Version 2.4 January 28, 2016. Prepared by:




Microsoft Windows 10 with Surface 3, Surface Pro 3, Dell Venue 8 Pro, HP Pro X2, Lenovo X1 Carbon, and Panasonic FZ-G1 Common Criteria Assurance Activities Report

Version 2.4
January 28, 2016

Prepared by:
Leidos Inc. (formerly Science Applications International Corporation)
https://www.leidos.com/commercialcyber/ate
Common Criteria Testing Laboratory
6841 Benjamin Franklin Drive
Columbia, MD 21046

Microsoft 2016 Page 1 of 213

Prepared for:
National Information Assurance Partnership
Common Criteria Evaluation and Validation Scheme

The Developer of the TOE:
Microsoft Corporation
Corporate Headquarters
One Microsoft Way
Redmond, WA 98052-6399

The TOE Evaluation was Sponsored by:
Microsoft Corporation
Corporate Headquarters
One Microsoft Way
Redmond, WA 98052-6399

Evaluation Personnel:
Greg Beaver
Dawn Campbell
Gary Grainger
Kevin Steiner

Common Criteria Versions
Common Criteria for Information Technology Security Evaluation Part 1: Introduction, Version 3.1, Revision 4, September 2012.
Common Criteria for Information Technology Security Evaluation Part 2: Security Functional Components, Revision 4, September 2012.
Common Criteria for Information Technology Security Evaluation Part 3: Security Assurance Components, Revision 4, September 2012.

Common Evaluation Methodology Versions
Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 4, September 2012.

Protection Profiles
Protection Profile for Mobile Device Fundamentals, Version 2.0, 17 September 2014

Table of Contents

1 Introduction
1.1 Evidence
1.2 Protection Profile
2 Security Functional Requirement Assurance Activities
2.1 Security Audit (FAU)
2.1.1 Audit Data Generation (FAU_GEN.1)
2.1.2 Security Audit Review (FAU_SAR.1)
2.1.3 Security Audit Event Selection (FAU_SEL.1)
2.1.4 Audit Storage Protection (FAU_STG.1)
2.1.5 Prevention of Audit Data Loss (FAU_STG.4)
2.2 Cryptographic Support (FCS)
2.2.1 Cryptographic Key Generation (FCS_CKM.1(1))
2.2.2 Cryptographic Key Generation (WLAN) (FCS_CKM.1(2))
2.2.3 Cryptographic Key Generation (WLAN) (FCS_CKM.1(3))
2.2.4 Cryptographic Key Establishment FCS_CKM.2.1(1)
2.2.5 Cryptographic Key Distribution (WLAN) FCS_CKM.2.1(2)
2.2.6 Cryptographic Key Support (REK) FCS_CKM_EXT.1
2.2.7 Extended: Cryptographic Key Support (FCS_CKM_EXT.1.4)
2.2.8 Cryptographic Key Random Generation (FCS_CKM_EXT.2)
2.2.9 Cryptographic Key Encryption Keys (FCS_CKM_EXT.3)
2.2.10 Cryptographic Key Destruction (FCS_CKM_EXT.4)
2.2.11 TSF Wipe (FCS_CKM_EXT.5)
2.2.12 Cryptographic Salt Generation (FCS_CKM_EXT.6)
2.2.13 Cryptographic Operation (FCS_COP.1(1))
2.2.14 Hashing Algorithms (FCS_COP.1(2))
2.2.15 Signature Algorithms (FCS_COP.1(3))
2.2.16 Keyed Hash Algorithms (FCS_COP.1(4))
2.2.17 Password-Based Key Derivation Functions (FCS_COP.1(5))
2.2.18 Extended: HTTPS Protocol (FCS_HTTPS_EXT.1)
2.2.19 Initialization Vector Generation (FCS_IV_EXT.1)
2.2.20 Random Bit Generation (FCS_RBG_EXT.1)
2.2.21 Extended: Cryptographic Algorithm Services (FCS_SRV_EXT.1.1)
2.2.22 Extended: Cryptographic Algorithm Services (FCS_SRV_EXT.1.2)
2.2.23 Extended: Cryptographic Key Storage (FCS_STG_EXT.1)
2.2.24 Extended: Encrypted Cryptographic Key Storage (FCS_STG_EXT.2)
2.2.25 Extended: Integrity of encrypted key storage (FCS_STG_EXT.3)
2.2.26 Extended: EAP TLS Protocol (FCS_TLSC_EXT.1.1)
2.2.27 Extended: EAP TLS Protocol (FCS_TLSC_EXT.1.2)
2.2.28 Extended: EAP TLS Protocol (FCS_TLSC_EXT.1.3)
2.2.29 Extended: EAP TLS Protocol (FCS_TLSC_EXT.1.4)
2.2.30 Extended: EAP TLS Protocol (FCS_TLSC_EXT.1.5)
2.2.31 Extended: EAP TLS Protocol (FCS_TLSC_EXT.1.6)
2.2.32 Extended: EAP TLS Protocol (FCS_TLSC_EXT.1.7)
2.2.33 Extended: EAP TLS Protocol (FCS_TLSC_EXT.1.8)
2.2.34 Extended: TLS Protocol (FCS_TLSC_EXT.2.1)
2.2.35 Extended: TLS Protocol (FCS_TLSC_EXT.2.2)
2.2.36 Extended: TLS Protocol (FCS_TLSC_EXT.2.3)
2.2.37 Extended: TLS Protocol (FCS_TLSC_EXT.2.4)
2.2.38 Extended: TLS Protocol (FCS_TLSC_EXT.2.5)
2.2.39 Extended: TLS Protocol (FCS_TLSC_EXT.2.6)
2.2.40 Extended: TLS Protocol (FCS_TLSC_EXT.2.7)
2.2.41 Extended: TLS Protocol (FCS_TLSC_EXT.2.8)
2.3 User Data Protection (FDP)
2.3.1 Extended: Security Access Control (FDP_ACF_EXT.1.1)
2.3.2 Extended: Security Access Control (FDP_ACF_EXT.1.2)
2.3.3 Extended: Security Access Control (FDP_ACF_EXT.1.3)
2.3.4 Extended: Limitation of Bluetooth Device Access (FDP_BLT_EXT.1)
2.3.5 Extended: Protected Data Encryption (FDP_DAR_EXT.1)
2.3.6 Extended: Subset information flow control (FDP_IFC_EXT.1)
2.3.7 Extended: User Data Storage (FDP_STG_EXT.1)
2.3.8 Extended: Inter-TSF user data transfer protection (FDP_UPC_EXT.1)
2.4 Identification and Authentication (FIA)
2.4.1 Authentication failure handling (FIA_AFL_EXT.1)
2.4.2 Bluetooth Authorization and Authentication (FIA_BLT_EXT.1)
2.4.3 Bluetooth Authorization and Authentication (FIA_BLT_EXT.1.2)
2.4.4 Extended: Bluetooth Authentication (FIA_BLT_EXT.2)
2.4.5 Extended: Rejection of Duplicate Bluetooth Connections FIA_BLT_EXT.3
2.4.6 Port Access Entity Authentication (FIA_PAE_EXT.1)
2.4.7 Extended: Password Management (FIA_PMG_EXT.1)
2.4.8 Extended: Authentication Throttling (FIA_TRT_EXT.1)
2.4.9 Protected Authentication Feedback (FIA_UAU.7)
2.4.10 Extended: Authentication for Cryptographic Operation (FIA_UAU_EXT.1)
2.4.11 Extended: Timing of Authentication (FIA_UAU_EXT.2)
2.4.12 Extended: Re-Authentication (FIA_UAU_EXT.3)
2.4.13 Extended: Validation of certificates (FIA_X509_EXT.1)
2.4.14 Extended: X509 certificate authentication (FIA_X509_EXT.2)
2.4.15 Extended: X509 certificate authentication (FIA_X509_EXT.2.3)
2.4.16 Extended: X509 certificate authentication (FIA_X509_EXT.2.4)
2.4.17 Extended: Request Validation of certificates (FIA_X509_EXT.3)
2.5 Security Management (FMT)
2.5.1 Extended: Management of Security Functions Behavior (FMT_MOF_EXT.1.1)
2.5.2 Extended: Management of Security Functions Behavior (FMT_MOF_EXT.1.2)
2.5.3 Extended: Specification of Management Functions (FMT_SMF_EXT.1)
2.5.4 Extended: Specification of Remediation Actions (FMT_SMF_EXT.2)
2.6 Protection of the TSF (FPT)
2.6.1 Extended: Anti-Exploitation Services (ASLR) (FPT_AEX_EXT.1)
2.6.2 Extended: Anti-Exploitation Services (ASLR) (FPT_AEX_EXT.1.3)
2.6.3 Extended: Anti-Exploitation Services (ASLR) (FPT_AEX_EXT.1.4)
2.6.4 Extended: Anti-Exploitation Services (Memory Page Permissions) (FPT_AEX_EXT.2.1)
2.6.5 Extended: Anti-Exploitation Services (Memory Page Permissions) (FPT_AEX_EXT.2.2)
2.6.6 Extended: Anti-Exploitation Services (Overflow Protection) (FPT_AEX_EXT.3)
2.6.7 Extended: Anti-Exploitation Services (Overflow Protection) (FPT_AEX_EXT.3.2)
2.6.8 Extended: Domain Isolation (FPT_AEX_EXT.4)
2.6.9 Application Processor Mediation (FPT_BBD_EXT.1)
2.6.10 Extended: Limitation of Bluetooth Profile Support (FPT_BLT_EXT.1)
2.6.11 Extended: Key Storage (FPT_KST_EXT.1)
2.6.12 Extended: No Key Transmission (FPT_KST_EXT.2)
2.6.13 Extended: No Plaintext Key Export (FPT_KST_EXT.3)
2.6.14 Extended: Self-Test Notification (FPT_NOT_EXT.1)
2.6.15 Extended: Self-Test Notification (FPT_NOT_EXT.1.2)
2.6.16 Extended: Self-Test Notification (FPT_NOT_EXT.1.3)
2.6.17 Reliable Time Stamps (FPT_STM.1)
2.6.18 Extended: TSF Cryptographic Functionality Testing (FPT_TST_EXT.1)
2.6.19 Extended: TSF Integrity Testing (FPT_TST_EXT.2.1)
2.6.20 Extended: TSF Integrity Testing (FPT_TST_EXT.2.2)
2.6.21 Extended: Trusted Update: TSF Version Query (FPT_TUD_EXT.1)
2.6.22 Extended: Trusted Update Verification (FPT_TUD_EXT.2)
2.6.23 Extended: Trusted Update Verification (FPT_TUD_EXT.2.4)
2.6.24 Extended: Trusted Update Verification (FPT_TUD_EXT.2.5)
2.6.25 Extended: Trusted Update Verification (FPT_TUD_EXT.2.6)
2.6.26 Extended: Trusted Update Verification (FPT_TUD_EXT.2.7)
2.7 TOE Access (FTA)
2.7.1 Extended: TSF- and User-initiated locked state (FTA_SSL_EXT.1)
2.7.2 Default TOE Access Banners (FTA_TAB.1)
2.7.3 Extended: Wireless Network Access (FTA_WSE_EXT.1)
2.8 Trusted Path/Channels (FTP)
2.8.1 Extended: Trusted channel Communication (FTP_ITC_EXT.1)
3 Security Assurance Requirements
3.1 Class ADV: Development
3.1.1 ADV_FSP.1 Basic Functional Specification
3.2 Class AGD: Guidance Documents
3.2.1 AGD_OPE.1 Operational User Guidance
3.2.2 AGD_PRE.1 Preparative Procedures
3.3 Class ALC: Life-Cycle Support
3.3.1 ALC_CMC.1 Labeling of the TOE Assurance Activity
3.3.2 ALC_CMS.1 TOE CM Coverage Assurance Activity
3.3.3 Timely Security Updates (ALC_TSU_EXT) Assurance Activity
3.4 ATE_IND.1 Independent Testing Conformance
3.4.1 ATE_IND.1 Assurance Activity
3.4.2 Cryptographic Algorithm Validation Programming Testing
3.5 Class AVA: Vulnerability Assessment
3.5.1 AVA_VAN.1 Assurance Activity

1 INTRODUCTION

This document presents assurance activity evaluation results of the Microsoft Windows 10 evaluation. There are three types of assurance activities and the following is provided for each:

1. TOE Summary Specification (TSS): an indication that the required information is in the TSS section of the Security Target
2. Guidance: a specific reference to the location in the guidance is provided for the required information
3. Test: a summary of the test procedure and result is provided for each required test activity.

This Assurance Activities Report contains sections for each functional class and family and sub-sections addressing each of the SFRs specified in the Security Target.

1.1 Evidence

[ST] Microsoft Windows 10 Security Target, v1.0, January 26, 2016
[Guide] Microsoft Windows 10 Mobile Device Operational Guidance, V1.0, January 12, 2016
[TPM 1.2 Design] TPM Main Part 1: Design Principles, Specification Version 1.2, Revision 116, 1 March 2011
[TPM 1.2 Commands] TPM Main Part 3: Commands, Specification Version 1.2, Revision 116, 1 March 2011
[TPM 2.0 Arch] Trusted Platform Module Library Part 1: Architecture, Family 2.0, Level 00, Revision 01.16, October 30, 2014
[TPM 2.0 Commands] Trusted Platform Module Library Part 3: Commands, Family 2.0, Level 00, Revision 01.16, October 30, 2014

1.2 Protection Profile

[PP MDF] Protection Profile for Mobility Device Fundamentals, Version 2.01, 17 September 2014

2 SECURITY FUNCTIONAL REQUIREMENT ASSURANCE ACTIVITIES

This section describes the assurance activities associated with the SFRs defined in the ST and the results of those activities as performed by the evaluation team. The assurance activities are derived from the [PP MDF].

2.1 Security Audit (FAU)

2.1.1 Audit Data Generation (FAU_GEN.1)

2.1.1.1 TSS Assurance Activities

2.1.1.2 Guidance Assurance Activities The evaluator shall check the administrative guide and ensure that it lists all of the auditable events and provides a format for audit records. Each audit record format type must be covered, along with a brief description of each field. The evaluator shall check to make sure that every audit event type mandated by the PP is described and that the description of the fields contains the information required in FAU_GEN.1.2. [Guide] Section 3.1 Audit Events identifies the auditable events. Requirement FAU_GEN.1 Description Start-up and shutdown of the audit functions Additional Record Contents Log: Event Id Windows Logs/Security: 4608, 1100 4608 Windows Logs -> Security Subcategory: Security State Change Startup of audit functions Logged: <Date and time of event> Task category: <type of event> Keywords: <Outcome as Success or Failure> FAU_GEN.1 Startup and shutdown of the OS and kernel 1100 Windows Logs -> Security Subcategory: Security State Change The event logging service has shut down Logged: <Date and time of event> Keywords: <Outcome as Success> Windows Logs/Security: 4608, 1100 4608 Windows Logs -> Security Subcategory: Security State Change Startup of audit functions Logged: <Date and time of event> Task category: <type of event> Keywords: <Outcome as Success or Failure> FAU_GEN.1 Insertion or removal of removable media 1100 Windows Logs -> Security Subcategory: Security State Change The event logging service has shut down Logged: <Date and time of event> Keywords: <Outcome as Success> Microsoft- Windows-Kernel-PnP/Device Configuration: 410 Windows 10 audits insertion of removable media, winch meets the condition insertion or removal. 410 Applications and Services Logs -> Microsoft -> Windows -> Microsoft 2016 Page 9 of 213

Requirement FAU_GEN.1 Description Establishment of a synchronizing connection Additional Record Contents Log: Event Id Kernel-PnP -> Device Configuration Device < DeviceInstanceId> was started Logged: <Date and time of event> Security ID: <user identity> DeviceInstanceId: <Device path and volume GUID of inserted removable media> Windows Logs -> System Source: Schannel : 36880 Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11 36880 Windows Logs -> System Source: Schannel An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows. Logged: <Date and time of event> Protocol: <TLS protocol> CipherSuite: <cypher suite> FAU_GEN.1 FAU_SEL.1 Audit records reaching an administratorconfigurable percentage of audit capacity All modifications to the audit configuration that occur while the audit collection functions are operating. No additional Information. 11 Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational Build Chain System/TimeCreated/SystemTime: <Date and time of event> UserData/CertGetCertificateChain/Certificate/subjectName: <subject name in client certificate> UserData/CertGetCertificateChain/CertificateChain/ChainEle ment/certificate <issuer of leaf certificate as subject name in chained certificate> TrustStatus -> ErrorStatus: <Error code > Windows Logs/Security: 1103 The security audit log is now <the configured value > percent full. Logged: <Date and time of event> Keywords: <Outcome as Success> Windows Logs/Security: 4719 4719 Windows Logs -> Security Subcategory: Audit Policy Change System audit policy was changed Logged: <Date and time of event> Task category: <category of audit> Task Subcategory: <subcategory of audit> Subcategory GUID: <subcategory GUID name> Security ID: <user identity> Account Name: <account name> Account Domain: <account domain> Microsoft 2016 Page 10 of 213

Requirement Description Additional Record Contents Log: Event Id Login ID: <login Id> Changes: <Success/Failure changes> Keywords: <Outcome as Success or Failure> FCS_CKM_EXT.1 generation of a REK No additional Information. Windows Logs/System: 24 24 Windows Logs -> System Source: TPM Logged: <Date and time of event> FCS_CKM_EXT.5 Success or failure of the wipe. No additional Information. Windows Logs/System: Success: 12 Failure: 4502 12 Windows Logs -> System 12Logged: <Date and time of OS startup>(this event along with no other earlier events indicates a wipe has occurred.) FCS_CKM.1(1) FCS_HTTPS_E XT.1 FCS_RBG_EXT. 1 Failure of key generation activity for authentication keys. Failure of the certificate validity check. Failure of the randomization process. No additional Information. Issuer Name and Subject Name of certificate. [No additional information]. No additional information. 4502 Microsoft-Windows-ResetEngAttempt to restore the system to original condition has failed. Changes to the system have been undone. Logged: <Date and time of event> Microsoft-Windows-Crypto-NCrypt: 4 Logged: <Date and time of event> Provider Name: <Key storage provider name> Key Name: <Unique name for key> Algorithm Name: <Key algorithm name> Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11 11 Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational Build Chain System/TimeCreated/SystemTime: <Date and time of event> UserData/CertGetCertificateChain/Certificate/subjectName: <subject name in client certificate> UserData/CertGetCertificateChain/CertificateChain/ChainEle ment/certificate <issuer of leaf certificate as subject name in chained certificate> TrustStatus -> ErrorStatus: <Error code > (Error 20 indicates an untrusted root in the certificate chain) Windows Logs -> System: 20 20 Windows Logs -> System Source: Kernel-Boot The last boot s success was <LastBootGood event data>. 
Logged: <Date and time of event> LastBootGood: <Outcome as true or false indicating if the Microsoft 2016 Page 11 of 213

Requirement Description Additional Record Contents Log: Event Id kernel-mode cryptographic self-tests and RNG initialization succeeded or failed> FCS_STG_EXT. 1 Import or destruction of key. [No other events] Identity of key. Role and identity of requestor. Import: Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient/Lifecycle-System: 1006 Destruction: Windows Logs/System: 12 1006 Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational A new certificate has been installed. Logged: <Date and time of event> Subject: <Certificate subject name, CN, etc.> Thumbprint: <Certificate thumbprint> FCS_STG_EXT. 3 Failure to verify integrity of stored key. Identity of key being verified. 12 Windows Logs -> System 12 Logged: <Date and time of OS startup> This event along with no other earlier events indicates a wipe has occurred. Bitlocker recovery Bitlocker recovery System event Id 20 is recorded by source Kernel-Boot indicating event data LastBootGood as false. This event together with the indication of the TSF executable causing the failed boot on the Recovery screen. FCS_TLSC_EX T.1 Failure to establish an EAP-TLS session. 20 Windows Logs -> System Source: Kernel-Boot The last boot s success was <LastBootGood event data>. 
Logged: <Date and time of event> LastBootGood: <Outcome as true or false indicating if the kernel-mode cryptographic self-tests and RNG initialization succeeded or failed> Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11 System/TimeCreated/SystemTime: <Date and time of event> UserData/CertGetCertificateChain/Certificate/subjectName: <subject name in client certificate> UserData/CertGetCertificateChain/CertificateChain/ChainEle ment/certificate <issuer of leaf certificate as subject name in chained certificate> TrustStatus -> ErrorStatus: <Error code > Error 20 indicates an untrusted root in the certificate chain. Microsoft 2016 Page 12 of 213

Requirement Description Additional Record Contents Log: Event Id Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 41 System -> TimeCreated -> SystemTime: <Date and time of event> UserData -> CertVerifyRevocation -> Certificate -> subjectname: <certificate subject name> UserData -> RevocationStatus -> error: <error code > Error code 0x80092013 indicates The revocation function was unable to check revocation because the revocation server was offline. Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 30 Verify Chain Policy System -> TimeCreated -> SystemTime: <Date and time of event> UserData -> CertVerifyCertificateChainPolicy -> Certificate - > subjectname: <certificate subject name> UserData -> Result value -> error: <error code> Error 0x800B010F: The certificate s CN name does not match the passed value. 36888 Windows Logs -> System Source: Schannel A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is %1. Description Error Code Value Unexpected message 10 Bad record MAC 20 Record overflow 22 Decompression fail 30 Handshake failure 40 Illegal parameter 47 Unknown CA 48 Access denied 49 Decode error 50 Decrypt error 51 Protocol version 70 Insufficient security 71 Internal error 80 Microsoft 2016 Page 13 of 213

Requirement Description Additional Record Contents Unsupported extension Log: Event Id 110 Establishment/termin ation of an EAP-TLS session. Windows Logs -> System : 36880 Windows Logs -> System Source: Schannel An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows. Logged: <Date and time of event> Protocol: <TLS protocol> CipherSuite: <cypher suite> Termination : Applications and Services Logs -> Microsoft -> Windows -> SChannel-Events -> Perf: 1793 <This event indicates that the TLS connection was terminated> FCS_TLSC_EX T.2 Failure to establish a TLS session. Reason for failure. Logged: <Date and time of event> Windows Logs -> System : 36888 36888 Windows Logs -> System Source: Schannel A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is %1. Description Error Code Value Unexpected message 10 Bad record MAC 20 Record overflow 22 Decompression fail 30 Handshake failure 40 Illegal parameter 47 Unknown CA 48 Access denied 49 Decode error 50 Decrypt error 51 Protocol version 70 Insufficient security 71 Internal error 80 Unsupported 110 extension Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11 11 Microsoft 2016 Page 14 of 213

Requirement Description Additional Record Contents Log: Event Id System/TimeCreated/SystemTime: <Date and time of event> UserData/CertGetCertificateChain/Certificate/subjectName: <subject name in client certificate> UserData/CertGetCertificateChain/CertificateChain/ChainEle ment/certificate <issuer of leaf certificate as subject name in chained certificate> TrustStatus -> ErrorStatus: <Error code > Error 20 indicates an untrusted root in the certificate chain. Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 41 41 System -> TimeCreated -> SystemTime: <Date and time of event> UserData -> CertVerifyRevocation -> Certificate -> subjectname: <certificate subject name> UserData -> RevocationStatus -> error: <error code > Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 30 Verify Chain Policy Failure to verify presented identifier. Establishment/termin ation of a TLS session Presented identifier and reference identifier. Non-TOE endpoint of connection. 30 System -> TimeCreated -> SystemTime: <Date and time of event> UserData -> CertVerifyCertificateChainPolicy -> Certificate - > subjectname: <certificate subject name> UserData -> Result value -> error: <error code> Error 0x800B010F: The certificate s CN name does not match the passed value. Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11 System/TimeCreated/SystemTime: <Date and time of event> UserData/CertGetCertificateChain/Certificate/subjectName: <subject name in client certificate> UserData/CertGetCertificateChain/CertificateChain/ChainEle ment/certificate <issuer of leaf certificate as subject name in chained certificate> TrustStatus -> ErrorStatus: <Error code > (Error 20 indicates an untrusted root in the certificate chain) Windows Logs -> System : 36880 36880 Windows Logs -> System Source: Schannel An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows. 
Logged: <Date and time of event> Protocol: <TLS protocol> CipherSuite: <cypher suite> Microsoft 2016 Page 15 of 213

Log: Event Id: Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11

  11
  Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
  Build Chain
  System/TimeCreated/SystemTime: <Date and time of event>
  UserData/CertGetCertificateChain/Certificate/subjectName: <subject name in client certificate>
  UserData/CertGetCertificateChain/CertificateChain/ChainElement/certificate <issuer of leaf certificate as subject name in chained certificate>
  TrustStatus -> ErrorStatus: <Error code>

Log: Event Id: Termination: Applications and Services Logs -> Microsoft -> Windows -> SChannel-Events -> Perf: 1793

  <This event indicates that the TLS connection was terminated>
  Logged: <Date and time of event>

Requirement: FDP_DAR_EXT.1
Description: Failure to encrypt/decrypt data.
Additional Record Contents: No additional information.
Log: Event Id: Windows Logs -> System: 24588

  Logged: <Date and time of event>
  Volume: <encrypted volume letter>

Requirement: FDP_STG_EXT.1
Description: Addition or removal of certificate from Trust Anchor Database.
Additional Record Contents: Subject name of certificate.
Log: Event Id: Applications and Services Logs -> Microsoft -> Windows:
  Import: CAPI2: 90
  Removal: CertificateServicesClient-Lifecycle-System / Operational Id 1004

  90
  Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
  <un-named>
  Logged: <Date and time of event>
  Security UserID: <SID of user account that imported the certificate/secrets>
  Subject: <Certificate subject name, CN, etc.>

  1004
  Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational
  Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational
  A certificate has been deleted
  Logged: <Date and time of event>
  Security ID: <SID of user account that deleted the certificate/secrets>
  SubjectNames: <Deleted certificate subject name>
  Thumbprint: <Deleted certificate thumbprint>
  EKUs: <Deleted certificate EKUs>
  NotValidAfter: <Deleted certificate expiration date>

Requirement: FDP_UPC_EXT.1
Description: Application initiation of trusted channel.
Additional Record Contents: Name of application. Trusted channel protocol. Non-TOE endpoint of connection.
Log: Event Id:
  TLS: Windows Logs -> System, Source: Schannel: 36880, and Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11
  Bluetooth: Windows Logs -> System: 8

  Windows Logs -> System: 36880

  36880
  Windows Logs -> System
  Source: Schannel
  An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows.
  Logged: <Date and time of event>
  Protocol: <TLS protocol>
  CipherSuite: <cipher suite>

  Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11

  11
  Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
  Build Chain
  System/TimeCreated/SystemTime: <Date and time of event>
  UserData/CertGetCertificateChain/Certificate/subjectName: <subject name in client certificate>
  UserData/CertGetCertificateChain/CertificateChain/ChainElement/certificate <issuer of leaf certificate as subject name in chained certificate>
  TrustStatus -> ErrorStatus: <Error code>

  8
  Windows Logs -> System
  Source: BTHUSB
  The remote adapter <remote bluetooth radio address> was successfully paired with the local adapter.
  Logged: <Date and time of event>
  EventData: <remote bluetooth radio address>

Requirement: FIA_AFL_EXT.1
Description: Excess of authentication failure limit.
Additional Record Contents: No additional information.
Log: Event Id: Exceeding failure limit: Windows Logs/Security: 4740

  4740
  Logged: <Date and time of event>
  Security ID: <SID of locked account>
  Account Name: <name of locked account>
  Account Domain: <domain of locked account>

Requirement: FIA_BLT_EXT.1
Description: User authorization of Bluetooth device.
Additional Record Contents: User authorization decision.
Log: Event Id: Windows Logs/System (BTHUSB): 8

  8
  Windows Logs -> System
  Source: BTHUSB
  The remote adapter <remote bluetooth radio address> was successfully paired with the local adapter.
  Logged: <Date and time of event>
  EventData: <remote bluetooth radio address>

Description: User authorization for local Bluetooth service.
Additional Record Contents: Bluetooth address and name of device. Bluetooth profile. Identity of local service.
Log: Event Id: Windows Logs/System (UserPnp): 20001

  20001
  Windows Logs -> System
  Source: UserPnP
  Driver Manager concluded the process to install driver <driver name> for Device Instance ID <ID value include device address>
  Logged: <Date and time of event>
  Security UserID: <SID of user>
  DeviceInstanceID: <instance ID (including remote device address)>
  SetupClass: <Bluetooth service/profile GUID>

Requirement: FIA_BLT_EXT.2
Description: Initiation of Bluetooth connection.
Additional Record Contents: Bluetooth address and name of device.
Log: Event Id: Windows Logs/System (BTHUSB): 8

  8
  Windows Logs -> System
  Source: BTHUSB
  The remote adapter <remote bluetooth radio address> was successfully paired with the local adapter.
  Logged: <Date and time of event>
  EventData: <remote bluetooth radio address>

Description: Failure of Bluetooth connection.
Additional Record Contents: Reason for failure.
Log: Event Id: Windows Logs/System (BTHUSB): 16

  16
  Windows Logs -> System
  Source: BTHUSB
  The mutual authentication between the local Bluetooth adapter and a device with Bluetooth adapter address <device address> failed.
  Logged: <Date and time of event>
  Data: <remote device address>

Requirement: FIA_UAU_EXT.2
Description: Action performed before authentication.
Additional Record Contents: No additional information.
Log: Event Id: N/A due to no selection in Security Target

Requirement: FIA_UAU_EXT.3
Description: User changes Password Authentication Factor.
Additional Record Contents: No additional information.
Log: Event Id: Windows Logs/Security: 4738

  4738
  Windows Logs -> Security
  Subcategory: User Account Management
  A user account was changed
  Logged: <Date and time of event>
  Security ID: <user identity>

Requirement: FIA_X509_EXT.1
Description: Failure to validate X.509v3 certificate.
Additional Record Contents: Reason for failure of validation.
Log: Event Id: Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11

  11

  Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
  Build Chain
  System/TimeCreated/SystemTime: <Date and time of event>
  UserData/CertGetCertificateChain/Certificate/subjectName: <subject name in client certificate>
  UserData/CertGetCertificateChain/CertificateChain/ChainElement/certificate <issuer of leaf certificate as subject name in chained certificate>
  TrustStatus -> ErrorStatus: <Error code>

Requirement: FIA_X509_EXT.2
Description: Failure to establish connection to determine revocation status.
Additional Record Contents: No additional information.
Log: Event Id: Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 41

  41
  Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
  Verify Revocation
  System -> TimeCreated -> SystemTime: <Date and time of event>
  UserData -> CertVerifyRevocation -> Certificate -> subjectname: <certificate subject name>
  UserData -> RevocationStatus -> error: <error code>
  Error code 0x80092013 indicates "The revocation function was unable to check revocation because the revocation server was offline."

Requirement: FMT_SMF_EXT.1
Description: Change of settings.
Additional Record Contents: Role of user that changed setting. Value of new setting.
Log: Event Id: See AAR Table below: Administrative Actions audits

Description: Success or failure of function.
Additional Record Contents: Role of user that performed function. Function performed. Reason for failure
Log: Event Id: See AAR Table below: Administrative Actions audits

Description: Initiation of software update.
Additional Record Contents: Version of update.
Log: Event Id: Windows Logs/System: 19

  19
  Windows Logs -> System
  Installation Successful: Windows successfully installed the following update: <app/update name>
  Logged: <Date and time of event>
  Security ID: <SID of user account that installed the app>
  updatetitle: <app/update name>
  updateguid: <app/update Guid>
  serviceguid: <app/service GUID>
  updaterevisionnumber: <app version>

Description: Initiation of application installation or update.
Additional Record Contents: Name and version of application.
Log: Event Id: Microsoft-Windows-AppXDeploymentServer/Operational: 400

  400
  Applications and Services Logs -> Microsoft -> Windows -> AppXDeployment-Server -> Microsoft-Windows-AppXDeployment-Server/Operational
  Deployment Add operation on Package <package Id> from: (<.appx pathname>) finished successfully
  Logged: <Date and time of event>
  Security ID: <SID of user account that installed the app>
  PackageFullName: <package Id>
  Path: <.appx pathname>

Requirement: FMT_SMF_EXT.2
Description: Unenrollment.
Additional Record Contents: Identity of administrator. Remediation action performed.
Log: Event Id:
  Un-enroll: Microsoft-Windows-SystemSettingsThreshold/Operational: 511
  Wipe protected data: Windows Logs/System: 12

  Un-enroll: Microsoft-Windows-SystemSettingsThreshold/Operational: 511
  Attempted to turn off workplace device management. Result is <result code>
  Logged: <Date and time of event>
  Security: <user identity>
  Remediation action removed Enterprise apps.

  Wipe protected data: Windows Logs/System: 12
  Logged: <Date and time of OS startup>
  (This event along with no other earlier events indicates a wipe has occurred.)

Requirement: FPT_NOT_EXT.1
Description: [Measurement of TSF software].
Additional Record Contents: [Integrity verification value].
Log: Event Id: HealthAttestation log fileresponse <See section Managing Health Attestation for more information>
  See topic Take appropriate policy action based on evaluation results in online guidance for list of measurements and verification.

Requirement: FPT_TST_EXT.1
Description: Initiation of self-test. Failure of self-test.
Additional Record Contents: None
Log: Event Id: Windows Logs/System: 20

  20
  Windows Logs -> System
  Source: Kernel-Boot
  The last boot's success was <LastBootGood event data>.
  Logged: <Date and time of event>
  LastBootGood: <Outcome as true or false indicating if the kernel-mode cryptographic self-tests and RNG initialization succeeded or failed>

Requirement: FPT_TST_EXT.2
Description: Start-up of TOE.
Additional Record Contents: Boot Mode.
Log: Event Id: Windows Logs/System: 21

  21
  Windows Logs -> System
  Source: Kernel-Boot
  The OS loader advanced options menu was displayed and the user selected option <boot mode>
  Logged: <Date and time of event>
  OptionSelected: <auxiliary boot mode>
  Note: this event is recorded if the operating system was started in an auxiliary boot mode, whereas its absence indicates the operating system started in normal boot mode.

Description: [Detected integrity violations].
Additional Record Contents: [The TSF code that caused the integrity violation].
Log: Event Id: Recovery Screen
  System event Id 20 is recorded by source Kernel-Boot indicating event data LastBootGood as false. This event together with the indication of the TSF executable causing the failed boot on the Recovery screen. Since the OS is often not functional in this scenario, the reason cannot be recorded.

Requirement: FPT_TUD_EXT.2
Description: Success or failure of signature verification for software updates.
Log: Event Id: Windows Logs/Setup: 1, 2, 3

  1
  Windows Logs -> Setup
  Initiating changes for package
  Logged: <Date and time of event>
  PackageIdentifier: <KB package Id>
  InitialPackageState: Resolved
  IntendedPackageState: Installed
  ErrorCode: <success outcome indicated by 0x0>

  2
  Windows Logs -> Setup
  Package was successfully changed to the Installed state
  Logged: <Date and time of event>
  PackageIdentifier: <KB package Id>
  IntendedPackageState: Installed
  ErrorCode: <success outcome indicated by 0x0>

  3
  Windows Logs -> Setup
  Windows update could not be installed because "The data is invalid"
  Logged: <Date and time of event>
  Commandline: <KB package Id>
  ErrorCode: <install failure indicated by 0x8007000D (2147942413)>

Description: Success or failure of signature verification for applications.
Log: Event Id: Microsoft-Windows-AppXDeploymentServer/Operational Id 400/404 for success/failure

  400
  Applications and Services Logs -> Microsoft -> Windows -> AppXDeployment-Server -> Microsoft-Windows-AppXDeployment-Server/Operational
  Deployment Add operation on Package <package Id> from: (<.appx pathname>) finished successfully
  Logged: <Date and time of event>
  Security ID: <SID of user account that installed the app>
  PackageFullName: <package Id>
  Path: <.appx pathname>

  404
  AppX Deployment operation failed for package <app package identity> with error <error code>. The specific error text for this failure is: <failure text>.
  Logged: <Date and time of event>
  User ID: <SID of user account that installed the app>

  PackageFullName: <package Id>

Requirement: FTA_TAB.1
Description: Change in banner setting.
Additional Record Contents: No additional information.
Log: Event Id: Windows Logs/Security: 4656

  4656
  Windows Logs -> Security
  Subcategory: Registry
  A handle to an object was requested.
  Logged: <Date and time of event>
  Security ID: <SID of locked account>
  Object Name: <Name of the object changed>
  Accesses: <Access granted>
  Access Mask: <Access requested>

Requirement: FTA_WSE_EXT.1
Description: All attempts to connect to access points.
Additional Record Contents: Identity of access point.
Log: Event Id: Microsoft-Windows-WLAN-AutoConfig/Operational log event Id 8000, 8003

  8000
  Microsoft-Windows-WLAN-AutoConfig/Operational
  WLAN AutoConfig service started a connection to a wireless network
  Logged: <Date and time of event>
  Network Adapter: <adapter device name>

  8003
  Microsoft-Windows-WLAN-AutoConfig/Operational
  WLAN AutoConfig service has successfully disconnected from a wireless network
  Logged: <Date and time of event>
  Network Adapter: <adapter device name>

Requirement: FTP_ITC_EXT.1
Description: Initiation and termination of trusted channel.
Additional Record Contents: Trusted channel protocol. Non-TOE endpoint of connection.
Log: Event Id:
  IPsec: Windows Logs/Security: Initiation: 4651, 5451, Termination: 4655, 5452
  HTTP/TLS: Windows Logs -> System: 36880
  EAP-TLS/802.1x/802.11-2012: Microsoft-Windows-WLAN-AutoConfig/Operational: 8001, 8003

  4651
  Windows Logs -> Security
  Subcategory: IPsec Main Mode
  IPsec main mode security association was established. A certificate was used for authentication.
  Logged: <Date and time of event>
  Task category: <type of event>
  Local Endpoint: <Subject identity as IP address>
  Remote Endpoint: <Subject identity as IP address of non-TOE endpoint of connection>
  Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>
  Local Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint>
  Remote Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint>
  Cryptographic Information: <The entry in the SPD that applied to the decision as MM SA Id and cryptographic parameters established in the SA>

  Keywords: <Outcome as Success>

  5451
  Windows Logs -> Security
  Subcategory: IPsec Quick Mode
  IPsec quick mode security association was established
  Logged: <Date and time of event>
  Task category: <type of event>
  Local Endpoint: <Subject identity as IP address/port>
  Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection>
  Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>
  Cryptographic Information: <The entry in the SPD that applied to the decision as MM SA Id, QM SA Id, Inbound SPI, Outbound SPI and cryptographic parameters established in the SA>
  Keywords: <Outcome as Success>

  4655
  Windows Logs -> Security
  Subcategory: IPsec Main Mode
  IPsec main mode security association ended
  Logged: <Date and time of event>
  Task category: <type of event>
  Local Endpoint: <Subject identity as IP address/port>
  Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection/channel>
  Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>
  Keywords: <Outcome as Success>

  5452
  Windows Logs -> Security
  Subcategory: IPsec Quick Mode
  IPsec quick mode security association ended
  Logged: <Date and time of event>
  Task category: <type of event>
  Local Endpoint: <Subject identity as IP address/port>
  Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection>
  Cryptographic Information: <The entry in the SPD that applied to the decision as the QM SA Id, Tunnel Id, Traffic Selector Id>
  Keywords: <Outcome as Success>

  HTTP/TLS: Applications and Services Windows Logs -> System Source: Schannel: 36880

  36880
  Logged: <Date and time of event>
  Protocol: <TLS protocol>
  CipherSuite: <cipher suite>

  Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11 (Note: The event identifies the Non-TOE endpoints)

  11
  System/TimeCreated/SystemTime: <Date and time of event>
  UserData/CertGetCertificateChain/Certificate/subjectName: <subject name in client certificate>
  UserData/CertGetCertificateChain/CertificateChain/ChainElement/certificate <issuer of leaf certificate as subject name in chained certificate>
  TrustStatus -> ErrorStatus: <Error code>

  Applications and Services Logs -> Microsoft -> Windows -> SChannel-Events -> Perf: 1793

  1793
  <This event indicates that the TLS connection was terminated>
  Logged: <Date and time of event>

  EAP-TLS/802.1x/802.11-2012:

  8001
  Logged: <Date and time of event>
  SSID: <Wireless network name> (non-TOE endpoint of connection)
  Authentication: WPA2-Enterprise (protocol)
  802.1x Enabled: Yes (protocol)

  8003
  Logged: <Date and time of event>
  SSID: <Wireless network name> (non-TOE endpoint of connection)

The evaluator shall also make a determination of the administrative actions that are relevant in the context of this PP including those listed in the Management section. The evaluator shall examine the administrative guide and make a determination of which administrative commands are related to the configuration (including enabling or disabling) of the mechanisms implemented in the TOE that are necessary to enforce the requirements specified in the PP. The evaluator shall document the methodology or approach taken while determining which actions in the administrative guide are security relevant with respect to this PP. The evaluator may perform this activity as part of the activities associated with ensuring the AGD_OPE guidance satisfies the requirements.

[Guide] Section 3.1 Audit Events identifies the administrative operations with their associated audits.

The evaluator examined the management functions identified in the security target FMT_SMF_EXT.1 to determine which actions are security relevant.
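The audit table above gives three System-log rules that depend on a field value or on the presence or absence of a record: event 12 with no earlier events indicates a wipe (FMT_SMF_EXT.2), event 20 carries the self-test outcome in LastBootGood (FPT_TST_EXT.1), and event 21 appears only when an auxiliary boot mode was selected (FPT_TST_EXT.2). The Python example below is added here as an illustration and is not part of the evaluated guidance; the record layout, the sample data and the Kernel-General source name for event 12 are assumptions.

```python
# Added example, not part of the evaluated guidance. Record layout, sample
# data and the Kernel-General source name for event 12 are assumptions.
from dataclasses import dataclass, field
from typing import Optional

START_SOURCE, START_ID = "Kernel-General", 12   # "The operating system started ..."
BOOT_SOURCE = "Kernel-Boot"                      # source the table gives for 20 and 21


@dataclass
class Record:
    time: str                 # ISO-8601 text, so string order is time order
    source: str
    event_id: int
    data: dict = field(default_factory=dict)


@dataclass
class Boot:
    started: str
    self_test_ok: Optional[bool] = None   # None: no event 20 seen for this boot
    boot_mode: str = "normal"             # no event 21 means normal boot mode
    wipe_indicated: bool = False


def analyse_system_log(records):
    """Split the System log into boots at each event 12 and apply the rules."""
    boots, current = [], None
    for index, rec in enumerate(sorted(records, key=lambda r: r.time)):
        if rec.source == START_SOURCE and rec.event_id == START_ID:
            # Event 12 with no earlier events in the log indicates a wipe.
            current = Boot(started=rec.time, wipe_indicated=(index == 0))
            boots.append(current)
        elif current is None or rec.source != BOOT_SOURCE:
            continue                      # unrelated record, or before first start
        elif rec.event_id == 20:
            value = str(rec.data.get("LastBootGood", "")).strip().lower()
            current.self_test_ok = value == "true"
        elif rec.event_id == 21:
            current.boot_mode = rec.data.get("OptionSelected", "auxiliary")
    return boots


def findings(boots):
    """Return (boot start, requirement, message) tuples that need review."""
    out = []
    for b in boots:
        if b.wipe_indicated:
            out.append((b.started, "FMT_SMF_EXT.2", "wipe of protected data indicated"))
        if b.self_test_ok is False:
            out.append((b.started, "FPT_TST_EXT.1", "self-test failed (LastBootGood false)"))
        elif b.self_test_ok is None:
            out.append((b.started, "FPT_TST_EXT.1", "no event 20 recorded for this boot"))
        if b.boot_mode != "normal":
            out.append((b.started, "FPT_TST_EXT.2", "auxiliary boot mode: " + b.boot_mode))
    return out


# Constructed sample: two boots; the first record in the log is event 12.
SAMPLE = [
    Record("2016-01-05T08:00:00", "Kernel-General", 12),
    Record("2016-01-05T08:00:01", "Kernel-Boot", 20, {"LastBootGood": "true"}),
    Record("2016-01-05T09:15:00", "Service Control Manager", 7036),
    Record("2016-01-06T07:30:00", "Kernel-General", 12),
    Record("2016-01-06T07:30:01", "Kernel-Boot", 20, {"LastBootGood": "false"}),
    Record("2016-01-06T07:30:02", "Kernel-Boot", 21, {"OptionSelected": "Safe Mode"}),
]

if __name__ == "__main__":
    for item in findings(analyse_system_log(SAMPLE)):
        print(" | ".join(item))
```

The wipe rule holds only while the log still contains its oldest records; once older entries have been overwritten, event 12 can be the first retained record without a wipe having occurred.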

Administrative Actions audits

Administrative Action:
  1. configure password policy:
     a. minimum password length
     b. minimum password complexity
     c. maximum password lifetime
Audit Log Id: Windows Logs/Security: 4739

  4739
  Windows Logs -> Security
  Subcategory: Authentication Policy Change
  Domain Policy was changed.
  Logged: <Date and time of event>
  Security ID: <SID of user account making audit policy change>
  Account Name: <name of user account making audit policy change>
  Account Domain: <domain of user account making audit policy change if applicable, otherwise computer>
  Category: <Audit category that was changed.>
  Subcategory: <Audit subcategory that was changed.>
  Changes: <Change to audit policy.>

Administrative Action:
  2. configure session locking policy:
     a. screen-lock enabled/disabled
     b. screen lock timeout
     c. number of authentication failures
Audit Log Id: Windows Logs/Security: 4739

  4739
  Windows Logs -> Security
  Subcategory: Authentication Policy Change
  Domain Policy was changed.
  Logged: <Date and time of event>
  Security ID: <SID of user account making audit policy change>
  Account Name: <name of user account making audit policy change>
  Account Domain: <domain of user account making audit policy change if applicable, otherwise computer>
  Category: <Audit category that was changed.>
  Subcategory: <Audit subcategory that was changed.>
  Changes: <Change to audit policy.>

Administrative Action:
  3. enable/disable the VPN protection:
     a. across device
     [b. on a per-app basis
     c. no other method]
Audit Log Id: Windows Logs/Security: Enable: 4651, 5451 Disable: 4655, 5452

  4651
  Windows Logs -> Security
  Subcategory: IPsec Main Mode
  IPsec main mode security association was established. A certificate was used for authentication.
  Logged: <Date and time of event>
  Task category: <type of event>
  Local Endpoint: <Subject identity as IP address>
  Remote Endpoint: <Subject identity as IP address of non-TOE endpoint of connection>
  Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>
  Local Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint>
  Remote Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint>
  Cryptographic Information: <The entry in the SPD that applied to the decision as MM SA Id and cryptographic parameters established in the SA>
  Keywords: <Outcome as Success>

  5451
  Windows Logs -> Security
  Subcategory: IPsec Quick Mode
  IPsec quick mode security association was established
  Logged: <Date and time of event>
  Task category: <type of event>
  Local Endpoint: <Subject identity as IP address/port>
  Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection>
  Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>
  Cryptographic Information: <The entry in the SPD that applied to the decision as MM SA Id, QM SA Id, Inbound SPI, Outbound SPI and cryptographic parameters established in the SA>
  Keywords: <Outcome as Success>

  4655
  Windows Logs -> Security
  Subcategory: IPsec Main Mode
  IPsec main mode security association ended
  Logged: <Date and time of event>
  Task category: <type of event>
  Local Endpoint: <Subject identity as IP address/port>
  Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection/channel>
  Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>
  Keywords: <Outcome as Success>

  5452
  Windows Logs -> Security
  Subcategory: IPsec Quick Mode
  IPsec quick mode security association ended
  Logged: <Date and time of event>
  Task category: <type of event>
  Local Endpoint: <Subject identity as IP address/port>
  Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection>
  Cryptographic Information: <The entry in the SPD that applied to the decision as the QM SA Id, Tunnel Id, Traffic Selector Id>
  Keywords: <Outcome as Success>

Administrative Action:
  4. enable/disable [GPS, Wi-Fi, Bluetooth, mobile broadband]
Audit Log Id: GPS: Windows Logs/Security: 4657

  4657
  Windows Logs -> Security
  Subcategory: Registry
  Registry entry change
  Logged: <Date and time of event>
  Task category: <type of event>
  Security ID: <user identity>
  Object name: <key path>
  Changes: <old and new registry values>
  Keywords: <Outcome as Success or Failure>

Audit Log Id: WiFi: Microsoft-Windows-WLAN-AutoConfig/Operational Id 11001 (enable) 11004 (disable)

  11001
  Microsoft-Windows-WLAN-AutoConfig/Operational
  Wireless network association succeeded
  Logged: <Date and time of event>
  Network Adapter: <adapter device name>
  Local MAC address: <Wi-Fi address>

  11004
  Microsoft-Windows-WLAN-AutoConfig/Operational
  Wireless security stopped
  Logged: <Date and time of event>
  Network Adapter: <adapter device name>
  Local MAC address: <Wi-Fi address>

Audit Log Id: Bluetooth: Windows Logs/Security: 4657

  4657
  Windows Logs -> Security
  Subcategory: Registry
  Registry entry change
  Logged: <Date and time of event>
  Task category: <type of event>
  Security ID: <user identity>
  Object name: <key path>
  Changes: <old and new registry values>
  Keywords: <Outcome as Success or Failure>

Audit Log Id: Mobile Broadband: WWAN-SVC-EVENTS/WWAN Operational Channel: 11009

  Received ContextState
  Logged: <Date and time of event>
  State: <WwanActivationStateActivated>
  State: <WwanActivationStateDeActivated>

Administrative Action:
  5. enable/disable [camera, microphone]:
     a. across device
     [b. on a per-app basis
     c. no other method]
Audit Log Id: Windows Logs/Security: 4657

  4657
  Windows Logs -> Security
  Subcategory: Registry
  Registry entry change
  Logged: <Date and time of event>
  Task category: <type of event>
  Security ID: <user identity>
  Object name: <key path>
  Changes: <old and new registry values>
  Keywords: <Outcome as Success or Failure>

Administrative Action:
  6. specify wireless networks (SSIDs) to which the TSF may connect
Audit Log Id: Windows Logs/Security: 4656

  4656
  Windows Logs -> Security
  Subcategory: Registry
  A handle to an object was requested.
  Logged: <Date and time of event>
  Security ID: <SID of locked account>

  Object Name: <Name of the object changed>
  Accesses: <Access granted>
  Access Mask: <Access requested>

Administrative Action:
  7. configure security policy for each wireless network:
     a. [selection: specify the CA(s) from which the TSF will accept WLAN authentication server certificate(s), specify the FQDN(s) of acceptable WLAN authentication server certificate(s)]
     b. security type
     c. authentication protocol
     d. client credentials to be used for authentication
Audit Log Id: Windows Logs/Security: 4656

  4656
  Windows Logs -> Security
  Subcategory: Registry
  A handle to an object was requested.
  Logged: <Date and time of event>
  Security ID: <SID of locked account>
  Object Name: <Name of the object changed>
  Accesses: <Access granted>
  Access Mask: <Access requested>

Administrative Action:
  8. transition to the locked state
Audit Log Id: Windows Logs/Security: 4800

  4800
  Windows Logs -> Security
  Subcategory: Logoff
  The workstation was locked.
  Logged: <Date and time of event>
  Security UserID: <SID of logon user>
  Account Name: <name of logon account>
  Account Domain: <domain of logon account>

Administrative Action:
  9. TSF wipe of protected data
Audit Log Id:
  Success: System: 12
  Failure: Wipe Failure Screen System: 4502

  12
  Windows Logs -> System
  The operating system started at system time <time>.
  Logged: <Date and time of OS startup>
  This event along with no other earlier events indicates a wipe has occurred.

  4502
  Microsoft-Windows-ResetEng
  Attempt to restore the system to original condition has failed. Changes to the system have been undone.
  Logged: <Date and time of event>

Administrative Action:
  10. configure application installation policy by [selection:
     a. restricting the sources of applications,
     b. specifying a set of allowed applications based on [assignment: application characteristics] (an application whitelist),
Audit Log Id: Windows Logs/Security: 4656

  4656
  Windows Logs -> Security
  Subcategory: Registry
  A handle to an object was requested.
  Logged: <Date and time of event>
  Security ID: <SID of locked account>
  Object Name: <Name of the object changed>
  Accesses: <Access granted>
  Access Mask: <Access requested>