FIPS for windows 11?

Gary Buckley 5

I need to use FIPS for logging in to my work. will windows 11 support this? the only guidance I can find is for windows 10. How do I move from windows 11 to windows 10?

Reza-Ameri 16,826 Reputation points

2023-03-24T20:27:43.35+00:00

Do you have the link for the guidance for the Windows 10?

If yes, would you mind share it here.

Normally, most features available in the Windows 10 would work in Windows 11.

1 answer

Syed Shiraz Shahid 270 Reputation points

2023-03-25T11:00:45.09+00:00
Windows 11 has a FIPS-compliant cryptographic module that meets the requirements of FIPS 140-2. To enable FIPS mode in Windows 11, you need to follow these steps:

Open the Local Group Policy Editor by typing "gpedit.msc" in the search box on the taskbar and pressing Enter.

In the Local Group Policy Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

Find the setting named "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" and double-click on it.

Select the "Enabled" option and click OK.

Close the Local Group Policy Editor and restart your computer for the changes to take effect.

Note: Enabling FIPS mode may impact the functionality of some applications that do not support FIPS-compliant algorithms. You should test your applications thoroughly before enabling FIPS mode in a production environment.0
Please sign in to rate this answer.

1 person found this answer helpful.
Brian App 0 Reputation points

2023-05-16T14:56:27.34+00:00

I have found no fips certs that are currently approved for windows 11. Do you have info otherwise?

Ken Lux 0 Reputation points

2023-07-18T20:27:52.1466667+00:00

Per this article (https://learn.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation), as of 2/16/2023, the latest version of Windows that is FIPS Validated is Windows 10 v. 1809.

However, if you look at the NIST CMVP Website, you can see that certain modules of later versions of Windows have been validated, but it doesn't appear that all modules have been validated for version of Windows later than 1809. (See below for more info).

If you do not need FIPS 140-2 Validation (e.g., for CMMC for DoD contractors, subcontractors, and suppliers), and are subject to Common Criteria certification, MS has had most versions of Windows up to Windows 10 or 11 21H2 validated for Common Criteria (I didn't check for all builds). You generally need to enable FIPS mode to meet the CC configuration.

In both cases, these are NOT the latest builds. So there is an inherent conflict between requirements for staying patched versus staying FIPS/CC validated.

However, I did just look at a computer running Windows 10 22H2 (10.0.19045.3208), and the version of its Cryptographic Primitives Library (C:\Windows\System32\bcryptprimitives.dll) lists its version and file creation date as 10.19401.2486 and 1/6/23 1:05 PM, respectively. so maybe MS isn't touching the cryptographic modules that haven't been aren't being submitted for validation.

One might be able to verify all of the cryptographic module versions on later Win 10 builds. But you would need to compile a list of dll files to verify. Once you had that list, I presume a PowerShell script could be used to flag machines with non-validated cryptographic module dll files.

If you want to find out more about the status of the individual modules, check out the links below:

At NIST's website for the Cryptographic Module Verification Program, you can search for Microsoft and find the status of the modules (https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Basic&Vendor=microsoft&CertificateStatus=Active&ValidationYear=0)

If you do so, as of 7/18/23, you can see that some modules have been validated for Windows 10.0.19401 (e.g., Cert 4339), and the latest module to be verified is a Windows 11 Boot Manager (Windows v. 10.0.2.22000, Cert 4546).

Additionally, at NIST you can see which modules are in process:

https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List

If you scroll down to Microsoft, you can see that there are several modules in process with most of them in "Coordination" as of 2/4/23, which is the last step in the process. However, while there are two entries for "Cryptographic Primitives Library" one is in "Coordination (2/4/23)" and one is in "In Review 1/6/23)". I presume the one in coordination is for later versions of Windows 10, while the other is for Windows 11.

Why 0 Reputation points

2023-09-07T05:11:09.6833333+00:00

Need the specific CAVP# for auditors.
Sign in to comment