The operating system is pre-installed on the devices in the evaluated configuration. When the device is turned on for the first time, the Out of Box Experience (OOBE) runs to complete the configuration.
The following security settings are applied to create the evaluated configuration:
Some of the links in this document may be written for Windows versions that are earlier than Windows 10. The content in all these links applies to the Windows 10 version.
| # | Management Function | User Guidance | Local Administrator Guidance | IT Administrator Guidance |
|---|---|---|---|---|
| 1 | Configure password policy | | √ | √ |
| 2 | Configure session locking policy | | √ | √ |
| 3 | Enable/disable the VPN protection | | √ | √ |
| 4 | Enable/disable [Wi-Fi, Bluetooth] | | √ | √ |
| 5 | Enable/disable [camera, microphone] | | √ | √ |
| 6 | Specify wireless networks (SSIDs) to which the TSF may connect | | √ | √ |
| 7 | Configure security policy for connecting to wireless networks | | √ | √ |
| 8 | Transition to the locked state | √ | √ | |
| 9 | TSF wipe of protected data | | √ | |
| 10 | Configure application installation policy | | √ | √ |
| 11 | Import keys/secrets into the secure key storage | √ | √ | |
| 12 | Destroy imported keys/secrets and any other keys/secrets in the secure key storage | √ | √ | |
| 13 | Import X.509v3 certificates into the Trust Anchor Database | | √ | √ |
| 14 | Remove imported X.509v3 certificates and any other X.509v3 certificates in the Trust Anchor Database | √ | | |
| 15 | Enroll the TOE in management | √ | | |
| 16 | Remove applications | | √ | √ |
| 17 | Update system software | | √ | √ |
| 18 | Install applications | | √ | √ |
| 19 | Remove Enterprise applications | | √ | √ |
| 20 | Configure the Bluetooth trusted channel | √ | √ | |
| 21 | Enable/disable display notification in the locked state | √ | | |
| 22 | Enable/disable all data signaling over [USB hardware ports] | | √ | |
| 24 | Enable/disable developer modes | | √ | √ |
| 25 | Enable data-at-rest protection | √ | √ | |
| 26 | Enable removable media’s data-at-rest protection | √ | √ | |
| 28 | Wipe Enterprise data | | √ | √ |
| 30 | Configure whether to allow a trusted channel if certificate validation is not possible | √ | √ | |
| 32 | Read audit logs kept by the TSF | √ | √ | |
| 33 | Configure certificate used to validate digitally signed applications | | √ | √ |
| 34 | Approve exceptions for shared use of keys/secrets by multiple applications | | √ | √ |
| 35 | Approve exceptions for destruction of keys/secrets by other applications | √ | √ | |
| 36 | Configure the unlock banner | | √ | √ |
| 37 | Configure the auditable items | | √ | |
| 38 | Retrieve TSF-software integrity verification values | | | √ |
| 40 | Enable/disable backup to remote system | √ | √ | |
| 44 | Enable/disable location services | √ | √ | |