introduction€¦ · web viewlocal policies\security options\system cryptography: use fips 140...

$: Introduction€¦ · Web viewLocal Policies\Security Options\System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithm$
Windows 8.1 and Windows Phone 8.1 Guidance

Microsoft Windows

Common Criteria EvaluationMicrosoft Windows 8.1

Microsoft Windows Phone 8.1

Common Criteria Supplemental Admin Guidance

Document InformationVersion Number 1.0Updated On February 9, 2015

Microsoft Confidential © 2015 Page 1 of 35


This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs-NonCommercial

License (which allows redistribution of the work). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd-nc/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or

event is intended or should be inferred.

© 2015 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Visual Basic, Visual Studio, Windows, the Windows logo, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


http://creativecommons.org/licenses/by-nd-nc/1.0/


TABLE OF CONTENTS

1 INTRODUCTION ........................................................................................................................................................................................................................................................... 8

1.1 CONFIGURATION..............................................................................................................................................................................................................................................................81.1.1 EVALUATED CONFIGURATION........................................................................................................................................................................................................................................................... 8

2 MANAGEMENT FUNCTIONS ......................................................................................................................................................................................................................................... 8

3 MANAGING WIPE ...................................................................................................................................................................................................................................................... 11

3.1 WINDOWS 8.1..............................................................................................................................................................................................................................................................113.1.1 LOCAL ADMINISTRATOR GUIDANCE................................................................................................................................................................................................................................................. 113.2 WINDOWS PHONE 8.1....................................................................................................................................................................................................................................................113.2.1 IT ADMINISTRATOR GUIDANCE....................................................................................................................................................................................................................................................... 113.2.2 USER GUIDANCE.......................................................................................................................................................................................................................................................................... 11

4 MANAGING EAP-TLS .................................................................................................................................................................................................................................................. 12

4.1 IT ADMINISTRATOR GUIDANCE.........................................................................................................................................................................................................................................124.2 WINDOWS 8.1..............................................................................................................................................................................................................................................................124.2.1 LOCAL ADMINISTRATOR GUIDANCE................................................................................................................................................................................................................................................. 124.3 WINDOWS PHONE 8.1....................................................................................................................................................................................................................................................134.3.1 USER GUIDANCE.......................................................................................................................................................................................................................................................................... 13

5 MANAGING TLS ......................................................................................................................................................................................................................................................... 13

5.1 WINDOWS 8.1..............................................................................................................................................................................................................................................................13



5.1.1 LOCAL ADMINISTRATOR GUIDANCE................................................................................................................................................................................................................................................. 135.2 WINDOWS PHONE 8.1....................................................................................................................................................................................................................................................145.2.1 IT ADMINISTRATOR GUIDANCE....................................................................................................................................................................................................................................................... 14

6 MANAGING APPS ...................................................................................................................................................................................................................................................... 14

6.1 WINDOWS 8.1..............................................................................................................................................................................................................................................................146.1.1 LOCAL ADMINISTRATOR GUIDANCE................................................................................................................................................................................................................................................. 146.1.2 USER GUIDANCE.......................................................................................................................................................................................................................................................................... 156.1.3 WINDOWS PHONE 8.1................................................................................................................................................................................................................................................................. 15

7 MANAGING VOLUME ENCRYPTION ........................................................................................................................................................................................................................... 16

7.1 WINDOWS 8.1..............................................................................................................................................................................................................................................................167.1.1 LOCAL ADMINISTRATOR GUIDANCE................................................................................................................................................................................................................................................. 167.2 WINDOWS PHONE 8.1....................................................................................................................................................................................................................................................177.2.1 IT ADMINISTRATOR GUIDANCE....................................................................................................................................................................................................................................................... 17

8 MANAGING VPN ........................................................................................................................................................................................................................................................ 17

8.1 IT ADMINISTRATOR GUIDANCE.........................................................................................................................................................................................................................................178.2 WINDOWS 8.1..............................................................................................................................................................................................................................................................178.2.1 LOCAL ADMINISTRATOR GUIDANCE................................................................................................................................................................................................................................................. 178.3 WINDOWS PHONE 8.1....................................................................................................................................................................................................................................................188.3.1 USER GUIDANCE.......................................................................................................................................................................................................................................................................... 18

9 MANAGING ACCOUNTS ............................................................................................................................................................................................................................................. 18

9.1 WINDOWS 8.1..............................................................................................................................................................................................................................................................19



9.1.1 LOCAL ADMINISTRATOR GUIDANCE................................................................................................................................................................................................................................................. 199.2 WINDOWS PHONE 8.1....................................................................................................................................................................................................................................................199.2.1 IT ADMINISTRATOR GUIDANCE....................................................................................................................................................................................................................................................... 19

10 MANAGING BLUETOOTH ........................................................................................................................................................................................................................................... 19

10.1 WINDOWS 8.1..............................................................................................................................................................................................................................................................2010.1.1 LOCAL ADMINISTRATOR GUIDANCE................................................................................................................................................................................................................................................. 2010.2 WINDOWS PHONE 8.1....................................................................................................................................................................................................................................................2010.2.1 USER GUIDANCE.......................................................................................................................................................................................................................................................................... 20

11 MANAGING PASSWORDS .......................................................................................................................................................................................................................................... 20

11.1 STRONG PASSWORDS......................................................................................................................................................................................................................................................2011.1.1 WINDOWS 8.1............................................................................................................................................................................................................................................................................ 2011.1.2 WINDOWS PHONE 8.1................................................................................................................................................................................................................................................................. 2111.2 PROTECTING PASSWORDS................................................................................................................................................................................................................................................2111.2.1 WINDOWS 8.1............................................................................................................................................................................................................................................................................ 2111.2.2 WINDOWS PHONE 8.1................................................................................................................................................................................................................................................................. 2211.3 LOGON/LOGOFF PASSWORD POLICY..................................................................................................................................................................................................................................2211.3.1 WINDOWS 8.1............................................................................................................................................................................................................................................................................ 2211.3.2 WINDOWS PHONE 8.1................................................................................................................................................................................................................................................................. 23

12 MANAGING CERTIFICATES ......................................................................................................................................................................................................................................... 25

12.1 WINDOWS 8.1..............................................................................................................................................................................................................................................................2512.1.1 LOCAL ADMINISTRATOR GUIDANCE................................................................................................................................................................................................................................................. 2512.1.2 USER GUIDANCE.......................................................................................................................................................................................................................................................................... 2612.2 WINDOWS PHONE 8.1....................................................................................................................................................................................................................................................26



12.2.1 IT ADMINISTRATOR GUIDANCE....................................................................................................................................................................................................................................................... 26

13 MANAGING TIME ...................................................................................................................................................................................................................................................... 27

13.1 WINDOWS 8.1..............................................................................................................................................................................................................................................................2813.1.1 LOCAL ADMINISTRATOR GUIDANCE................................................................................................................................................................................................................................................. 2813.1.2 WINDOWS PHONE 8.1................................................................................................................................................................................................................................................................. 28

14 GETTING VERSION INFORMATION ............................................................................................................................................................................................................................. 28

14.1 WINDOWS 8.1..............................................................................................................................................................................................................................................................2914.1.1 USER GUIDANCE.......................................................................................................................................................................................................................................................................... 2914.2 WINDOWS PHONE 8.1....................................................................................................................................................................................................................................................2914.2.1 USER GUIDANCE.......................................................................................................................................................................................................................................................................... 29

15 LOCKING A DEVICE .................................................................................................................................................................................................................................................... 30

15.1 WINDOWS 8.1..............................................................................................................................................................................................................................................................3015.1.1 LOCAL ADMINISTRATOR GUIDANCE................................................................................................................................................................................................................................................. 3015.1.2 USER GUIDANCE.......................................................................................................................................................................................................................................................................... 3015.2 WINDOWS PHONE 8.1....................................................................................................................................................................................................................................................3015.2.1 USER GUIDANCE.......................................................................................................................................................................................................................................................................... 3015.3 MANAGING NOTIFICATIONS PRIOR TO UNLOCKING A DEVICE...................................................................................................................................................................................................3115.3.1 WINDOWS 8.1............................................................................................................................................................................................................................................................................ 3115.3.2 WINDOWS PHONE 8.1................................................................................................................................................................................................................................................................. 32

16 MANAGING AIRPLANE MODE .................................................................................................................................................................................................................................... 32

16.1 WINDOWS 8.1..............................................................................................................................................................................................................................................................32



16.1.1 USER GUIDANCE.......................................................................................................................................................................................................................................................................... 3216.2 WINDOWS PHONE 8.1....................................................................................................................................................................................................................................................3316.2.1 USER GUIDANCE.......................................................................................................................................................................................................................................................................... 33

17 DEVICE ENROLLMENT ................................................................................................................................................................................................................................................ 33

17.1 WINDOWS 8.1..............................................................................................................................................................................................................................................................3317.1.1 LOCAL ADMINISTRATOR GUIDANCE................................................................................................................................................................................................................................................. 3317.2 WINDOWS PHONE 8.1....................................................................................................................................................................................................................................................3417.2.1 USER GUIDANCE.......................................................................................................................................................................................................................................................................... 34

18 MANAGING UPDATES ................................................................................................................................................................................................................................................ 34

18.1 WINDOWS 8.1..............................................................................................................................................................................................................................................................3418.2 WINDOWS PHONE 8.1....................................................................................................................................................................................................................................................34



1 IntroductionThis document provides guidance information for a Common Criteria evaluation.

1.1 Configuration

1.1.1 Evaluated ConfigurationThe Common Criteria evaluation includes a specific configuration of Windows, the “evaluated configuration”. To run Windows deployments using the evaluated configuration follow the deployment steps and apply the security policies and security settings indicated below. The Security Target section 1.1 describes the Windows editions and security patches included in the evaluated configuration.

The operating system is pre-installed on the devices in the evaluated configuration. When the device is turned on for the first time the Out of Box Experience (OOBE) runs to complete the configuration.

The following security policies are applied after completing the OOBE:

Security Policy Policy SettingLocal Policies\Security Options\System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithm EnabledAdministrative Template\Windows Components\Credentials User Interface\Do not display the password reveal button Enabled

The following security settings are applied:

Cipher suite selection is configured according to section 5 Managing TLS Volume encryption is enabled according to section 7 Managing Volume Encryption VPN connections route all traffic through the VPN tunnel as described section 8 Managing VPN Passwords use a minimum of six alphanumeric characters and symbols according to section 11.3 Password Policy RSA machine certificates are configured according to section 12 Managing Certificates to use a minimum 2048 bit key length Session locking is enabled according to section 15 Locking a Device Devices are enrolled for device management according to section 17 Device Enrollment



2 Management FunctionsThe following table maps management functions to roles:

Activity User GuidanceLocal Administrator Guidance

IT Administrator Guidance

Configure password policyWindows 8.1

Windows Phone 8.1

Configure session locking policyWindows 8.1

Windows Phone 8.1

Enable/disable the VPN protectionWindows 8.1

duWindows Phone 8.1Windows 8.1

Windows Phone 8.1

Enable/disable [Wi-Fi, mobile broadband radios, Bluetooth]Windows 8.1

Windows Phone 8.1Windows 8.1


Windows Phone 8.1

Enable/disable [camera, microphone]Windows 8.1


Windows Phone 8.1

Specify wireless networks (SSIDs) to which the TSF may connectWindows 8.1

Windows Phone 8.1

Configure security policy for connecting to wireless networksWindows 8.1

Windows Phone 8.1

Transition to the locked stateWindows 8.1


Windows Phone 8.1

Full wipe of protected data Windows Phone 8.1Windows 8.1

Windows Phone 8.1



Configure application installation policyWindows 8.1

Windows Phone 8.1

Import keys/secrets into the secure key storageWindows 8.1


Windows Phone 8.1

Destroy imported keys/secrets and any other keys/secrets in the secure key storage


Windows Phone 8.1

Import X.509v3 certificates into the Trust Anchor DatabaseWindows 8.1

Windows Phone 8.1

Remove imported X.509v3 certificates and any other X.509v3 certificates in the Trust Anchor Database

Windows 8.1Windows Phone 8.1

Enroll the TOE in managementWindows 8.1


Windows Phone 8.1

Remove applicationsWindows 8.1

Windows Phone 8.1

Update system softwareWindows 8.1

Windows Phone 8.1

Install applicationsWindows 8.1

Windows Phone 8.1

Enable/disable data transfer capabilities over USB port for Windows 8.1, Bluetooth


Windows Phone 8.1

Enable/disable [wireless remote access connections except for personal Hotspot service, personal Hotspot connections, tethered connections





Enable data-at rest protectionWindows 8.1

Windows Phone 8.1

Enable removable media’s data at rest Windows 8.1 Windows 8.1

Configure the Access Point Name and proxy used for communications between the cellular network and other networks



Enable/disable display notification in the locked stateWindows 8.1


Windows Phone 8.1

Wipe sensitive data Windows Phone 8.1Windows 8.1

Windows Phone 8.1Windows Phone 8.1

Alert the administratorWindows 8.1

Windows Phone 8.1

Remove Enterprise applicationsWindows 8.1

Windows Phone 8.1

Enable/disable cellular voice functionality Windows Phone 8.1 Windows Phone 8.1

Enable/disable device messaging capabilities Windows Phone 8.1 Windows Phone 8.1

Enable/disable the cellular protocols used to connect to cellular network base stations

Windows Phone 8.1 Windows Phone 8.1

Configure the unlock banner Windows Phone 8.1Windows 8.1

Windows Phone 8.1

Enable/disable location servicesWindows 8.1


Windows Phone 8.1



3 Managing WipeThis section contains the following Common Criteria SFRs:

Extended: TSF Wipe (FCS_CKM_EXT.5)

Labels: {FMT_SMF.1:A:8}

3.1 Windows 8.1

3.1.1 Local Administrator GuidanceThe following Windows help topic describes how to reset Windows 8.1 devices with removal of all user data (the “Fully clean the drive” option wipes all protected data):

How to refresh, reset, or restore your PC: http://windows.microsoft.com/en-US/windows-8/restore-refresh-reset-pc

3.2 Windows Phone 8.1

3.2.1 IT Administrator GuidanceAn MDM system may be used to remotely wipe enrolled phones.

3.2.2 User GuidanceThe following Windows Phone help topic describes how to reset Windows Phone 8.1 devices with removal of all user data:Settings + Personalization Reset my phone:

http://www.windowsphone.com/en-us/how-to/wp8/settings-and-personalization/reset-my-phone

4 Managing EAP-TLSThis section contains the following Common Criteria SFRs:

Extended: Trusted Channel Communication (FTP_ITC_EXT.1) Extended: PAE Authentication (FIA_PAE_EXT.1) Extended: Trusted Channel Communication (FTP_ITC_EXT.1) Extended: Wireless Network Access (FTA_WSE_EXT.1) Specifications of Management Functions (FMT_SMF.1)


http://windows.microsoft.com/en-US/windows-8/restore-refresh-reset-pc


Labels: {FTP_ITC_EXT.1:D:1}

4.1 IT Administrator GuidanceAn MDM system can be used to manage Wi-Fi profiles.

The following link specifies the server certificate requirements for EAP-TLS:

- http://support.microsoft.com/kb/814394/en-us

4.2 Windows 8.1

4.2.1 Local Administrator GuidanceThe following topics describe how to configure EAP-TLS on Windows 8.1:

- Extensible Authentication Protocol (EAP) Settings for Network Access: http://technet.microsoft.com/en-us/library/hh945104.aspx 1

The TOE comes preloaded with root certificates for various Certificate Authorities. The following TechNet topic describes how to manage trust relationships:

Manage Trusted Root Certificates: http://technet.microsoft.com/en-us/library/cc754841.aspx2


4.3.1 User GuidanceThe following topic describes how to configure EAP-TLS on Windows Phone 8.1:

http://msdn.microsoft.com/en-us/library/dn643706.aspx

5 Managing TLSThis section contains the following Common Criteria SFRs:

Extended: EAP TLS Protocol (FCS_TLS_EXT.1)

1 This topic also applies to Windows 8.12 This topic also applies to Windows 8.1



http://technet.microsoft.com/en-us/library/hh945104.aspx


Extended: TLS Protocol (FCS_TLS_EXT.2)

Labels: {FCS_TLS_EXT.2:A:1} {FCS_TLS_EXT.2:A:2}

5.1 Windows 8.1

5.1.1 Local Administrator GuidanceThe mandatory cipher suites listed in the Security Target correlate with those available in the TOE as follows:

Mandatory Cipher Suites (per Security Target) Available Cipher Suites in TOE3

TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHATLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHATLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246 TLS_RSA_WITH_AES_128_CBC_SHA256TLS_RSA_WITH_AES_256_CBC_ SHA256 as defined in RFC 5246 TLS_RSA_WITH_AES_256_CBC_SHA256TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 6460 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 6460 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384

The following MSDN article describes how the administrator modifies the set of TLS cipher suites for priority and availability:

- Prioritizing Schannel Cipher Suites: http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx- How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll: http://support.microsoft.com/kb/245030

The DN in the certificate is automatically compared to the expected DN and does not require additional configuration of the expected DN for the connection.


Manage Trusted Root Certificates: http://technet.microsoft.com/en-us/library/cc754841.aspx

3 See: Cipher Suites in Schannel: http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx




5.2.1 IT Administrator GuidanceThe cipher suite selection and priority may be configured on the server side of a connection. Cipher suite selection and priority cannot be configured in Windows Phone 8.1. Cipher suite selection is made according to the default order as described in the previous section for Windows 8.1.

The DN in the certificate is automatically compared to the expected DN and does not require additional configuration of the expected DN for the connection.

Windows Phone 8.1 may be configured to trust a Certificate Authority by using policy pushed to the phone by a MDM. The TOE comes preloaded with root certificates for various Certificate Authorities. Additional Certificate Authorities are managed on the Windows Phone 8.1 device using workplace enrollment and an MDM.Restricting Applications

6 Managing AppsThis section contains the following Common Criteria SFRs:

Extended: Security Attribute Based Access Control (FDP_ACF_EXT.1)

Labels: {FMT_SMF.1:A:2} {FMT_SMF.1:A:5} {FMT_SMF.1:A:10}

6.1 Windows 8.1

6.1.1 Local Administrator GuidanceThe ability for users to run the Store app may be removed using a registry value on Windows 8.1 by performing the following steps:

1. Start the registry editor tool by executing the command regedit.exe as an administrator2. Navigate to the registry path HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsStore. Note that the WindowsStore registry key may need to be created.3. Create a DWORD (32 bit) registry value with the name RemoveWindowsStore under the WindowsStore registry key. Set the registry value to 1.

6.1.2 User GuidanceThe following Windows help topic describes how to remove app and any information the the app contained:

- Uninstall, change or repair a program: http://windows.microsoft.com/en-us/windows-8/uninstall-change-program

The following Windows help topic describes how to remove app and any information the the app contained:



- Uninstall, change or repair a program: http://windows.microsoft.com/en-us/windows-8/uninstall-change-program

Note: If the system administrator has disabled uninstalling Enterprise apps from the device then those Enterprise apps cannot be uninstalled.

6.1.3 Windows Phone 8.1

6.1.3.1 User GuidanceThe following TechNet topic describes how to restrict particular applications, sources of applications, or application installation:

- Try It Out: Restrict Windows Phone 8.1 Apps: http://technet.microsoft.com/en-us/library/dn771706.aspx

The following Windows Phone help topic describes the procedure to remove app and any information the app contained:

- Delete or reinstall apps: http://www.windowsphone.com/en-us/how-to/wp7/apps/delete-apps-and-games4

The following Windows Phone help topic describes how to remove apps:

- Deleting or reinstalling apps: http://www.windowsphone.com/en-US/how-to/wp8/apps/delete-or-reinstall-apps

7 Managing Volume EncryptionThis section contains the following Common Criteria SFRs:

Extended: Data at Rest Protection (FDP_DAR_EXT.1)

Labels: {FDP_DAR_EXT.1:A:2}{FDP_DAR_EXT.1A:1}, {FMT_SMF.1:A:6}

The following TechNet topic describes the BitLocker feature, including its use to encrypt the entire operation system volume or removable volumes:

- BitLocker Overview: http://technet.microsoft.com/en-US/library/hh831713.aspx

4 This help topic applies to the TOE.


http://technet.microsoft.com/en-US/library/hh831713.aspx


7.1 Windows 8.1

7.1.1 Local Administrator GuidanceThe following TechNet topic describes the manage-bde command that should be executed in a command shell while running as an administrator to configure DAR protection:

- Manage-bde: http://technet.microsoft.com/en-us/library/ff829849(v=ws.10).aspx

By default AES128 encrypion is used by the manage-bde command when enabling BitLocker for Windows 8.1 – the AES256 algorithm should be used instead. In addition, the TPM and PIN authorization factor must be used in the evaluated configuration. The Enhanced PIN capabilities must be used in the evaluated configuration.

To enable the TPM and Enhanced PIN authorization factors execute the following command:

Manage-bde –on <operating system disk volume letter>: -tpmandpin -encryptionMethod aes256

Administrators must create an Enhanced PIN value with a minimum of four and a maximum of 20 numeric characters, but can also include uppercase and lowercase English letters, symbols on an EN-US keyboard, numbers, and spaces. To enable the Enhanced PIN capabilities start the gpedit.msc MMC snap-in as an administrator and enable the following local or group policy:

Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives\Allow enhanced PINs for startup


7.2.1 IT Administrator GuidanceWindows Phone 8.1 supports device encryption with a TPM authorization factor that can be turned on using a Mobile Device Management (MDM) configuration policy setting. MDM policy settings are managed by a Mobile Device Management system and cannot be directly configured by users on their Windows Phone 8.1. If this device configuration policy setting is configured , then the TPM authorization factor is enabled. The following technical paper explains the “RequireDeviceEncryption” MDM configuration policy setting:

- Windows Phone 8.1 MDM protocol documentation: http://msdn.microsoft.com/en-us/library/dn499787.aspx- Windows Phone supports internal storage encryption. The enterprise management server can enable the encryption. The removable storage card is not encrypted.

The following TechNet topic describes the “File encryption on mobile device” compliance policy that may be used to configure “RequireDeviceEncryption” MDM configuration policy setting for enrolled devices:

- Compliance Settings for System Center 2012 R2 Configuration Manager: http://technet.microsoft.com/en-us/library/dn376523.aspx#bkmk_comps


http://technet.microsoft.com/en-us/library/dn376523.aspx#bkmk_comps


http://technet.microsoft.com/en-us/library/ff829849(v=ws.10).aspx


The encryption algorithm used for disk volume encryption on Windows Phone 8.1 is not configurable and is set to AES-128.

8 Managing VPNThis section contains the following Common Criteria SFRs:

Cryptographic Operation for Hashing (FCS_COP.1(HASH)) Extended: Subset Information Flow Control (FDP_IFC_EXT.1)

Labels: {FDP_IFC_EXT.1:A:1} {FCS_COP.1:A:1}

8.1 IT Administrator GuidanceAn MDM system may be used to administer VPN profiles.

8.2 Windows 8.1

8.2.1 Local Administrator GuidanceThe following TechNet topic describes how to create a VPN connection:

http://technet.microsoft.com/en-us/library/jj900206.aspx

The evaluated configuration requires that all network traffic other than traffic necessary to establish the VPN connection go through the VPN tunnel. To do this verify that the following configuration is set:

1. Navigate to View Available Networks by clicking on the network icon in taskbar and select the VPN connection2. Right-click the VPN connection and select Properties from the context menu3. Navigate to Networking tab; select Internet Protocol Version 6 (TCP/IPv6) or Internet Protocol Version 4 (TCP/IPv4) and click Properties.4. In Properties click Advanced.

Under General in Advanced TCP/IP settings, make sure the option Use default gateway on remote network to enable split-tunneling is selected.

The following TechNet topics describe the commands for configuring the hash parameter in a new or existing main mode cryptographic proposal:




New-NetIPsecMainModeCryptoProposal: http://technet.microsoft.com/en-us/library/jj573824.aspx Set-NetIPsecMainModeCryptoSet: http://technet.microsoft.com/en-us/library/jj554872.aspx

Hashes in the TLS protocol are configured in association with cipher suite selection. The administrator configures the cipher suites used on a machine by following the configuration instructions at the following link: http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx


8.3.1 User GuidanceThe following MSDN topic describes how to configure VPN on Windows Phone 8.1:

- Try It Out: Windows Phone 8.1 VPN: http://msdn.microsoft.com/en-us/library/dn673608.aspxo When configuring the VPN connection the Send all traffic MUST be set to ON.

9 Managing AccountsThis section contains the following Common Criteria SFRs:

Extended: Authorization Failure Handling (FIA_AFL_EXT.1)

Labels: {FIA_AFL_EXT.1:A:1} {FIA_AFL_EXT.1:A:2}

9.1 Windows 8.1

9.1.1 Local Administrator GuidanceThe following TechNet topic explains the net accounts command line utility for standalone computers (followed by command line options for managing account lockout policy):

- Net Accounts: http://technet.microsoft.com/en-us/library/bb490698.aspx

In addition to the parameters given in the referenced article the following are also valid options:

/lockoutthreshold: number : Sets the number of times a bad password may be entered until the account is locked out. If set to 0 then the account is never locked out.

/lockoutwindow: minutes : Sets the number of minutes of the lockout window.



/lockoutduration: minutes : Sets the number of minutes the account will be locked out for.


9.2.1 IT Administrator GuidanceThe maximum number of unsuccessful authentication attempts and associated remediation action is a Mobile Device Management (MDM) configuration policy setting that may only be managed by a Mobile Device Management system and cannot be directly configured by users on their Windows Phone 8.1. If this device configuration policy setting is configured, then the remediation action wipes the device and restores factory default settings. The following technical paper explains the “MaxDevicePasswordFailedAttempts” MDM configuration policy setting:

- Windows Phone 8.1 MDM protocol documentation: http://msdn.microsoft.com/en-us/library/dn499787.aspx

10 Managing BluetoothThis section contains the following Common Criteria SFRs:

Extended: Bluetooth Authentication (FIA_BLT_EXT.1) Specifications of Management Functions (FMT_SMF.1)

Labels: {FMT_SMF.1}

10.1 Windows 8.1

10.1.1 Local Administrator GuidanceThe following link describes how to enable/disable Bluetooth:

http://windows.microsoft.com/en-US/windows-8/install-view-manage-devices-printers


10.2.1 User GuidanceThe following link describes how to enable/disable Bluetooth:

http://www.windowsphone.com/en-us/how-to/wp8/connectivity/pair-my-phone-with-a-bluetooth-accessory



11 Managing Passwords

11.1 Strong PasswordsThis section contains the following Common Criteria SFRs:

Extended: Password Management (FIA_PMG_EXT.1)

Labels: {FIA_PMG_EXT.1:A:1}

11.1.1 Windows 8.1

11.1.1.1 IT Administrator GuidanceAn MDM system may be used to enforce use of strong passwords.

11.1.1.2 Local Administrator GuidanceThe following TechNet topics describe the characteristics for passwords that are available, instructions for setting the enforcement mechanism and a discussion of strong passwords and recommended minimum settings:

Enforcing Strong Password Usage Throughout Your Organization: http://technet.microsoft.com/en-us/library/cc875814.aspx5 Strong Password: http://technet.microsoft.com/en-us/library/cc756109(v=ws.10).aspx Password Best practices: http://technet.microsoft.com/en-us/library/cc784090(v=ws.10).aspx


11.1.2.1 IT Administrator GuidanceThe composition of strong passwords and minimum password length policy settings may only be managed by a Mobile Device Management (MDM) system and cannot be directly configured by users on their Windows Phone 8.1. The following technical paper explains the “AlphanumericDevicePasswordRequired”, “MinDevicePasswordLength“ and “DevicePasswordExpiration” MDM configuration policy settings:

Windows Phone 8.1 MDM protocol documentation: http://msdn.microsoft.com/en-us/library/dn499787.aspx

5 This topic also applies to Windows 8.1



The following TechNet topics describe the characteristics for passwords that are available, instructions for setting the enforcement mechanism and a discussion of strong passwords and recommended minimum settings:

Strong Password: http://technet.microsoft.com/en-us/library/cc756109(v=ws.10).aspx Password Best practices: http://technet.microsoft.com/en-us/library/cc784090(v=ws.10).aspx

11.2 Protecting PasswordsThis section contains the following Common Criteria SFRs:

Protected Authorization Feedback (FIA_UAU.7)

Labels: {FIA_UAU.7:A:1}

11.2.1 Windows 8.1

11.2.1.1 User GuidanceThe following Windows Help topic describes how to conduct initial logon authentication for users:

Sign in to or out of Windows: http://windows.microsoft.com/en-us/windows-8/sign-in-out-of-windows

Windows 8.1 do not require any configuration to ensure the password is obscured by default. The following best practices should be observed:

As with all forms of authentication, when entering your password, avoid allowing other people to watch you as you sign in.

Keep your device in a secure location where unauthorized people do not have physical access to it. As with any password entry, be aware of line of sight and potential recording devices that intrude on your screen.


11.2.2.1 User GuidanceWindows Phone 8.1 does not require any configuration to ensure the password is obscured by default. The following best practices should be observed:

As with all forms of authentication, when entering your password, avoid allowing other people to watch you as you sign in.


http://windows.microsoft.com/en-us/windows-8/sign-in-out-of-windows


Keep your phone device in a secure location where unauthorized people do not have physical access to it. As with any password entry, be aware of line of sight and potential recording devices that intrude on your screen.

11.3 Logon/Logoff Password PolicyThis section contains the following Common Criteria SFRs:

Extended: Authentication for Cryptographic Operation (FIA_UAU_EXT.1) Extended: Timing of Authentication (FIA_UAU_EXT.2) Extended: Re-Authorizing (FIA_UAU_EXT.3) Specifications of Management Functions (FMT_SMF.1)

Labels: {FIA_UAU_EXT.3:A:1} {FIA_UAU_EXT.3:A:2} {FIA_UAU_EXT.3:A:3} {FIA_UAU_EXT.3:A:4} {FMT_SMF.1:A:7}

11.3.1 Windows 8.1

11.3.1.1 Local Administrator GuidanceThe out of box experience requires that when user accounts are created a password is assigned to the account.

The following Windows Help topics describe how to change a user password: FIA_UAU.5.A3

Change your password: http://windows.microsoft.com/en-us/windows-8/change-your-password

The inactivity time period for TSF-initiated session locking is configured by the administrator via Windows security policy. The relevant security policy is “Interactive logon: Machine inactivity limit” as described in the following Technet topic in the section heading titled “New and changed functionality”:

Security Policy Settings Overview: http://technet.microsoft.com/en-us/library/2fdcbb11-8037-45b1-9015-665393268e36

The following Technet topics include guidance for administrators to open the Local Group Policy Editor tool or the Group Policy Management Console, respectively, that are used to configure the Windows security policy for standalone or domain-joined machines:

Local Group Policy Editor: http://technet.microsoft.com/en-us/library/dn265982.aspx Group Policy Management Console: http://technet.microsoft.com/en-us/library/dn265969.aspx



11.3.1.2 User GuidanceThe following Windows topic describes how to configure screen savers:

How to use screen savers: http://windows.microsoft.com/en-us/windows-8/using-screen-savers

The following Windows topic describes how users can initiate a session lock:

How do I lock or unlock my PC?: http://windows.microsoft.com/en-us/windows-8/lock-unlock-pc

The following Windows help topic describes how to enable or disable notifications in action center and application status on the lock screen:

- How to manage notifications for Mail, Calendar, and People: http://windows.microsoft.com/en-US/windows-8/how-manage-notifications


11.3.2.1 IT Administrator GuidanceIn the case of enrolled phones the TSF may also be configured to use the Password Authentication Factor by the Mobile Device Management (MDM) configuration policy setting described in the following technical paper for “DevicePasswordEnabled”:


The following TechNet topic describes the “Require password settings on mobile devices” MDM configuration policy setting that may be used to configure the “DevicePasswordEnabled” MDM configuration policy settings for enrolled devices:


11.3.2.2 User GuidanceThe following Windows Phone 8.1 help topic describes how to configure the TSF to use (set or change) a Password Authentication Factor:

- How do I set or change a password on my phone?: http://www.windowsphone.com/en-us/how-to/wp8/settings-and-personalization/lock-screen-faq

Additionally, the Require a password after setting must be configured with the value each time.

To enable or disable showing detailed status for applications on the lock screen:



- Go to Settings -> system- Tap lock screen- Under notfications tap Choose an app to show detailed status and choose none from the list to receive disable receiving detailed status information, or choose an application to show

its detailed status on the lock screen

To disable showing quick status for applications on the lock screen:

- Go to Settings -> system- Tap lock screen- Under notfications tap each of the boxes under Choose apps to show quick status and then choose none in the CHOOSE AN APP screen to receive no quick status information on the

lock screen, or tap a box and choose a desired application in the CHOOSE AN APP screen to receive quick status for that application on the lock screen

To disable receiving email, calendar or text message notifications in action center:

- Go to Settings -> system- Tap notifications+settings

Uncheck Show notifications in action center when my phone is locked

12 Managing CertificatesThis section contains the following Common Criteria SFRs:

Extended: Validation of Certificates (FIA_X509_EXT.1) Extended: Certificate Authentication (FIA_X509_EXT.2) Extended: Cryptographic Key Storage (FCS_STG_EXT.1)

Labels: {FIA_PK_EXT.1.:A:1} {FIA_PK_EXT.1.A2} {FIA_PK_EXT.1.A3} {FMT_SMF.1:A:3} {FIA_PK_EXT.1.A4} {FMT_SMF.1:A:4} {FIA_X509_EXT.2:A:1} {FIA_X509_EXT.2:A:2} {FIA_X509_EXT.2:A:3} {FIA_X509_EXT.2:A:4} {FIA_X509_EXT.2:A:5} {FCS_STG_EXT.1:A:1}



12.1 Windows 8.1

12.1.1 Local Administrator GuidanceThe following TechNet topic describes managing certificates (including the “Obtain a Certificate” sub-topic):

Manage Certificates : http://technet.microsoft.com/en-us/library/cc771377.aspx6 Certutil: http://technet.microsoft.com/library/cc732443.aspx7

The operational guidance for setting up a trusted channel to communicate with a CA is described in the operational guidance for FTP_ITC.1 (OS)) – IPSEC.



The following TechNet topic describes how to delete a certificate:

- Delete a Certificate: http://technet.microsoft.com/en-us/library/cc772354.aspx8

Root certificates can be added to and removed from devices using an MDM for enrolled devices.

When validating a certificate with modern Windows applications the connection to a configured revocation server must be available or the validation will fail. This configuration cannot be changed.

The administrator configures certificate validation for IPsec authentication using the Set-NetFirewallSetting PowerShell cmdlet as described in the following TechNet topic:

- Set-NetFirewallSetting: http://technet.microsoft.com/en-us/library/jj554878.aspx

The administrator configures certificate validation for network connections based on EAP-TLS using the “Set Up a Connection or Network” wizard in the “Smart Card or Other Certificate Properties” and “Configure Certificate Selection” screens as described in the following TechNet topic:

- Extensible Authentication Protocol (EAP) Settings for Network Access (Smart Card or other Certificate Properties configuration items): https://technet.microsoft.com/en-us/library/hh945104.aspx#BKMK_LAN_SmartCard

6 This topic also applies to Windows 8.17 This topic also applies to Windows 8.18 This topic also applies to Windows 8.1


https://technet.microsoft.com/en-us/library/hh945104.aspx#BKMK_LAN_SmartCard



The administrator configures certificate validation for HTTPS using the Security options checkboxes in the Advanced tab on the Internet Properties dialog for Control Panel. The “Warn about certificate address mismatch” setting configures whether the Web address must match the certificate subject field and warns the user of a mismatch. The following MSDN Blog describes the “Check for server certificate revocation” setting:

- Understanding Certificate Revocation Checks: http://blogs.msdn.com/b/ieinternals/archive/2011/04/07/enabling-certificate-revocation-check-failure-warnings-in-internet-explorer.aspx

The administrator cannot configure certificate validation for code signing purposes.

12.1.2 User GuidanceThe following TechNet topic describes how to manually import a certificate:

Import a Certificate: http://technet.microsoft.com/en-us/library/cc754489.aspx

When using HTTPS in a browsing scenario the user may choose to ignore a failed certificate validation and continue the connection.


12.2.1 IT Administrator GuidanceRoot certificates can be added to and removed from phones using an MDM for enrolled devices.



When validating a certificate with modern Windows applications the connection to a configured revocation server must be available or the validation will fail. This configuration cannot be changed.

Certificate validation for wireless network connections based on EAP-TLS is performed on Windows Phone 8.1 using policy pushed to the phone by a MDM. The following link is an example of MDM documentation for certificate validation on Windows Phone 8.1:

- How to Create Wi-Fi Profiles in Configuration Manager (Step 4: Configure security for the Wi-Fi profile): https://technet.microsoft.com/en-us/library/dn248970.aspx#BKMK_Step4

Certificate validation for VPN connections based on IPsec is performed on Windows Phone 8.1 using policy pushed to the phone by a MDM. The following link is an example of MDM documentation on certificate validation for VPN connections on Windows Phone 8.1:



- How to Create VPN Profiles in Configuration Manager (Step 4: Configure the Authentication Method for the VPN Profile): https://technet.microsoft.com/en-us/library/dn261200.aspx#BKMK_Step4

Certificate validation cannot be configured for code signing purposes.

Certificate enrollment is performed on the Windows Phone 8.1 using policy pushed to the phone by a MDM. The following link is an example of MDM documentation for certificate enrollment on Windows Phone 8.1:

- Certificate Profiles in Configuration Manager: http://technet.microsoft.com/en-us/library/dn261202.aspx

13 Managing TimeThis section contains the following Common Criteria SFRs:

Reliable Time Stamps (FPT_STM.1)

Labels: {FPT_STM.1:A:1} {FPT_STM.1:A:2} {FPT_STM.1.A3} {FPT_STM.1.A4} {FPT_STM.1.A5}

13.1 Windows 8.1

13.1.1 Local Administrator GuidanceThe administrator sets the time using the Set-Date PowerShell cmdlet that is documented here:

http://technet.microsoft.com/en-us/library/7f44d9e2-6956-4e55-baeb-df7a649fdca1

The administrator configures the time service to synchronize time from a time server using the W32tm command that is documented here:

http://technet.microsoft.com/en-us/library/cc773263(v=WS.10).aspx#w2k3tr_times_tools_dyax

The administrator ensures the communication path between the TOE client and the time service provider is protected from attacks that could compromise the integrity of the time by establishing an IPsec policy using the “Microsoft Windows 8 Microsoft Windows Server 2012 --- Supplemental Admin Guidance for IPsec VPN Clients (January 23 2014)”, where section 3 provides detailed instructions that can be used to configure the TOE client and the time service provider.



The administrator ensures the NTP server is authenticated by verifying the IP address provided by the IT administrator for the NTP Server in the main mode and quick mode security associations according to the audit trail for the FTP_ITC.1 requirement outlined in section “4.1 Audit Policy for IPsec Operations” of the IPsec VPN Client guidance.


13.1.2.1 User GuidanceThe following Windows Phone help topic describes how to manually configure the date and time:

Correct my date and time to update my phone: http://www.windowsphone.com/en-us/how-to/wp7/basics/correct-your-date-and-time-to-update-your-phone

Windows Phone 8.1 also supports automatically setting the date and time by the mobile operator via Network Identity and Time Zone (NITZ). Otherwise if the mobile operator does not support NITZ, then the user can only configure the date and time manually. The data + time settings screen described in the above Windows Help topic describes the Set automatically setting.

Windows Phone 8.1 devices do not support NTP.

14 Getting Version InformationThis section contains the following Common Criteria SFRs:

Extended: Trusted Update: TSF Version Query (FPT_TUD_EXT.1)

14.1 Windows 8.1

14.1.1 User GuidanceThe following Windows topic describes how to determine the hardware model and operating system version:

http://windows.microsoft.com/en-us/windows-8/view-system-information

The following are instructions for getting the version of an app on Windows 8.1:

1. Start the app you wish to get the version of.2. Once the app is opened, move your mouse cursor to the upper-right or lower-right corner of the screen to see the Charms bar. Touch screen users need to swipe-in from the right-edge

of the screen to bring up the Charms bar.3. Click or tap Settings charm on the Charms bar to open Settings for the app.



4. Click or tap Permissions to see the developer’s name and also current version of the app.


14.2.1 User GuidanceThe following Windows topic describes how to determine the hardware model and operating system version:

http://www.windowsphone.com/en-US/how-to/wp8/basics/which-version-of-windows-phone-do-i-have

The following steps describe how to determine the version of apps on the phone:

1. In the App list, tap Store .

2. Tap More , then tap Downloads.

3. Slide over to history. This will list the apps on the phone and the version of each app.

15 Locking a DeviceThis section contains the following Common Criteria SFRs:

Extended: TSF and User initiated Locked State (FTA_SSL_EXT.1)

Labels: {FTA_SSL_EXT.1:A:1} {FTA_SSL_EXT.1:A:2} {FTA_SSL_EXT.1:A:3}

15.1 Windows 8.1

15.1.1 Local Administrator GuidanceThe following Technet topics include guidance for administrators to open the Local Group Policy Editor tool or the Group Policy Management Console, respectively, that are used to configure the Windows security policy for standalone or domain-joined machines:

Local Group Policy Editor: http://technet.microsoft.com/en-us/library/dn265982.aspx


http://www.windowsphone.com/en-us/how-to/wp8/settings-and-personalization/wheres-the-app-list


Group Policy Management Console: http://technet.microsoft.com/en-us/library/dn265969.aspx

The inactivity time period for TSF-initiated session locking is configured by the administrator via Windows security policy. The relevant security policy is “Interactive logon: Machine inactivity limit” as described in the following Technet topic in the section heading titled “New and changed functionality”:

Security Policy Settings Overview: http://technet.microsoft.com/en-us/library/2fdcbb11-8037-45b1-9015-665393268e36

15.1.2 User GuidanceThe following Windows topic describes how to configure screen savers:

How to use screen savers: http://windows.microsoft.com/en-us/windows-8/using-screen-savers

The following Windows topic describes how users can initiate a session lock:

How do I lock or unlock my PC?: http://windows.microsoft.com/en-us/windows-8/lock-unlock-pc


15.2.1 User GuidanceThe evaluation shall verify that the AGD guidance describes the method of setting the inactivity interval and of commanding a lock .

The following Windows Phone topic describes how to configure the inactivity interval by first creating a password that must be presented to unlock the phone:

Lock screen FAQ: http://www.windowsphone.com/en-US/How-to/wp8/settings-and-personalization/lock-screen-faq

The inactivity interval is then configured by choosing a time option (other than never) in the Screen times out after dropdown listbox and then also choosing the each time option in the Require a password after dropdown listbox.

The phone may be commanded to transition to the locked state by configuring the inactivity interval as above and then pressing the button to power off the phone such that the lock screen will be presented and the password will be required when the button is pressed to turn the phone back on.

In the case of enrolled phones the inactivity interval may also be configured by the Mobile Device Management (MDM) configuration policy setting described in the following technical paper for “MaxInactivityTimeDeviceLock”:




The following TechNet topic describes the “Idle time before mobile device is locked (minutes)” MDM configuration policy setting that may be used to configure the “MaxInactivityTimeDeviceLock” MDM configuration policy settings for enrolled devices:


15.3 Managing Notifications Prior to Unlocking a DeviceThis section contains the following Common Criteria SFRs:

Default TOE Access Banners (FTA_TAB.1)

Labels: {FTA_TAB.1:A:1}

15.3.1 Windows 8.1

15.3.1.1 Local Administrator GuidanceThe following TechNet topics describe how to configure a message to users attempting to logon:

Interactive logon: Message title for users attempting to log on: http://technet.microsoft.com/en-us/library/cc778393(v=ws.10).aspx Interactive logon: Message text for users attempting to log on: http://technet.microsoft.com/en-us/library/cc779661(v=WS.10).aspx


15.3.2.1 User GuidanceFor Windows Phone 8.1 the following procedure may be followed to support this requirement.{FTA_TAB.1:A:1}

Distribute a photo to all users with phones that has a picture with the notice and consent warning message. Each user then does the following on the phone:

1. In the App list, tap Settings.2. In the Settings list tap lock screen.3. Under Background tap choose background.4. Tap photo.5. Tap change photo.


http://www.windowsphone.com/en-us/how-to/wp8/settings-and-personalization/wheres-the-app-list


6. Select and tap the photo distributed by the administrator and tap the check mark at the bottom of the photo.

The phone with the notice and consent warning is now displayed before unlocking the phone.

16 Managing Airplane ModeThis section contains the following Common Criteria SFRs:

Specifications of Management Functions (FMT_SMF.1)

Labels: {FMT_SMF.1:A:1} {FMT_SMF.1:A:11} {FMT_SMF.1:A:12} {FMT_SMF.1:A:13}

16.1 Windows 8.1

16.1.1 User GuidanceWhen airplane mode is on wireless connections, cellular voice, cellular protocols, and messaging functionality will not work on the device. The following link describes how to enable/disable airplane mode:

http://windows.microsoft.com/en-US/windows-8/what-is-airplane-mode


16.2.1 User GuidanceWhen airplane mode is on wireless connections, cellular voice, cellular protocols and messaging functionality will not work on the phone. The following link describes how to enable/disable airplane mode:

http://www.windowsphone.com/en-us/how-to/wp7/start/whats-airplane-mode

Wi-Fi and Bluetooth can be turned on while airplane mode is on to prevent voice and messaging from being used but allowing wireless and Bluetooth data to continue to work. The following links describe how to enable/disable Wi-Fi and Bluetooth:

http://www.windowsphone.com/en-us/how-to/wp8/connectivity/connect-to-a-wi-fi-network

http://www.windowsphone.com/en-us/how-to/wp8/connectivity/pair-my-phone-with-a-bluetooth-accessory


http://www.windowsphone.com/en-us/how-to/wp8/connectivity/connect-to-a-wi-fi-network

http://www.windowsphone.com/en-us/how-to/wp7/start/whats-airplane-mode

http://windows.microsoft.com/en-US/windows-8/what-is-airplane-mode


17 Device EnrollmentThis section contains the following Common Criteria SFRs:

Extended: Specification of Remediation Actions (FMT_SMF_EXT.1)

Labels: {FMT_SMF.1:A:9}

17.1 Windows 8.1

17.1.1 Local Administrator GuidanceThe following link describes how to enroll for device management with an MDM (see the table under the subheading “Mobile Device Enrollment” for the “Windows 8.1 and Windows RT 8.1”):


To unenroll from device management do the following:

Go to Settings > PC Settings > Network > Workplace Click Turn off

The administrator of the MDM can determine when a device is enrolled, unenrolled and policy is applied or not applied. Thus the administrator is alerted.


17.2.1 User GuidanceThe following link describes how to enroll and unenroll with an MDM. A MDM can wipe a device during unenroll.

http://www.windowsphone.com/en-us/how-to/wp8/accounts-and-billing/set-up-or-delete-a-workplace-account

18 Managing UpdatesThis section contains the following Common Criteria SFRs:

Operational User Guidance (AGD_OPE)


http://www.windowsphone.com/en-us/how-to/wp8/accounts-and-billing/set-up-or-delete-a-workplace-account


Windows 8.1 and Windows Phone 8.1 applications include metadata that is installed with the application by the Windows Installer and the Store App installer. The application metadata includes version information that prevents the Windows Installer and the Store App installer from updating an installed application with an older version.

Update packages downloaded by Windows Update for Windows 8.1 and by Windows Phone update central for Windows Phone 8.1 are signed with the Microsoft Root Certificate Authority to prove their authenticity and integrity. This signature is checked on the mobile device before installing any of the product updates contained in a given package in order to verify the updates have not been altered since they where digitally signed. If the signature is incorrect, then the update operation will fail. Otherwise, if the signature is correct then the update operation will proceed. The user guidance indicated in the links below tell how to determine if an update operation was successful or unsuccessful.

18.1 Windows 8.1The following link describes Windows Update on Windows 8.1:

http://windows.microsoft.com/en-us/windows/windows-update

18.2 Windows Phone 8.1The following link describes how to get updates on Windows Phone 8.1:

http://www.windowsphone.com/en-us/how-to/wp8/update-central9

9 This topic also applies to Windows Phone 8.1


introduction€¦ · web viewlocal policies\security options\system cryptography: use fips 140...

Documents