Windows FIPS 140 validation - Windows Security (2024)

Article
02/01/2024

The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that defines the minimum-security requirements for cryptographic modules in IT products. This topic introduces FIPS 140 validation for the Windows cryptographic modules. The Windows cryptographic modules are used across different Microsoft products, including Windows client operating systems, Windows Server operating systems, and Azure cloud services.

Windows client operating systems and cryptographic modules

The Windows client releases listed below include cryptographic modules that have completed FIPS 140 validation. Click on the release for details, including the CMVP certificate, Security Policy document, and algorithm scope for each module. When the CMVP certificate validation label includes the note When operated in FIPS mode, specific configuration and security rules outlined in the Security Policy must be followed.

Windows 11 releases

Windows 11, version 21H2

Windows 10 releases

Windows 10, version 2004 (May 2020 Update)
Windows 10, version 1909 (November 2019 Update)
Windows 10, version 1903 (May 2019 Update)
Windows 10, version 1809 (October 2018 Update)
Windows 10, version 1803 (April 2018 Update)
Windows 10, version 1709 (Fall Creators Update)
Windows 10, version 1703 (Creators Update)
Windows 10, version 1607 (Anniversary Update)
Windows 10, version 1511 (November Update)
Windows 10, version 1507

Previous Windows releases

Windows 8.1
Windows 8
Windows 7
Windows Vista SP1
Windows Vista
Windows XP SP3
Windows XP SP2
Windows XP SP1
Windows XP
Windows 2000 SP3
Windows 2000 SP2
Windows 2000 SP1
Windows 2000
Windows 95 and Windows 98
Windows NT 4.0

Windows Server operating systems and cryptographic modules

The Windows Server releases listed below include cryptographic modules that have completed FIPS 140 validation. Click on the release for details, including the CMVP certificate, Security Policy document, and algorithm scope for each module. When the CMVP certificate validation label includes the note When operated in FIPS mode, specific configuration and security rules outlined in the Security Policy must be followed.

Windows Server 2019 and 2016 releases

Windows Server 2019
Windows Server 2016

Windows Server semi-annual releases

Windows Server, version 2004
Windows Server, version 1909
Windows Server, version 1903
Windows Server, version 1809
Windows Server, version 1803
Windows Server, version 1709

Previous Windows Server releases

Windows Server 2012 R2
Windows Server 2012
Windows Server 2008 R2
Windows Server 2008
Windows Server 2003 SP2
Windows Server 2003 SP1
Windows Server 2003

Use Windows in a FIPS approved mode of operation

To use Windows and Windows Server in a FIPS 140 approved mode of operation, all of the specific configuration and security rules outlined in the module Security Policy documents must be followed. To view or download the Security Policy documents for a given product release, navigate to the listing of FIPS 140 validated modules for the release in the sections above and select the links to the Security Policy documents.

As part of the configuration rules outlined in the Security Policy documents, Windows and Windows Server may be configured to run in a FIPS 140 approved mode of operation, commonly referred to as "FIPS mode." In current versions of Windows, when you enable the FIPS mode setting, the Cryptographic Primitives Library (bcryptprimitives.dll) and Kernel Mode Cryptographic Primitives Library (CNG.sys) modules will run self-tests before Windows runs cryptographic operations. These self-tests meet FIPS 140 requirements and ensure that the modules are functioning properly. The Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library are the only modules that use the FIPS mode configuration setting. FIPS mode does not control which cryptographic algorithms are used. The FIPS mode setting is intended for use only by the Cryptographic Primitives Library (bcryptprimitives.dll) and Kernel Mode Cryptographic Primitives Library (CNG.sys) components in Windows.

Determine if a Windows service or application is FIPS 140 compliant

Microsoft validates the cryptographic modules used in Windows and other products, not individual Windows services or applications. Contact the vendor of the service or application for information on whether it calls a validated Windows cryptographic module (i.e., a module validated by the CMVP as meeting the FIPS 140 requirements and issued a certificate) in a FIPS compliant manner (i.e., by calling for FIPS 140 validated cryptography and configured according to a defined FIPS-approved mode of operation).

FIPS 140 and the Commercial National Security Algorithm Suite

The Commercial National Security Algorithm (CNSA) suite is a set of cryptographic algorithms promulgated by the National Security Agency as a replacement for NSA Suite B cryptographic algorithms. Many CNSA cryptographic algorithms are also approved under the FIPS 140 standard. To determine whether a CNSA algorithm was included in the scope of CAVP validated algorithms used in a Microsoft product, navigate to the listing of FIPS 140 validated modules for the product in the sections above and reference the algorithm scope listed for each validated module. Further algorithm details are available in each module Security Policy document.

FIPS 140 and Common Criteria certifications

FIPS 140 and Common Criteria are two complementary but different security standards. Whereas FIPS 140 validates cryptographic functionality, Common Criteria evaluates a broader selection of security functions in IT products. Common Criteria evaluations may rely on FIPS 140 validations to provide assurance that basic cryptographic functionality is implemented properly. For information about Microsoft's Common Criteria certification program, see Common Criteria certifications.

Contact fips@microsoft.com with questions or to provide feedback on this topic.