentication at startup

User Guidance
(AGD1: FMT_SMF_EXT.1(26))

Users may use BitLocker To Go in order to encrypt removable drives.
The following details how to do this:
1. Click Start, click Control Panel, click Security, and then click BitLocker Drive Encryption.
2. On the BitLocker Drive Encryption page, follow the instructions in the "Removable data drives – BitLocker To Go" section.

Windows 10 Mobile

User Guidance

To enable or disable volume encryption:
1. Go to Settings -> System -> Device Encryption.
2. Tap On/Off.

Managing VPN

(AGD1: FDP_IFC_EXT.1) (AGD3: FDP_IFC_EXT.1) (AGD1: FMT_SMF_EXT.1(3)) (AGD1: FTP_ITC_EXT.1)

IT Administrator Guidance

MDM solutions can be used to manage VPN profiles on the TOE, including lockdown VPN profiles that enforce the policy that all network traffic, other than the traffic necessary to establish the VPN connection, goes through the VPN tunnel. See the MDM solution documentation for detailed configuration actions.

Windows 10

Local Administrator Guidance

The Windows Firewall/Windows Filtering Platform may be used on Windows 10 to prevent traffic other than VPN traffic to and from the device. The Windows Filtering Platform can be configured with inbound and outbound rules whose actions PROTECT, BYPASS, DISCARD and ALLOW the traffic the rules specify.

The TechNet topic "Overview of Windows Firewall with Advanced Security" introduces the firewall. The TechNet topic "Understanding the Firewall" explains the priority in which firewall rules are applied. The TechNet topic "Network Security Cmdlets in Windows PowerShell" describes how the Windows Firewall is managed using PowerShell cmdlets.

Managing Accounts

This section contains the following Common Criteria SFRs:
Authentication Failure Handling (FIA_AFL_EXT.1)

IT Administrator Guidance

The maximum number of unsuccessful authentication attempts and the associated remediation action is a Mobile Device Management (MDM) configuration policy setting that may only be managed by an MDM system and cannot be directly configured by users on their device.
If this device configuration policy setting is configured, the remediation action wipes the device and restores factory default settings. See the MDM solution documentation for detailed configuration actions.

Windows 10

Local Administrator Guidance

(AGD1: FIA_PMG_EXT.1) (AGD1: FMT_SMF_EXT.1(1)) (AGD1: FMT_SMF_EXT.1(2))

The TechNet topic "Net Accounts" explains the net accounts command line utility used on standalone computers to manage password length and lifetime. In addition to the parameters given in that article, the following options are also valid for managing account lockout policy:
/lockoutthreshold:number : Sets the number of times a bad password may be entered before the account is locked out. If set to 0, the account is never locked out. (AGD1: FIA_AFL_EXT.1)
/lockoutwindow:minutes : Sets the length in minutes of the lockout window, the period within which failed attempts are counted toward the threshold.
/lockoutduration:minutes : Sets the number of minutes the account remains locked out.

Password complexity is configured by the administrator via Windows security policy. The relevant security policy is "Security Settings/Account Policies/Password Policy/Password must meet complexity requirements". The TechNet topic "Local Group Policy Editor" (and, for domain-joined machines, the topic on the Group Policy Management Console) includes guidance for administrators on opening the tools used to configure Windows security policy.

Exceeding the authentication failure limit is audited as Security log event ID 4740. However, this audit information is lost when an enrolled device exceeds the authentication failure limit configured by the IT administrator, because the device is wiped as described in the section "Managing Wipe".

When an organizational user attempts to log on repeatedly with a bad password, they will eventually be warned that the account is about to be locked out and that a BitLocker recovery key will be needed to unlock the device.
In certain configurations of the system, including the evaluated configuration, no BitLocker recovery key exists once the maximum logon attempt threshold is exceeded. In that situation the device is considered "wiped", because recovery of the data on the BitLocker-encrypted volumes is not possible. This holds even though the system prompts the user explicitly for a BitLocker recovery key: that prompt appears whether or not a recovery key was ever configured.

Managing Bluetooth

Bluetooth pairing uses a protected communication channel by default, so no configuration is necessary. (AGD1: FDP_UPC_EXT.1)

IT Administrator Guidance

(AGD1: FMT_SMF_EXT.1(4)) (AGD1: FMT_SMF_EXT.1(20))

The MDM solution can enable/disable Bluetooth on the TOE. The MDM solution can also a) enable/disable Discoverable mode (for BR/EDR), b) change the Bluetooth device name, and c) enable/disable Advertising (for LE). See the MDM solution documentation for detailed configuration actions.

User Guidance

(AGD1: FIA_BLT_EXT.1)

The help topic "Add a Bluetooth device" describes how to initiate and complete pairing with a Bluetooth device.

Windows 10 Mobile

User Guidance

(AGD1: FIA_BLT_EXT.1)

Users authorize Bluetooth pairing as follows:
1. Go to Settings -> Devices -> Bluetooth to manage Bluetooth devices.
2. Tap the desired device in the list of discovered devices (indicated as "Tap to pair") to perform the pairing operation.

Managing Passwords

Strong Passwords

(AGD1: FIA_PMG_EXT.1) (AGD1: FMT_SMF_EXT.1(1)) (AGD1: FMT_SMF_EXT.1(2))

This section contains the following Common Criteria SFRs:
Extended: Password Management (FIA_PMG_EXT.1)
Specifications of Management Functions (FMT_SMF_EXT.1)

IT Administrator Guidance

The composition of strong passwords and the minimum password length policy settings may only be managed by a Mobile Device Management (MDM) system and cannot be directly configured by users on their device.
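The standalone-machine settings from the Managing Accounts local administrator guidance above (lockout threshold, window and duration via net accounts; password complexity via Windows security policy), the minimum password length that this section concerns, and the "Interactive logon: Machine inactivity limit" policy referenced later under Logon/Logoff Password Policy and Locking a Device, applied and verified as one added PowerShell example. This is editorial example code, not part of the original guidance or of Microsoft's documentation. The numeric values are illustrative assumptions rather than values the guidance prescribes, and the INF section and key names are those secedit itself exports, which should be confirmed with secedit /export on the build in use before relying on them.

```powershell
# Added example: configure account lockout, password policy and the machine
# inactivity limit on a standalone Windows 10 machine, verify what is in
# effect, and show how lockouts surface in the Security log (event ID 4740).
# Run elevated. Editorial example; the numbers are illustrative assumptions.
#Requires -RunAsAdministrator

# 1. Account lockout via net accounts, using the options listed in the guidance:
#    10 bad passwords within a 15-minute window lock the account for 15 minutes.
net accounts /lockoutthreshold:10 /lockoutwindow:15 /lockoutduration:15 | Out-Null
if ($LASTEXITCODE -ne 0) { throw "net accounts failed with exit code $LASTEXITCODE" }

# 2. Password complexity, minimum length and the inactivity limit are security
#    policy settings. secedit applies them from an INF security template; the
#    [System Access] keys below are the ones 'secedit /export' produces, and the
#    inactivity limit is the registry-backed "Interactive logon: Machine inactivity
#    limit" option (type 4 = REG_DWORD, value in seconds).
$inf = Join-Path $env:TEMP 'cc-policy.inf'
$db  = Join-Path $env:TEMP 'cc-policy.sdb'
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordComplexity = 1
MinimumPasswordLength = 12
MaximumPasswordAge = 90
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs=4,900
'@ | Set-Content -Path $inf -Encoding Unicode

secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "secedit failed with exit code $LASTEXITCODE; see $env:windir\security\logs\scesrv.log"
}

# 3. Verify what is actually in effect rather than trusting the commands above.
$accounts = net accounts
$lockout  = ($accounts | Select-String 'Lockout threshold').Line.Trim()
$minLen   = ($accounts | Select-String 'Minimum password length').Line.Trim()
$timeout  = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').InactivityTimeoutSecs
"$lockout`n$minLen`nInactivityTimeoutSecs: $timeout"

# 4. Detection. Lockouts are audited as Security event 4740. On a device that the
#    MDM wipes when its own failure limit is reached this evidence is destroyed,
#    so forward or review the log before that point.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # In 4740, TargetUserName is the locked-out account and TargetDomainName
        # carries the "Caller Computer Name" from which the bad attempts came.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        '{0:u}  locked out: {1}  from: {2}' -f $_.TimeCreated, $data['TargetUserName'], $data['TargetDomainName']
    }
```

The template is applied with /areas SECURITYPOLICY only, so it does not touch user rights, services or file ACLs. Group policy from a domain overrides anything set this way on a domain-joined machine, which is why the verification step reads the effective values back instead of assuming the commands succeeded.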
See the MDM solution documentation for detailed configuration actions.

The following TechNet topics describe the characteristics available for passwords, give instructions for setting the enforcement mechanism, and discuss strong passwords and recommended minimum settings:
Strong Password
Password Best practices

Windows 10

Local Administrator Guidance

The following TechNet topics describe the characteristics available for passwords, give instructions for setting the enforcement mechanism, and discuss strong passwords and recommended minimum settings:
Enforcing Strong Password Usage Throughout Your Organization
Strong Password
Password Best practices

Protecting Passwords

This section contains the following Common Criteria SFRs:
Protected Authentication Feedback (FIA_UAU.7)

Windows 10

User Guidance

To conduct initial logon authentication, type CTRL-ALT-DEL to open the logon screen and then enter the user name and password. If no keyboard is available, swipe up to open the logon screen.

Windows 10 (Anniversary Update) obscures the password as it is entered by default; no configuration is required. The following best practices should be observed (AGD1: FIA_UAU.7):
- As with all forms of authentication, when entering your password avoid allowing other people to watch you sign in.
- Keep your device in a secure location where unauthorized people do not have physical access to it.
- As with any password entry, be aware of lines of sight and of recording devices that could capture your screen.

Windows 10 Mobile

User Guidance

Windows 10 Mobile obscures the password as it is entered by default; no configuration is required.
The following best practices should be observed:
- As with all forms of authentication, when entering your password avoid allowing other people to watch you sign in.
- Keep your device in a secure location where unauthorized people do not have physical access to it.
- As with any password entry, be aware of lines of sight and of recording devices that could capture your screen.

Logon/Logoff Password Policy

This section contains the following Common Criteria SFRs:
Extended: Authentication for Cryptographic Operation (FIA_UAU_EXT.1)
Extended: Timing of Authentication (FIA_UAU_EXT.2)
Extended: Re-Authorizing (FIA_UAU_EXT.3)
Extended: TSF and User initiated Locked State (FTA_SSL_EXT.1)
Specifications of Management Functions (FMT_SMF_EXT.1)

IT Administrator Guidance

Password policies may be configured using a Mobile Device Management (MDM) solution. See the MDM solution documentation for detailed configuration actions.

Windows 10

Local Administrator Guidance

The out-of-box experience requires that a password be assigned to each user account when the account is created. (AGD3: FIA_UAU_EXT.3)

To change an account password, do either of the following (AGD4: FIA_UAU_EXT.3):
- Tap the Start menu, tap the account picture, tap Change account settings, tap Sign-in options, and then tap Change under Password.
- Type the secure attention sequence CTRL-ALT-DEL and select Change a password.

The inactivity time period for TSF-initiated session locking is configured by the administrator via Windows security policy.
The relevant security policy is "Interactive logon: Machine inactivity limit", described in the TechNet topic "Security Policy Settings Overview" under the heading "New and changed functionality" (AGD5: FIA_UAU_EXT.3). The TechNet topic "Local Group Policy Editor" (and, for domain-joined machines, the topic on the Group Policy Management Console) includes guidance for administrators on opening the tools used to configure Windows security policy.

Managing Notifications in the Locked State

(AGD1: FMT_SMF_EXT.1(21))

This section contains the following Common Criteria SFRs:
Specifications of Management Functions (FMT_SMF_EXT.1)

Windows 10

User Guidance

To manage notifications on the lock screen, go to Settings -> System -> Notifications & actions.

Windows 10 Mobile

User Guidance

To enable or disable showing detailed status for an application on the lock screen:
1. Go to Settings -> Personalization.
2. Tap Lock screen.
3. Under "Choose an app to show detailed status", choose None to stop receiving detailed status information, or choose an application to show its detailed status on the lock screen.

To enable or disable showing quick status for applications on the lock screen:
1. Go to Settings -> Personalization.
2. Tap Lock screen.
3. Under "Choose apps to show quick status", tap each box and choose None in the CHOOSE AN APP screen to receive no quick status information on the lock screen, or tap a box and choose the desired application in the CHOOSE AN APP screen to receive quick status for that application.

To disable receiving email, calendar or text message notifications in the action center:
1. Go to Settings -> System.
2. Tap Notifications+Actions.
3. Uncheck "Show notifications in action center when my phone is locked".

Managing Certificates

(AGD1: FIA_X509_EXT.2) (AGD1: FMT_SMF_EXT.1(13)) (AGD1: FMT_SMF_EXT.1(14))

This section contains the following Common Criteria SFRs:
Extended: Validation of Certificates (FIA_X509_EXT.1)
Extended: Certificate Authentication
(FIA_X509_EXT.2)
Extended: Cryptographic Key Storage (FCS_STG_EXT.1)
Specifications of Management Functions (FMT_SMF_EXT.1)

Certificate Validation

(AGD2: FIA_X509_EXT.2) (AGD1: FMT_SMF_EXT.1(30))

When a modern Windows application validates a certificate, the connection to the configured revocation server must be available or the validation fails. This behaviour cannot be changed.

The administrator cannot configure certificate validation for code signing purposes.

The lengths of keys used with certificates are configured in the certificate templates on the Certificate Authority used during enrollment; they are not configured by the user or the local administrator.

Once a certificate suitable for client authentication is configured on the TOE, no additional configuration is necessary to use it.

Windows 10

The administrator configures certificate validation for IPsec using the Set-NetFirewallSetting PowerShell cmdlet, described in the TechNet topic "Set-NetFirewallSetting".

The administrator configures certificate validation for network connections based on EAP-TLS using the "Set Up a Connection or Network" wizard, in the "Smart Card or Other Certificate Properties" and "Configure Certificate Selection" screens, as described in the TechNet topic "Extensible Authentication Protocol (EAP) Settings for Network Access" (see the Smart Card or other Certificate Properties configuration items).

The administrator configures certificate validation for HTTPS using the Security option checkboxes on the Advanced tab of the Internet Properties dialog in Control Panel. The "Warn about certificate address mismatch" setting configures whether the web address must match the certificate subject field, warning the user of a mismatch.
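How the revocation requirement stated above looks at the API level, together with the IPsec certificate validation setting managed through Set-NetFirewallSetting, as an added PowerShell example. This is editorial example code, not part of the original guidance or of Microsoft's documentation. It builds the chain for a certificate with the .NET X509Chain class, first with online revocation checking required for the entire chain and then, for comparison only, with revocation checking disabled, so that a failure caused by an unreachable CRL or OCSP endpoint can be told apart from an untrusted chain. Taking the first certificate with a private key from the current user's Personal store is an assumption made so the script has something to test; substitute any certificate of interest.

```powershell
# Added example: chain validation with revocation required (the TOE's behaviour
# for modern applications) and the IPsec certificate validation level.
# Editorial example, not Microsoft guidance.

function Test-CertificateChain {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [switch]$SkipRevocation   # comparison only; not an evaluated-configuration option
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = if ($SkipRevocation) { 'NoCheck' } else { 'Online' }
    $chain.ChainPolicy.RevocationFlag      = 'EntireChain'   # every certificate, not only the leaf
    $chain.ChainPolicy.VerificationFlags   = 'NoFlag'        # ignore no error at all
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $ok     = $chain.Build($Certificate)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '
    # RevocationStatusUnknown / OfflineRevocation mean the revocation server could not
    # be reached. Applications on the TOE treat that as a failure, not as a warning.
    $offline = $status -match 'RevocationStatusUnknown|OfflineRevocation'
    $reason  = if ($ok) { 'chain and revocation OK' }
               elseif ($offline) { "revocation server unavailable ($status)" }
               else { $status }
    $length = $chain.ChainElements.Count
    $chain.Reset()

    [pscustomobject]@{
        Subject        = $Certificate.Subject
        Valid          = $ok
        RevocationMode = if ($SkipRevocation) { 'NoCheck' } else { 'Online' }
        Reason         = $reason
        ChainLength    = $length
    }
}

# Assumption: the first certificate with a private key in the user's Personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if ($cert) {
    Test-CertificateChain -Certificate $cert                  # what a TOE application would decide
    Test-CertificateChain -Certificate $cert -SkipRevocation  # same chain without the revocation check
} else {
    'No certificate with a private key found in Cert:\CurrentUser\My; pass one to Test-CertificateChain.'
}

# IPsec peer certificates: require a complete chain to a trusted root and a
# successful revocation check. Needs an elevated session.
Set-NetFirewallSetting -CertValidationLevel RequireChainAndRevocation
(Get-NetFirewallSetting).CertValidationLevel   # expected: RequireChainAndRevocation
```

If the first call fails with "revocation server unavailable" while the second succeeds, the certificate and its issuers are trusted but the CRL distribution point or OCSP responder is not reachable from the device, which is exactly the condition under which a TOE application refuses the connection. A certificate that fails both calls has a chain problem (untrusted root, expired, name or usage mismatch) that no revocation configuration will fix.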
The MSDN blog post "Understanding Certificate Revocation Checks" describes the "Check for server certificate revocation" setting.

Developer Guidance

Application developers import and use keys and secrets with the Windows.Security.Cryptography.Certificates namespace, as described in the MSDN topic "Windows.Security.Cryptography.Certificates namespace".

Developers have a choice when enrolling for a certificate: the CertificateEnrollmentManager base class or the derived class UserCertificateEnrollmentManager. With UserCertificateEnrollmentManager the keys are secured by the user account credentials and user account ACLs. With the CertificateEnrollmentManager base class the keys are only available to the application that imported or created them.

Shared User Keys

The MSDN topic "App capability declarations" describes the sharedUserCertificates special capability that Windows 10 or Windows 10 Mobile applications must declare in order to share keys.

Certificate Requests

(AGD3: FIA_X509_EXT.2) Certificate requests with specific fields such as "Common Name", "Organization", "Organizational Unit" and/or "Country" can be generated by apps using the Certificates.CertificateEnrollmentManager.CreateRequestAsync API, documented in the MSDN topic "CertificateEnrollmentManager.CreateRequestAsync | createRequestAsync method".

IT Administrator Guidance

Root certificates can be added to Windows 10 (Anniversary Update) devices using an MDM. See the MDM solution documentation for detailed configuration actions.

Windows 10 (Anniversary Update) devices can be managed to enroll for client certificates using an MDM.
See the MDM solution documentation for detailed configuration actions.

Keys are deleted using device wipe, as described in the section "Managing Wipe".

Windows 10

Local Administrator Guidance

The TechNet topics "Manage Certificates" (including the "Obtain a Certificate" sub-topic) and "Certutil" describe managing certificates (AGD5: FCS_TLSC_EXT.1) (AGD5: FCS_TLSC_EXT.2).

The operational guidance for setting up a trusted channel to communicate with a CA is given in the operational guidance for FTP_ITC.1 (OS).

The TOE comes preloaded with root certificates for various Certificate Authorities. The TechNet topic "Manage Trusted Root Certificates" describes how to manage trust relationships (AGD4: FCS_TLSC_EXT.1) (AGD4: FCS_TLSC_EXT.2) (AGD1: FCS_HTTPS_EXT.1).

The TechNet topic "Delete a Certificate" describes how to delete a certificate.

Keys are deleted using device wipe, as described in the section "Managing Wipe".

User Guidance

When using HTTPS in a browsing scenario, the user may choose to ignore a failed certificate validation and continue the connection.

Windows 10 Mobile

User Guidance

When using HTTPS in a browsing scenario, the user may choose to ignore a failed certificate validation and continue the connection.

Certificates may be deleted from the Trusted Root Store using device wipe, as described in the section "Managing Wipe".

Managing Time

(AGD1: FPT_STM.1)

This section contains the following Common Criteria SFRs:
Reliable Time Stamps (FPT_STM.1)

Windows 10

Local Administrator Guidance

The administrator sets the time using the Set-Date PowerShell cmdlet, documented on TechNet.

The administrator configures the time service to synchronize time from a time server using the W32tm command, documented on TechNet (see "Windows Time Service Tools").

The administrator ensures the communication path between the TOE client and the time service provider is protected from attacks that could compromise the integrity of the
time by establishing an IPsec policy using the "Windows 10 (Anniversary Update) and Windows Server 2016 AU IPsec VPN Client Operational Guidance", where section 4 provides detailed instructions for configuring the TOE client and the time service provider. The administrator ensures the NTP server is authenticated by verifying that the IP address of the NTP server provided by the IT administrator appears in the main mode and quick mode security associations, according to the audit trail for the FTP_ITC.1 requirement outlined in section "4.1 Audit Policy for IPsec Operations" of the IPsec VPN Client guidance. In particular, audits are generated when a trusted channel is established, and they include the IP addresses of the channel's local and remote endpoints.

Windows 10 Mobile

User Guidance

To set the time on Windows 10 Mobile:
1. Go to Settings -> Time & Language -> Date & Time.
2. Enable "Set date and time automatically", or set the time manually.

Windows 10 Mobile also supports automatic setting of the date and time by the mobile operator via Network Identity and Time Zone (NITZ). If the mobile operator does not support NITZ, the user can only configure the date and time manually. Windows 10 Mobile devices do not support NTP.

Getting Version Information

(AGD1: FPT_TUD_EXT.1)

This section contains the following Common Criteria SFRs:
Extended: Trusted Update: TSF Version Query (FPT_TUD_EXT.1)
Specifications of Management Functions (FMT_SMF_EXT.1)

IT Administrator Guidance

App installation and version checking can be managed on Windows 10 (Anniversary Update) devices using an MDM. See the MDM solution documentation for detailed configuration actions.
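A scripted form of the version query this section describes, as an added PowerShell example (editorial example code, not part of the original guidance or of Microsoft's documentation). It reports the hardware model, the operating system version and revision, and every installed app package with its version, and it compares the OS build with 10.0.14393, the TOE version named under Natively Installed Applications at the end of this document. Comparing only major.minor.build, and treating the UBR revision as update-level detail, is an assumption made for this check.

```powershell
# Added example: report hardware model, OS version and installed app versions,
# and check the OS build against the evaluated TOE build. Editorial example.

$EvaluatedBuild = [version]'10.0.14393'   # from "Natively Installed Applications" in this guidance

function Get-ToeVersionInfo {
    $cs = Get-CimInstance Win32_ComputerSystem
    $os = Get-CimInstance Win32_OperatingSystem
    # ReleaseId is 1607 for the Anniversary Update; UBR is the servicing revision.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        OSVersion    = [version]$os.Version      # e.g. 10.0.14393
        ReleaseId    = $cv.ReleaseId
        Revision     = $cv.UBR
        FullBuild    = "$($os.Version).$($cv.UBR)"
    }
}

function Test-EvaluatedBuild {
    param([Parameter(Mandatory)][version]$Actual, [version]$Expected = $EvaluatedBuild)
    # Assumption: major.minor.build identify the TOE; the revision changes with every update.
    ($Actual.Major -eq $Expected.Major) -and
    ($Actual.Minor -eq $Expected.Minor) -and
    ($Actual.Build -eq $Expected.Build)
}

$info = Get-ToeVersionInfo
$info
if (-not (Test-EvaluatedBuild -Actual $info.OSVersion)) {
    Write-Warning "OS build $($info.OSVersion) is not the evaluated build $EvaluatedBuild"
}

# Installed app packages and their versions. -AllUsers covers every account on the
# device but needs an elevated session; drop it to list the current user's packages.
Get-AppxPackage -AllUsers |
    Select-Object Name, Version, Publisher, @{ n = 'Users'; e = { @($_.PackageUserInformation).Count } } |
    Sort-Object Name |
    Format-Table -AutoSize
```

The Settings -> System -> About page described below shows the same version string; the scripted form is what an administrator would run across a fleet, or keep as evidence that a device was on the evaluated build at a given time.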
Windows 10

User Guidance

To determine the hardware model and operating system version, go to Settings -> System -> About.

The TechNet topic "Get-AppxPackage" describes how to enumerate all installed applications and their versions.

Windows 10 Mobile

User Guidance

To determine the hardware model and operating system version, go to Settings -> System -> About. The hardware model and operating system version are displayed on this page.

To determine the version of an app on the device:
1. Open the app.
2. Tap More…, then tap Settings.
3. The version of the app is displayed on this page.

Locking a Device

(AGD1: FMT_SMF_EXT.1(8)) (AGD1: FTA_SSL_EXT.1) (AGD1: FMT_SMF_EXT.1(2))

This section contains the following Common Criteria SFRs:
Extended: TSF and User initiated Locked State (FTA_SSL_EXT.1)
Specifications of Management Functions (FMT_SMF_EXT.1)

IT Administrator Guidance

Device locking policies can be managed on Windows 10 (Anniversary Update) devices using an MDM. See the MDM solution documentation for detailed configuration actions.

Windows 10

Local Administrator Guidance

The TechNet topics "Local Group Policy Editor" and "Group Policy Management Console" include guidance for administrators on opening the tools used to configure Windows security policy for standalone and domain-joined machines, respectively.

The inactivity time period for TSF-initiated session locking is configured by the administrator via Windows security policy.
The relevant security policy is "Interactive logon: Machine inactivity limit", described in the TechNet topic "Security Policy Settings Overview" under the heading "New and changed functionality".

User Guidance

To configure the screen lock timeout (AGD5: FIA_UAU_EXT.3) (AGD1: FTA_SSL_EXT.1), go to Settings -> System -> Power & sleep -> Additional power settings -> Change when the computer sleeps.

To initiate a session lock (AGD6: FIA_UAU_EXT.3), tap the Start menu, tap the account picture, and click Lock.

Windows 10 Mobile

(AGD5: FIA_UAU_EXT.3) (AGD1: FTA_SSL_EXT.1)

User Guidance

The help topic "How do I set or change a password on my phone?" describes how to configure the TSF to use (set or change) a Password Authentication Factor. In addition, the "Require a password after" setting must be configured with the value "each time".

The device may be commanded to transition to the locked state by configuring the inactivity interval as above and then pressing the power button to turn the device off; the lock screen is then presented, and the password is required, when the button is pressed to turn the device back on.
To manage notifications in the locked state, go to Settings -> System -> Lock Screen and use "Choose an app to show detailed status" and "Choose apps to show quick status".

Managing Notifications Prior to Unlocking a Device

(AGD1: FMT_SMF_EXT.1(36)) (AGD1: FTA_TAB.1)

This section contains the following Common Criteria SFRs:
Default TOE Access Banners (FTA_TAB.1)
Specifications of Management Functions (FMT_SMF_EXT.1)

IT Administrator Guidance

The MSDN topic "EnterpriseAssignedAccess CSP" describes the LockscreenWallpaper policy the IT administrator may use to manage notifications prior to unlocking enrolled devices.

Windows 10

Local Administrator Guidance

The following TechNet topics describe how to configure the notice shown to users prior to unlocking the device:
Interactive logon: Message title for users attempting to log on
Interactive logon: Message text for users attempting to log on

Managing Airplane Mode

(AGD1: FMT_SMF_EXT.1(4))

This section contains the following Common Criteria SFRs:
Specifications of Management Functions (FMT_SMF_EXT.1)

When airplane mode is on, wireless connections, cellular voice, cellular protocols and messaging functionality do not work on the device.

Windows 10

User Guidance

To enable/disable airplane mode, go to Settings -> Network & Internet -> Airplane Mode.

Windows 10 Mobile

User Guidance

To enable/disable airplane mode, go to Settings -> Network & Wireless -> Airplane Mode.

Managing Device Enrollment

(AGD1: FMT_SMF_EXT.1(15)) (AGD1: FMT_SMF_EXT.1(28))

This section contains the following Common Criteria SFRs:
Specifications of Management Functions (FMT_SMF_EXT.1)
Extended: Specification of Remediation Actions (FMT_SMF_EXT.2)

Unenrollment from the MDM solution performs the following remediation actions:
- alert the administrator
- remove Enterprise applications

IT Administrator Guidance

Remote unenrollment can be accomplished on Windows 10 (Anniversary Update) devices using an MDM.
See the MDM solution documentation for detailed configuration actions.

Windows 10

Local Administrator Guidance

To enroll for management:
1. Go to Settings -> Accounts -> Access work or school.
2. Tap the Connect button.
3. Fill in the user account credentials provided by your IT administrator.

To unenroll from device management:
1. Go to Settings -> Accounts -> Access work or school.
2. Select the enrollment entry, tap the Remove button that is displayed, and then confirm the Remove operation.

The user determines whether the device is enrolled by looking at the Access work or school page of the Accounts settings. If the device is enrolled, the enrollment entry shows the name established by your IT administrator together with the account name, provided by your IT administrator, that was used to enroll the device. Tapping the enrollment entry reveals the Info and Remove buttons, which may be used to synchronize device management settings, inspect the Access work or school enrollment settings, or remove the device from enrollment.

Windows 10 Mobile

User Guidance

To enroll for management:
1. Go to Settings -> Accounts -> Access work or school.
2. Tap the Connect button.
3. Fill in the user account credentials provided by your IT administrator.

To unenroll from device management:
1. Go to Settings -> Accounts -> Access work or school.
2. Select the enrollment entry, tap the Remove button that is displayed, and then confirm the Remove operation.

The user determines whether the device is enrolled by looking at the Access work or school page of the Accounts settings.
If the device is enrolled, the enrollment entry on that page shows the name established by your IT administrator together with the account name, provided by your IT administrator, that was used to enroll the device. Tapping the enrollment entry reveals the Info and Remove buttons, which may be used to synchronize device management settings, inspect the Access work or school enrollment settings, or remove the device from enrollment.

Managing Updates

(AGD1: FMT_SMF_EXT.1(17)) (AGD1: FPT_TUD_EXT.1)

Windows 10 (Anniversary Update) applications include metadata that is installed with the application by the Windows Installer or the Store app installer. The metadata includes version information that prevents the Windows Installer and the Store app installer from replacing an installed application with an older version.

Update packages downloaded by Windows Update for Windows 10 (Anniversary Update) are signed under the Microsoft Root Certificate Authority to prove their authenticity and integrity. The signature is checked on the device before any of the product updates contained in a package are installed, to verify that the updates have not been altered since they were digitally signed. If the signature is invalid, the update operation fails; if it is valid, the update operation proceeds.

IT Administrator Guidance

Windows Update policies can be managed on Windows 10 (Anniversary Update) devices using an MDM. See the MDM solution documentation for detailed configuration actions.
Windows 10

Local Administrator Guidance

The local administrator manages system updates using the following settings interface: Settings -> Update & security -> Windows Update.

Managing Collection Devices

(AGD1: FMT_SMF_EXT.1(5))

This section contains the following Common Criteria SFRs:
Specifications of Management Functions (FMT_SMF_EXT.1)

IT Administrator Guidance

The camera may be enabled/disabled on the TOE using a Mobile Device Management (MDM) solution. See the MDM solution documentation for detailed configuration actions.

The microphone may be enabled/disabled on Windows 10 Mobile using a Mobile Device Management (MDM) solution. See the MDM solution documentation for detailed configuration actions.

Windows 10

Local Administrator Guidance

The local administrator disables/enables the camera for all users by disabling all sub-nodes under the "Imaging devices" node in Device Manager. To start Device Manager, type "Device Manager" in the taskbar search box and click the Device Manager icon.

The local administrator disables/enables the microphone for all users as follows:
1. On the desktop, right-click the Start button and click the Control Panel menu item.
2. Type "Sound" and choose "Manage audio devices" from the list to open the Sound window.
3. In the Sound window, click the Recording tab.
4. On the Recording tab, right-click the Microphone item(s) and select the Disable menu item.
Note: to reverse this step, select the "Show Disabled Devices" menu item so that the disabled microphone is listed and can be enabled again.

Managing USB

(AGD1: FMT_SMF_EXT.1(22))

This section contains the following Common Criteria SFRs:
Specifications of Management Functions (FMT_SMF_EXT.1)

IT Administrator Guidance

MDM solutions are capable of managing USB connectivity on Windows 10 Mobile devices.
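The Device Manager procedures given for the camera and microphone under Managing Collection Devices above, for the USB root hubs in the Windows 10 guidance of this section, and for cellular adapters under Managing Cellular Protocols later in the document, carried out with the PnpDevice cmdlets as one added PowerShell example. This is editorial example code, not part of the original guidance or of Microsoft's documentation. The device classes and friendly-name filters are assumptions: vendors name devices differently, so check them against Get-PnpDevice output on the target hardware before relying on the script.

```powershell
# Added example: disable (or re-enable) data-collection and connectivity devices
# for all users with the PnpDevice cmdlets, the scripted form of the Device
# Manager steps for cameras, microphones, USB root hubs and cellular adapters.
# Run elevated. Editorial example; classes and filters are assumptions.
#Requires -RunAsAdministrator

function Set-DeviceClassState {
    param(
        [Parameter(Mandatory)][string]$Class,                                   # PnP device class name
        [scriptblock]$Filter = { $true },                                       # extra selection, e.g. on FriendlyName
        [Parameter(Mandatory)][ValidateSet('Disable', 'Enable')][string]$Action
    )
    $devices = @(Get-PnpDevice -Class $Class -PresentOnly -ErrorAction SilentlyContinue | Where-Object $Filter)
    foreach ($d in $devices) {
        if ($Action -eq 'Disable') { Disable-PnpDevice -InstanceId $d.InstanceId -Confirm:$false }
        else                       { Enable-PnpDevice  -InstanceId $d.InstanceId -Confirm:$false }
        "$Action : [$Class] $($d.FriendlyName) ($($d.InstanceId))"
    }
    if ($devices.Count -eq 0) { "No present devices of class $Class matched the filter." }
}

# Camera: the "Imaging devices" node is class Image; newer cameras use class Camera.
'Image', 'Camera' | ForEach-Object { Set-DeviceClassState -Class $_ -Action Disable }

# Microphone: audio endpoints whose name identifies them as a microphone (assumed filter).
Set-DeviceClassState -Class AudioEndpoint -Filter { $_.FriendlyName -match 'Microphone' } -Action Disable

# USB: the USB Root Hub nodes under "Universal Serial Bus controllers".
# Disabling a root hub also disables any keyboard attached to it.
Set-DeviceClassState -Class USB -Filter { $_.FriendlyName -like '*Root Hub*' } -Action Disable

# Cellular: mobile broadband / WWAN adapters under "Network adapters" (assumed name pattern).
Set-DeviceClassState -Class Net -Filter { $_.FriendlyName -match 'Mobile Broadband|WWAN|Cellular|LTE' } -Action Disable

# Verify: a device disabled this way reports Status 'Error' and Problem CM_PROB_DISABLED.
Get-PnpDevice -Class Image, Camera, AudioEndpoint, USB, Net -PresentOnly -ErrorAction SilentlyContinue |
    Where-Object { $_.Status -eq 'Error' } |
    Select-Object Class, FriendlyName, Status, Problem |
    Format-Table -AutoSize
```

Run the USB step only from a session you can keep (remote PowerShell, or a device with a built-in keyboard): the volume encryption guidance notes that some devices need a USB keyboard to enter the BitLocker PIN at boot, and a disabled root hub takes that keyboard with it. Each Set-DeviceClassState call can be repeated with -Action Enable to reverse the change.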
See the MDM solution documentation for detailed configuration actions.

Windows 10

Local Administrator Guidance

The local administrator may also disable USB in the Device Manager application: right-click the USB Root Hub child node under the Universal Serial Bus controllers node and select the Properties menu item to open the USB Root Hub Properties window, then click the Driver tab and click the Disable button.

Managing Backup

(AGD1: FMT_SMF_EXT.1(40))

This section contains the following Common Criteria SFRs:
Specifications of Management Functions (FMT_SMF_EXT.1)

Windows 10

Local Administrator Guidance

The following policy setting in the Group Policy Editor can be used to disable Sync your settings:
"Do not sync" policy, located at Computer Configuration\Administrative Templates\Windows Components\Sync your settings
In addition to enabling the policy, ensure the "Allow user to turn syncing on" option is unchecked.

Windows 10 and Windows 10 Mobile

User Guidance

To configure OneDrive to sync settings, go to Settings -> Accounts -> Sync your settings.

Managing Enterprise Apps

(AGD1: FMT_SMF_EXT.1(19)) (AGD1: FPT_TUD_EXT.2)

This section contains the following Common Criteria SFRs:
Specifications of Management Functions (FMT_SMF_EXT.1(19))
Extended: Trusted Update Verification (FPT_TUD_EXT.2)

Enterprise organizations may deploy line-of-business (LOB) applications on devices configured for enterprise apps. In addition to configuring the enterprise apps policy, the organization must deploy the digital signature certificate associated with its LOB apps as a trusted root certificate on enrolled devices, as described in the section "Managing Certificates". (AGD1: FPT_TUD_EXT.2)

IT Administrator Guidance

App policies can be managed on Windows 10 (Anniversary Update) devices using an MDM. See the MDM solution documentation for detailed configuration actions.
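The signature check that Managing Updates above describes for update packages, and the requirement in this section that a LOB app's signing certificate chain to a root the device trusts, shown as an explicit pre-installation check in one added PowerShell example. This is editorial example code, not part of the original guidance or of Microsoft's documentation; Windows performs its own verification regardless, and this script only makes the outcome visible and lets an administrator pin the expected publisher. The package paths and the publisher name are hypothetical.

```powershell
# Added example: verify the Authenticode signature of a package before installing
# it, and refuse packages whose signer is untrusted or not the expected publisher.
# Editorial example; paths and publisher name are hypothetical placeholders.

function Test-PackageSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$ExpectedPublisher = @()   # optional subject pin, e.g. the LOB signing certificate subject
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File   = Split-Path $Path -Leaf
        # Valid = signed and chained to a trusted root; HashMismatch = content altered after
        # signing; NotSigned; UnknownError usually means the chain is untrusted.
        Status = $sig.Status.ToString()
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Issuer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { $null }
        Ok     = $false
    }
    if ($sig.Status -eq 'Valid') {
        $result.Ok = ($ExpectedPublisher.Count -eq 0) -or ($ExpectedPublisher -contains $result.Signer)
    }
    [pscustomobject]$result
}

# Install a sideloaded LOB package only when its signature is valid, trusted and
# (if given) from the expected publisher. Add-AppxPackage also requires sideloading
# to be enabled, as described under User Guidance for this section.
function Install-LobPackage {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Publisher
    )
    $pin   = if ($Publisher) { @($Publisher) } else { @() }
    $check = Test-PackageSignature -Path $Path -ExpectedPublisher $pin
    if (-not $check.Ok) {
        throw "Refusing to install $($check.File): status=$($check.Status) signer=$($check.Signer)"
    }
    Add-AppxPackage -Path $Path
    $check
}

# Usage with hypothetical paths. An .msu update package carries an Authenticode
# signature, so the same check applies to updates staged for offline installation.
Test-PackageSignature -Path 'C:\Updates\update.msu'
Install-LobPackage -Path 'C:\LOB\ContosoExpenses.appx' -Publisher 'CN=Contoso LOB Signing'
```

A package whose signer is valid but whose root is not in the device's Trusted Root store returns a non-Valid status, which is the failure an organization sees when it forgets the step in this section of deploying its LOB signing certificate as a trusted root before deployment. Pinning the subject guards against the separate case where a package is validly signed by some other trusted publisher.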
User Guidance

The TechNet topic "Sideload LOB apps in Windows 10" describes how to configure Enterprise apps.

Managing Developer Mode

(AGD1: FMT_SMF_EXT.1(24))

This section contains the following Common Criteria SFRs:
Specifications of Management Functions (FMT_SMF_EXT.1)
Extended: Trusted Update Verification (FPT_TUD_EXT.2)

Developer Mode allows installation of test-signed applications. When developer mode is enabled, the TOE trusts valid app digital signatures. (FMT_SMF_EXT.1(33)) (AGD1: FPT_TUD_EXT.2)

IT Administrator Guidance

Developer mode policies can be managed on Windows 10 (Anniversary Update) devices using an MDM. See the MDM solution documentation for detailed configuration actions.

Windows 10

Local Administrator Guidance

Developer mode is configured by the administrator via Windows security policy, as described in the topic "Enable your device for development".

Managing Cryptographic Algorithms

(AGD1: FCS_CKM.1) (AGD1: FCS_STG_EXT.1) (AGD2: FCS_STG_EXT.1) (AGD3: FCS_STG_EXT.1) (AGD1: FMT_SMF_EXT.1(11)) (AGD1: FMT_SMF_EXT.1(12))

This guidance applies to both Windows 10 and Windows 10 Mobile.

No configuration is required to use the random number generator algorithms. (AGD1: FCS_RBG_EXT.1)

There is no global configuration for hashing algorithms. The required hash sizes are supported, and no global configuration is needed.

There is no global configuration for key generation schemes. The required key generation schemes are supported, and no global configuration is needed.

There is no global configuration for key establishment schemes. The required key establishment schemes are supported, and no global configuration is needed.

Keys may be imported by apps using the Certificates.CertificateEnrollmentManager.ImportPfxDataAsync API, documented on MSDN.

Keys are destroyed by wiping the device; see the section "Managing Wipe".

Cryptographic Algorithm Validation Program (CAVP) testing was performed on the Windows 10 (Anniversary Update) system cryptographic engine.
Other cryptographic engines may have been separately evaluated but were not part of this CC evaluation.

Managing GPS

(AGD1: FMT_SMF_EXT.1(4))

IT Administrator Guidance

GPS may be enabled/disabled on the TOE using a Mobile Device Management (MDM) solution. See the MDM solution documentation for detailed configuration actions.

Managing Location Services

(AGD1: FMT_SMF_EXT.1(44))

IT Administrator Guidance

Location Services may be enabled/disabled on the TOE using a Mobile Device Management (MDM) solution. See the MDM solution documentation for detailed configuration actions.

Windows 10

Local Administrator Guidance

The location service is configured by the administrator via Windows security policy. The relevant policy is "Local Computer Policy\Administrative Templates\Windows Components\Location and Sensors\Turn off location". The TechNet topic "Local Group Policy Editor" (and, for domain-joined machines, the topic on the Group Policy Management Console) includes guidance for administrators on opening the tools used to configure Windows security policy.

Managing Wi-Fi

IT Administrator Guidance

(AGD1: FMT_SMF_EXT.1(4))

Wi-Fi may be enabled/disabled on the TOE using a Mobile Device Management (MDM) solution. See the MDM solution documentation for detailed configuration actions.

Managing Wireless Networks (SSIDs)

IT Administrator Guidance

(AGD1: FMT_SMF_EXT.1(6))

Wi-Fi SSIDs may be configured on the TOE using a Mobile Device Management (MDM) solution. See the MDM solution documentation for detailed configuration actions.

Windows 10

Local Administrator Guidance

Wireless networks (SSIDs) may be enabled/disabled by the local administrator by disabling the Wi-Fi network adapter, as described in the TechNet topic "Disable-NetAdapter".

Managing Personal Hotspots

IT Administrator Guidance

(AGD1: FMT_SMF_EXT.1(23))

Sharing a personal hotspot may be enabled/disabled on the TOE using a Mobile Device Management (MDM) solution.
See the MDM solution documentation for detailed configuration actions.

Windows 10

Local Administrator Guidance

Personal hotspots may be enabled/disabled by the Local Administrator by disabling the Wi-Fi network adapter. The following TechNet topic describes the cmdlet used to disable a network adapter:

Disable-NetAdapter

Managing Mobile Broadband

IT Administrator Guidance

(AGD1: FMT_SMF_EXT.1(4))

Mobile broadband may be enabled/disabled by using a Mobile Device Management (MDM) solution. See the MDM solution documentation for detailed configuration actions.

Managing Cellular Protocols

(AGD1: FMT_SMF_EXT.1(31))

Windows 10 Mobile

IT Administrator Guidance

Cellular protocols may be enabled/disabled on Windows 10 Mobile by using a Mobile Device Management (MDM) solution. See the MDM solution documentation for detailed configuration actions.

Windows 10

Local Administrator Guidance

The local administrator disables/enables cellular protocols for all users by disabling all cellular sub-nodes under the “Network adapters” node in Device Manager. To start Device Manager, type “Device Manager” in the taskbar search box and click the Device Manager icon.

Managing Health Attestation

(AGD1: FPT_NOT_EXT.1) (AGD2: FPT_NOT_EXT.1)

This section contains the following Common Criteria SFRs:

Extended: Self-Test Event Notification by Attestation (FPT_NOT_EXT.1(ATTEST))

IT Administrator Guidance

Health attestation policies can be managed using an MDM to determine the health of enrolled Windows 10 (Anniversary Update) devices. See the MDM solution documentation for detailed configuration actions. The device creates a Health Attestation log every time the system boots.
The Health Attestation logs are found in the following directory:

%windir%\Logs\MeasuredBoot

The contents of the Health Attestation logs may be viewed on or off the TOE using the “TPM Platform Crypto-Provider Toolkit”, which can be downloaded from the following link:

TPM Platform Crypto-Provider Toolkit

Managing Sensitive Data

IT Administrator Guidance

Enterprise Data Protection policies can be managed by using an MDM to help protect against accidental data leakage from enrolled employee-owned Windows 10 (Anniversary Update) devices. See the MDM solution documentation for detailed configuration actions.

Windows 10

Local Administrator Guidance

Enterprise Data Protection policies are applied on enrolled devices; see the section “Managing Device Enrollment” for more information about enrolling devices with an MDM.

Windows 10 Mobile

User Guidance

Enterprise Data Protection policies are applied on enrolled devices; see the section “Managing Device Enrollment” for more information about enrolling devices with an MDM.

Managing USB Mass Storage

IT Administrator Guidance

USB Mass Storage may be enabled/disabled on the TOE by using a Mobile Device Management (MDM) solution. See the MDM solution documentation for detailed configuration actions.

Natively Installed Applications

The set of applications and system files included in the TOE are version 10.0.14393. The following embedded Excel file has the lists of files:
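The following is an added example and not part of the Microsoft guidance: a single local-administrator check that reports the state of the management functions covered above (Developer Mode, Location Services, Wi-Fi and personal hotspot adapters, cellular devices, the Health Attestation log directory) together with the TOE version listed under Natively Installed Applications. The registry paths and value names used for Developer Mode and the "Turn off location" policy, and the name patterns used to recognise wireless and cellular hardware, are assumptions noted in the comments; with -DisableRadios the script also applies the Disable-NetAdapter step from the Wireless Networks and Personal Hotspots guidance and the PowerShell equivalent of the Device Manager step from the Cellular Protocols guidance.

```powershell
# Added example (not from the Microsoft guidance): evaluated-configuration check for the
# management functions described in this section, on Windows 10 (Anniversary Update).
# Registry paths, value names and hardware name patterns are assumptions noted inline.
# Run from an elevated Windows PowerShell session.
param([switch]$DisableRadios)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Area, [string]$State, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Area = $Area; State = $State; Detail = $Detail })
}
function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# 1. TOE version: Natively Installed Applications lists version 10.0.14393.
$cv = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = '{0}.{1}.{2}' -f (Get-RegValue $cv CurrentMajorVersionNumber),
                          (Get-RegValue $cv CurrentMinorVersionNumber),
                          (Get-RegValue $cv CurrentBuildNumber)
Add-Finding 'TOE version' $(if ($build -eq '10.0.14393') { 'OK' } else { 'MISMATCH' }) "reported $build, evaluated 10.0.14393"

# 2. Developer Mode (FMT_SMF_EXT.1(33)). Assumption: the setting is reflected in
#    AllowDevelopmentWithoutDevLicense under AppModelUnlock (and under the Appx policy key
#    when set through Group Policy). Any non-zero value means test-signed packages install.
$devPaths = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx',
              'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock')
$devOn = $false
foreach ($p in $devPaths) {
    if ([int](Get-RegValue $p AllowDevelopmentWithoutDevLicense) -ne 0) { $devOn = $true }
}
Add-Finding 'Developer Mode' $(if ($devOn) { 'ENABLED' } else { 'disabled' }) 'AllowDevelopmentWithoutDevLicense'

# 3. Location services (FMT_SMF_EXT.1(44)). Assumption: the "Turn off location" policy
#    writes DisableLocation=1 under the LocationAndSensors policy key.
$locOff = [int](Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors' DisableLocation)
Add-Finding 'Location' $(if ($locOff -eq 1) { 'disabled by policy' } else { 'NOT disabled by policy' }) "DisableLocation=$locOff"

# 4. Wi-Fi and personal hotspot (FMT_SMF_EXT.1(4), (23)): both ride on the physical Wi-Fi
#    adapter that the guidance disables with Disable-NetAdapter. Assumption: the adapter is
#    recognised by its interface description.
$wifi = Get-NetAdapter -Physical | Where-Object { $_.InterfaceDescription -match 'Wi-?Fi|Wireless|802\.11' }
foreach ($a in $wifi) {
    if ($DisableRadios -and $a.Status -ne 'Disabled') { Disable-NetAdapter -Name $a.Name -Confirm:$false }
    Add-Finding 'Wi-Fi adapter' (Get-NetAdapter -Name $a.Name).Status "$($a.Name): $($a.InterfaceDescription)"
}

# 5. Cellular protocols (FMT_SMF_EXT.1(31)): PowerShell form of disabling the cellular
#    sub-nodes under Device Manager's "Network adapters" node. Assumption: cellular devices
#    carry one of these words in their friendly name.
$cell = Get-PnpDevice -Class Net -ErrorAction SilentlyContinue |
        Where-Object { $_.FriendlyName -match 'Mobile Broadband|WWAN|Cellular|LTE' }
foreach ($d in $cell) {
    if ($DisableRadios -and $d.Status -eq 'OK') { Disable-PnpDevice -InstanceId $d.InstanceId -Confirm:$false }
    Add-Finding 'Cellular device' (Get-PnpDevice -InstanceId $d.InstanceId).Status $d.FriendlyName
}

# 6. Health Attestation (FPT_NOT_EXT.1): a measured boot log is written on every boot under
#    %windir%\Logs\MeasuredBoot; report the newest one and the TPM it was measured into.
$mbDir  = Join-Path $env:windir 'Logs\MeasuredBoot'
$latest = Get-ChildItem -Path $mbDir -Filter '*.log' -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($latest) { Add-Finding 'Measured Boot log' 'present' "$($latest.Name), $($latest.Length) bytes, written $($latest.LastWriteTime)" }
else         { Add-Finding 'Measured Boot log' 'MISSING' $mbDir }
try {
    $tpm = Get-Tpm
    Add-Finding 'TPM' $(if ($tpm.TpmPresent -and $tpm.TpmReady) { 'present and ready' } else { 'CHECK' }) "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
} catch { Add-Finding 'TPM' 'CHECK' $_.Exception.Message }

$findings | Format-Table -AutoSize
```

Run it without the switch first to record the current state; rows marked ENABLED, MISMATCH, MISSING or CHECK are the ones to reconcile against the MDM or local policy before treating the device as being in the evaluated configuration. The registry-based checks report what policy has written, not what an MDM may push later, so re-run after enrollment.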